munin-cgi-graph: User can load new config, pointing log to arbitrary file

Debian Bug report logs - #684076
munin-cgi-graph: User can load new config, pointing log to arbitrary file

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stevie Trujillo <stevie.trujillo@gmail.com>

To: submit@bugs.debian.org

Subject: munin-cgi-graph: User can load new config, pointing log to arbitrary file

Date: Mon, 6 Aug 2012 20:25:02 +0200

Package: munin
Version: 2.0.1-1
Severity: grave
Tags: security
X-Debbugs-CC: helmut@subdivi.de

http://www.munin-monitoring.org/ticket/1238

When running munin-cgi-graph as a CGI-script (not FastCGI) under Apache2,
Apache2 may use the query-string as command line arguments.

This will write "2012/07/04 18:03:57 Opened log file" to /tmp/123.txt
(this didn't work for helmut, but ?--help also demonstrated the
problem):

my $data = "logdir /tmp/123.txt\0\n";
print "POST /cgi-bin/munin-cgi-graph/x.png?--config+/dev/stdin HTTP/1.1\r\n" .
      "Host: 127.0.0.1\r\n" .
      "Connection: close\r\n" .
      "Content-Length: ".length($data)."\r\n" .
      "\r\n" .
      $data;


munin will check the query-string for bad characters after opening the
log file and terminate, limiting the possible damage.

munin will also try opening "$conf.storable" using perl's Storable
module. I'm not sure if this can be used to provide code execution
like python's pickle.

Message #14 received at 684076@bugs.debian.org (full text, mbox, reply):

From: Kurt Seifried <kseifried@redhat.com>

To: 684076@bugs.debian.org

Subject: CVE-2012-3513 munin: User can load new config, pointing log to arbitrary file

Date: Mon, 20 Aug 2012 22:56:08 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2012-3513 munin: User can load new config, pointing log to
arbitrary file


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQMxToAAoJEBYNRVNeJnmTuHcP/1VJlN2FGZByEKh56IkDrrAf
hh/x5dXhZUvQaKH1kZmuPOd80xaZnGv7/NoE8E5QliRfLUR5K3is1MIekK9El6pO
5XPa51IZpnRtdrm6ULhzvOq8525dZJ1rOFPYitgmDGRNfO5DK4weV1FtGF1NzOtH
6s5N+0O0YVhmW8YHnb31xVUmLa8VGGO5ojlbCetf0h04gb5gATwf4Z25YDAfgl4Q
sJMiqpJ0yIfe6h4u6S3lAHm8JIW8SuzYOyP/gXS0XvaijmCnnthSFcRq8nSsrFf2
yiZTCpB9nFghtYgEYJ/0iLSonmajskigvIRgIZyk3/FU5KILFQhDnSfQErRMp9BH
8g5sDHDHQacshrBvXx+ESVwYOXnldiJ5bfU1xYQwq+PwumgcMyv8VqCp43JQgxBx
ChU0uOaTLlccMc7kZHnfTbc5D3M1jX+lxeDk9YAKN/n1OSuNrnegps7HaUa1jfwg
QWoatHqa1PHNJeXdQYGHwRNWq/IfrftaTYV/lvEdHhHA4bcaWTG9CaZDJ/3AMHFP
bUITod3zNrRE0nXFV+VKy1u8Ps3TFDeN4JP2P2uRd/iahl++7RV1jhtNFpCFZZ+T
l6OQ/gXfYBdF1+TWGmp5/j/HtmFF+5YlVAkwvxCHLh4E6afafNTcSwiSu1LCEk5B
vKrXzXPZpai3uqN5awfK
=zSD8
-----END PGP SIGNATURE-----

Message #21 received at 684076-close@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@debian.org>

