Package: munin / 2.0.25-1+deb8u3

Metadata

Package Version Patches format
munin 2.0.25-1+deb8u3 3.0 (quilt)

Patch series

Patch File delta Description
0001 http_loadtime plugin Fix several bugs.patch

plugins/node.d/http_loadtime.in | 21 10 + 11 - 0 !
1 file changed, 10 insertions(+), 11 deletions(-)

 http_loadtime plugin: fix several bugs

 - Missing «fi»

 - Unset variable for «wget» in «autoconf»

 - garbage to stdout from «cd -»

0002 Fix wrong parameter expansion in CGI.patch

master/_bin/munin-cgi-graph.in | 22 14 + 8 - 0 !
1 file changed, 14 insertions(+), 8 deletions(-)

 [patch] fix wrong parameter expansion in cgi

As Tomaž Šolc <tomaz.solc@tablix.org> said :

	Munin package in Jessie has a local file write vulnerability when CGI graphs are
	enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
	file accessible to the www-data user.

And sstj <stevie.trujillo@gmail.com> said :

	Running munin-2.0.25 on Gentoo. I observed this message in the logs

	2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context
	from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to
	vulnerabilities. See the warning in "Fetching the value or values of a
	single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm
	line 404.

	This allows injecting options into munin-cgi-graph (similar to
	http://munin-monitoring.org/ticket/1238 ), by doing something like
	this:

	&upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt

	which wrote the graph to /tmp/test.txt

Closes: #721, D:855705, CVE-2017-6188

0003 cgi handle the empty string in CGI arguments.patch

master/_bin/munin-cgi-graph.in | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch] cgi: handle the empty string in cgi arguments

The previous fix is a little too restrictive. And it just adds the parameters
if it is defined. Which should not be the case if it is an empty string.

Note that a simple "if" test has the nasty side-effect of being false if the
value is "0".

A more complete test should be done then.

It might be better to fix the dynazoom call itself, but as we already touched
that area, and failed, let's try to contain this and avoid having the change
spreading epidemically :)

0004 cgi use Scalar Util looks_like_number.patch

master/_bin/munin-cgi-graph.in | 11 7 + 4 - 0 !
1 file changed, 7 insertions(+), 4 deletions(-)

 [patch] cgi: use Scalar::Util::looks_like_number

As Jonas Meurer <jonas@freesources.org> said in a comment, it is much
better to use Scalar::Util::looks_like_number() instead of coming up
with a semi-clever algo.

Closes: #804
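
Added example (not code from the munin project or from these patches): a Perl sketch of the parameter handling described in patches 0002 to 0004 above, showing list-context expansion of a repeated parameter beside a checked scalar form. The param() stand-in, the %query data and the --upper-limit/--lower-limit option names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(looks_like_number);

# Constructed request: the repeated-parameter query string quoted in patch 0002.
my %query = (
    upper_limit => [ '500', '--output-file', '/tmp/test.txt' ],
    lower_limit => [ '0' ],
);

# Stand-in for CGI::param (assumption: same context behaviour as CGI.pm):
# every value in list context, only the first value in scalar context.
sub param {
    my ($name) = @_;
    my @values = @{ $query{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Pattern the Perl warning points at: param() evaluated in list context
# inside an argument list, so each repeated value becomes its own argument.
sub build_args_list_context {
    my @args;
    push @args, '--upper-limit', param('upper_limit');
    return @args;
}

# Hardened form combining the ideas of patches 0002-0004: force scalar
# context, skip undefined and empty values, keep "0", require a number.
sub build_args_checked {
    my @args;
    for my $name (qw(upper_limit lower_limit)) {
        my $value = scalar param($name);
        next unless defined $value && $value ne '';
        next unless looks_like_number($value);
        (my $option = "--$name") =~ tr/_/-/;   # hypothetical option naming
        push @args, $option, $value;
    }
    return @args;
}

print "list context: @{[ build_args_list_context() ]}\n";
print "checked:      @{[ build_args_checked() ]}\n";
```

The checked form takes only the first value of each parameter, so the extra "upper_limit" values never reach the argument list, and a lower limit of "0" is still passed through.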