qmailscan: CVE-2012-2103 predictable /tmp file names

Related Vulnerabilities: CVE-2012-2103  

Debian Bug report logs - #668778
qmailscan: CVE-2012-2103 predictable /tmp file names


Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Sat, 14 Apr 2012 10:42:14 UTC

Severity: important

Tags: security, upstream

Found in version munin/1.4.5-3

Fixed in version munin/2.0~rc6-1

Done: Holger Levsen <holger@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668778; Package munin-plugins-extra. (Sat, 14 Apr 2012 10:42:17 GMT) (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 14 Apr 2012 10:42:20 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qmailscan: predictable /tmp file names
Date: Sat, 14 Apr 2012 12:40:28 +0200
Package: munin-plugins-extra
Version: 1.4.5-3
Severity: important
Tags: security

The qmailscan plugin uses predictable filenames.

| grep "`date +%d\ %b\ %Y`" $LOG0 $LOG1 > /tmp/q$$

This can be used to overwrite arbitrary files owned by the munin user
using symbolic links.

This issue affects squeeze, wheezy and sid.

Note that few users will have enabled this plugin, because qmail is not
that popular among Debian users.

Helmut
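The reported line writes `grep` output to `/tmp/q$$`, a name any local user can predict from the process id, so a symlink planted there in advance is followed on open. The following is an added example, not code from the munin qmailscan plugin: it shows the two safe rewrites (no scratch file at all, as upstream chose, or a `mktemp`-created one that is cleaned up on every exit path) plus a small audit helper that flags the pattern in a script. The log lines and their format are constructed sample data.

```shell
#!/bin/sh
# Added example (not the munin plugin's code). The reported line was:
#   grep "`date +%d\ %b\ %Y`" $LOG0 $LOG1 > /tmp/q$$
# $$ is guessable, so the redirection can be steered through a symlink.

today() { date "+%d %b %Y"; }

# Constructed sample logs; the line format is an assumption, not qmail's.
make_sample_logs() {
    LOG0=$(mktemp) && LOG1=$(mktemp) || return 1
    printf '%s 10:00:01 msg1 clean\n' "$(today)" >  "$LOG0"
    printf '01 Jan 1970 00:00:00 old\n'          >> "$LOG0"
    printf '%s 11:00:00 msg2 virus\n' "$(today)" >  "$LOG1"
}

# Fix 1 (the approach upstream took): no temp file at all, stream the
# matching lines straight into the consumer. Prints today's line count.
count_today_stream() {
    grep "$(today)" "$1" "$2" | wc -l | tr -d ' '
}

# Fix 2: when a scratch file is unavoidable, let mktemp create it with
# O_EXCL under an unpredictable name, and remove it on every exit path.
count_today_tmpfile() {
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    grep "$(today)" "$1" "$2" > "$tmp"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
    trap - EXIT HUP INT TERM
}

# Audit helper: list lines of a shell script that build a /tmp name from $$.
find_predictable_tmp() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$1"
}
```

Run `find_predictable_tmp` over a plugin directory to locate the same pattern elsewhere; any hit is a candidate for the same two fixes.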




Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668778; Package munin-plugins-extra. (Sat, 14 Apr 2012 15:33:28 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 14 Apr 2012 15:33:28 GMT) (full text, mbox, link).


Message #10 received at 668778@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: 668778@bugs.debian.org, Helmut Grohne <helmut@subdivi.de>, control@bugs.debian.org
Subject: Re: [Packaging] Bug#668778: qmailscan: predictable /tmp file names
Date: Sat, 14 Apr 2012 17:32:35 +0200
tags 668778 + upstream
tags 668667 + upstream
tags 668666 + upstream
thanks

Hi Helmut,

thanks again for your bug reports!

On Samstag, 14. April 2012, Helmut Grohne wrote:
> Note that few users will have enabled this plugin, because qmail is not
> that popular among Debian users.

<helmut> given the quality of the plugin in conjunction with its widespread 
usage (count the number of qmail + clamscan installs please), i suggest rm? 
;-)
<h01ger> i'm inclined to think thats sensible

but would prefer if this would be done upstream as I don't think it smart to divert 
from upstream here.


cheers,
	Holger




Added tag(s) upstream. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 15:33:29 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668778; Package munin-plugins-extra. (Thu, 19 Apr 2012 09:59:44 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 19 Apr 2012 09:59:47 GMT) (full text, mbox, link).


Message #17 received at 668778@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: control@bugs.debian.org, 668778@bugs.debian.org
Subject: Re: Munin SVN commit: r4819 - trunk/plugins/node.d
Date: Thu, 19 Apr 2012 11:41:06 +0200
tags 668778 + pending
thanks

On Donnerstag, 19. April 2012, Munin SVN Repository Admin wrote:
> Author: steve.schnepp
> Date: 2012-04-19 11:20:29 +0200 (Thu, 19 Apr 2012)
> New Revision: 4819
> 
> Modified:
>    trunk/plugins/node.d/qmailscan.in
> Log:
> - remove the use of tempfiles. (D: Closes #668778)
> 
> 
> Modified: trunk/plugins/node.d/qmailscan.in


cheers,
	Holger




Added tag(s) pending. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 19 Apr 2012 10:00:58 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668778; Package munin-plugins-extra. (Sat, 28 Apr 2012 12:42:53 GMT) (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 28 Apr 2012 12:42:57 GMT) (full text, mbox, link).


Message #24 received at 668778@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: Henri Salo <henri@nerv.fi>
Cc: 668778@bugs.debian.org
Subject: Re: 668778 qmailscan CVE?
Date: Sat, 28 Apr 2012 14:40:20 +0200
CCing bug report, because others might be interested as well.

This issue is also known as CVE-2012-2103.

See https://bugzilla.redhat.com/show_bug.cgi?id=812889 for details.

Helmut




Changed Bug title to 'qmailscan: CVE-2012-2103 predictable /tmp file names' from 'qmailscan: predictable /tmp file names' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sun, 29 Apr 2012 07:57:03 GMT) (full text, mbox, link).


Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Sun, 13 May 2012 16:24:14 GMT) (full text, mbox, link).


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Sun, 13 May 2012 16:24:14 GMT) (full text, mbox, link).


Message #31 received at 668778-close@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@debian.org>
To: 668778-close@bugs.debian.org
Subject: Bug#668778: fixed in munin 2.0~rc6-1
Date: Sun, 13 May 2012 16:22:13 +0000
Source: munin
Source-Version: 2.0~rc6-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive:

munin-async_2.0~rc6-1_all.deb
  to main/m/munin/munin-async_2.0~rc6-1_all.deb
munin-common_2.0~rc6-1_all.deb
  to main/m/munin/munin-common_2.0~rc6-1_all.deb
munin-doc_2.0~rc6-1_all.deb
  to main/m/munin/munin-doc_2.0~rc6-1_all.deb
munin-node_2.0~rc6-1_all.deb
  to main/m/munin/munin-node_2.0~rc6-1_all.deb
munin-plugins-core_2.0~rc6-1_all.deb
  to main/m/munin/munin-plugins-core_2.0~rc6-1_all.deb
munin-plugins-extra_2.0~rc6-1_all.deb
  to main/m/munin/munin-plugins-extra_2.0~rc6-1_all.deb
munin-plugins-java_2.0~rc6-1_all.deb
  to main/m/munin/munin-plugins-java_2.0~rc6-1_all.deb
munin_2.0~rc6-1.diff.gz
  to main/m/munin/munin_2.0~rc6-1.diff.gz
munin_2.0~rc6-1.dsc
  to main/m/munin/munin_2.0~rc6-1.dsc
munin_2.0~rc6-1_all.deb
  to main/m/munin/munin_2.0~rc6-1_all.deb
munin_2.0~rc6.orig.tar.gz
  to main/m/munin/munin_2.0~rc6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668778@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 13 May 2012 18:01:59 +0200
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0~rc6-1
Distribution: unstable
Urgency: low
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 668536 668666 668667 668778 669230 669816 670428 670811
Changes: 
 munin (2.0~rc6-1) unstable; urgency=low
 .
   [ Holger Levsen ]
   * New upstream release candidate, quoting the upstream Changelog:
     - Many bugfixes in munin-cgi-graph:
       - if url parameters are not valid, send HTTP 404 instead of 500
       - move the generation of png via cgi under /var/lib/munin/cgi-tmp/
         (Closes:  #668536)
       - don't cache URL with parameters anymore, and don't keep uncached URLs
         (Closes: #668667)
       - validate url characters (Closes: #668666)
       - add a max setting for cgi image size. (Closes: #670811)
     - Plugin fixes:
       - add explicit license for all plugins. (Closes: #670428)
       - hddtemp_smartctl: just use the device name as the labels
       - qmailscan: remove the use of tempfiles. (Closes: #668778)
   * munin.NEWS: document that "cgitmpdir /var/lib/munin/cgi-tmp" has to be
     set in munin.conf.
   * munin-node.postinst: chmod 755 /var/log/munin (Closes: #669230)
   * munin.postinst: make /var/lib/munin/cgi-tmp writable for group www-data.
 .
   [ Matthias Schmitz ]
   * Add installation of apache configuration to /etc/apache2/conf-availble as
     needed by Apache 2.4. (Closes: #669816)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Jun 2012 07:54:11 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:46:49 2019; Machine Name: buxtehude