To: 684076-close@bugs.debian.org

Subject: Bug#684076: fixed in munin 2.0.6~git-1

Date: Thu, 30 Aug 2012 08:48:19 +0000

Source: munin
Source-Version: 2.0.6~git-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 30 Aug 2012 08:26:09 +0000
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.6~git-1
Distribution: experimental
Urgency: low
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 679897 684075 684076 685343 686089 686090 686093
Changes: 
 munin (2.0.6~git-1) experimental; urgency=low
 .
   * 2.0.6 is actually unreleased still, this is based on the current git
     commit 6183662. The following fixes are included:
     - munin-node: more secure state file handling, introducing a new plugin
       state directory root, owned by uid 0. Then each plugin runs in its own
       UID plugin state directory, owned by the said UID. (Closes: #684075),
       (Closes: #679897), closes CVE-2012-3512.
     - munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076),
       thanks to Helmut Grohne <helmut@subdivi.de>
     - munin-cron: call munin-graph with --cron argument (Closes: #685343)
     - Master/Node.pm: fix _node_read_fast() to accept all valid returns
       (Closes: #686089) and _do_connect() to not use an uninitialized
       variable. (Closes: #686090)
     - munin-async: make spoolread less restrictive about (valid) plugin names
       (Closes: #686093)
   * Update Location and Scriptalias in shipped apache.conf to reflect changes
     introduced upstream in 64dfec73 coming in 2.0.6. This fixes a regression
     introduced in fixing #682869.
Checksums-Sha1: 
 87f92bd652589be479511fd928f17ca9e62172ef 2129 munin_2.0.6~git-1.dsc
 e28fb8500f1363a905f2be164c3f0ec4780aca5c 1422644 munin_2.0.6~git-1.tar.gz
 495b3c699c5db9706db03d9d2eeab149a3d8c113 126252 munin-node_2.0.6~git-1_all.deb
 76a3d3fcd400f5221ba5d7424c30e0b5339b9b43 302894 munin-plugins-core_2.0.6~git-1_all.deb
 dc01c511e671c0a677dfc6cf7fec360077934e6f 152910 munin-plugins-extra_2.0.6~git-1_all.deb
 71b1c478d9a7abd4d901d954ab52f6d84479559a 145808 munin-plugins-java_2.0.6~git-1_all.deb
 6d24d5033c9387d8e8f3910373646b74c74cbf13 200446 munin_2.0.6~git-1_all.deb
 5954e9803442dbd4fe7f24adbd0b1bc9fc6a7c1b 93692 munin-common_2.0.6~git-1_all.deb
 acf0ac69dd6e51a091bb55699f1ba7ccd32e5efb 81604 munin-async_2.0.6~git-1_all.deb
 1fe472bce2797dd2929955e7101a70f0e5283e2a 210798 munin-doc_2.0.6~git-1_all.deb
Checksums-Sha256: 
 e788a52a42e577702b03df2a76b902ecfb75d7d554bab56ab218a96857ceb1d4 2129 munin_2.0.6~git-1.dsc
 2fba10446f70b872d7fd0c2aef3e6d7fd6d19363a98228d8079d16be1c431943 1422644 munin_2.0.6~git-1.tar.gz
 c5e3df113333b5fb286c943ef1e252f9caa981c83c5ac47d24a77e6fdb3cb058 126252 munin-node_2.0.6~git-1_all.deb
 8adfd149197072b108d26ea402393cc40b203c652bee10b3e67c56da9a75744e 302894 munin-plugins-core_2.0.6~git-1_all.deb
 343093da2cdca0dfe21d32c8ea2b4f14e9c1b6e202fea45b10f68bea4f85690f 152910 munin-plugins-extra_2.0.6~git-1_all.deb
 50d926265834e95a642617a575d8fc29c6bec0ca4e97b914da26135526cd3ee0 145808 munin-plugins-java_2.0.6~git-1_all.deb
 7b8fa95370adb1eaff00091d99a3543ab6b62850f7d09e873b8a375c4fc81d52 200446 munin_2.0.6~git-1_all.deb
 e8e501fc937dbd964b2e8092385e15b4edf99dd26307e28e79b245c092d714f6 93692 munin-common_2.0.6~git-1_all.deb
 3fb62447d4df6d00b89de1be7acac538bcd1dafddcef92217e97aacfa9dbe094 81604 munin-async_2.0.6~git-1_all.deb
 f7d126effa2b2924a5964fa09b427d3dad62195c2e15c3a7254ccb767e91ad33 210798 munin-doc_2.0.6~git-1_all.deb
Files: 
 cb7b1f41569d38be6104d578543c637a 2129 net optional munin_2.0.6~git-1.dsc
 61aa2c32d0a415d7e14d424cf771bbb1 1422644 net optional munin_2.0.6~git-1.tar.gz
 55c3fa84967745332b796b21249fa85a 126252 net optional munin-node_2.0.6~git-1_all.deb
 3b271a0f6b4746bbe1e0fc5eea4ca72f 302894 net optional munin-plugins-core_2.0.6~git-1_all.deb
 d39bfbb398a5c30e1ce985ca87e703d3 152910 net optional munin-plugins-extra_2.0.6~git-1_all.deb
 26fe11792149f134c3cf34988c528006 145808 net optional munin-plugins-java_2.0.6~git-1_all.deb
 349a40dc4c3bbdcd0640fca8e2936ac9 200446 net optional munin_2.0.6~git-1_all.deb
 a86b0f6d30e1a94610fca9ef491e49fe 93692 net optional munin-common_2.0.6~git-1_all.deb
 c0a03eb040ff1a0e098b9287f0ea4230 81604 net optional munin-async_2.0.6~git-1_all.deb
 3076757e3fe6a060197ee96b55473490 210798 doc optional munin-doc_2.0.6~git-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIVAwUBUD8lvgkauFYGmqocAQgfxQ//egaDsjnxdDGxqTJ7gp552WnGGP9Ws9Lr
Bnirdgknb+zeIpVkLBe1bSgiFToKIAl/xaIMe9gzk8tiksSnpr634f79t5mmoqLb
P8ljp5H3fp+fNDjtrbGVv2QzUXn/B+NE8edgqR20LU7XXwoGvG/JVK4nFvElNCmh
NZBy/2Xge1W7PbT3mCqZj1mYMhJhXt/yUjA7vFrJyGfwM36Xry4MRqhYj+wFEeXN
iiT3dxJ77hupp7Lch4Iq2UylGU6mb9GgOSnXEqfQBhnaFDH/79Yfv6Yd1JBGgHlc
JgkrrzhoxwtI07W0QVyK4epUkl6SCQfVBQXnXd8lhyLZH4xOctQbiTYHg7Xb4ea2
Fik+37ePyB2epOxTrFNPEv2PcyinnutCNY3DITZk+eqBlS8/e9cYfigLmUkwCo9J
FrePyPAofQj4+k3EtesLN4/Ss0GrOqEJ+UUOSsj1ini7fHDjZ6FPo5Pr2FG7oSQI
SJNVWiczYIC6AKH9XqfFznuTmEHcI5MZKjfUeRbbaXzuEgdJHlNpqQ6aiVcfVZOK
I8YW5P4hontOTRFCgkZK2F3GYj4OD8SlPCOM39zNwoeCBGsbdW8N3VuQ8x8xahN2
V19KUC7JUTLPNr5HglQOHQoA7boUjEi6y+dJ3S3al92JppMxvBPnZpsClVNNc1Y7
t68o1Uwiu0Q=
=XPYG
-----END PGP SIGNATURE-----

