Package: munin / 2.0.25-1+deb8u3
Metadata
Package | Version | Patches format |
---|---|---|
munin | 2.0.25-1+deb8u3 | 3.0 (quilt) |
Patch series
Patch | File | Delta | Description |
---|---|---|---|
0001 http_loadtime plugin Fix several bugs.patch | plugins/node.d/http_loadtime.in | 21 (10 +, 11 -, 0 !) | http_loadtime plugin: fix several bugs. - Missing fi - Unset variable for wget in autoconf - garbage to stdout from cd - |
0002 Fix wrong parameter expansion in CGI.patch | master/_bin/munin-cgi-graph.in | 22 (14 +, 8 -, 0 !) | [patch] fix wrong parameter expansion in cgi. As Tomaž Šolc <tomaz.solc@tablix.org> said: Munin package in Jessie has a local file write vulnerability when CGI graphs are enabled. Setting multiple "upper_limit" GET parameters allows overwriting any file accessible to the www-data user. And sstj <stevie.trujillo@gmail.com> said: Running munin-2.0.25 on Gentoo. I observed this message in the logs: 2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm line 404. This allows injecting options into munin-cgi-graph (similar to http://munin-monitoring.org/ticket/1238 ), by doing something like this: &upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt which wrote the graph to /tmp/test.txt. Closes: #721, D:855705, CVE-2017-6188 |
0003 cgi handle the empty string in CGI arguments.patch | master/_bin/munin-cgi-graph.in | 8 (4 +, 4 -, 0 !) | [patch] cgi: handle the empty string in cgi arguments. The previous fix is a little too restrictive, and it just adds the parameter if it is defined, which should not be the case if it is an empty string. Note that a simple "if" test has the nasty side-effect of being false if the value is "0". A more complete test should be done then. It might be better to fix the dynazoom call itself, but as we already touched that area, and failed, let's try to contain this and avoid having the change spreading epidemically :) |
0004 cgi use Scalar Util looks_like_number.patch | master/_bin/munin-cgi-graph.in | 11 (7 +, 4 -, 0 !) | [patch] cgi: use Scalar::Util::looks_like_number. As Jonas Meurer <jonas@freesources.org> said in a comment, it is much better to use Scalar::Util::looks_like_number() instead of coming up with a semi-clever algo. Closes: #804 |