Message #26 received at 684076-close@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@debian.org>

To: 684076-close@bugs.debian.org

Subject: Bug#684076: fixed in munin 2.0.6-1

Date: Mon, 03 Sep 2012 13:17:47 +0000

Source: munin
Source-Version: 2.0.6-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 03 Sep 2012 12:42:09 +0000
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 679897 684075 684076 685343 686089 686090 686093
Changes: 
 munin (2.0.6-1) unstable; urgency=high
 .
   * New upstream release 2.0.6, switching back to cron graphing (as it better
     for small setups) and besides that only containing bugfixes, but many of
     them. See the upstream ChangeLog for the full list.
     - munin-node: more secure state file handling, introducing a new plugin
       state directory root, owned by uid 0. Then each plugin runs in its own
       UID plugin state directory, owned by the said UID. (Closes: #684075),
       (Closes: #679897), closes CVE-2012-3512.
       So all properly written plugins will use
       /var/lib/munin-node/plugin-state/$uid/$some_file now - please report
       plugins that are still using /var/lib/munin/plugin-state/ - as those
       might pose a security risk!
     - munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076),
       thanks to Helmut Grohne <helmut@subdivi.de>
     - munin-cron: call munin-graph with --cron argument (Closes: #685343)
     - Master/Node.pm: fix _node_read_fast() to accept all valid returns
       (Closes: #686089) and _do_connect() to not use an uninitialized
       variable. (Closes: #686090)
     - munin-async: make spoolread less restrictive about (valid) plugin names
       (Closes: #686093)
   * Update Location and Scriptalias in shipped apache.conf to fix a regression
     introduced in fixing #682869.
   * munin-node.postinst: don't create /var/lib/munin/plugin-state anymore as
     munin-node now uses /var/lib/munin-nodes/plugin-state and subdirs and
     handles creation by itself.
   * debian/rules: workaround bug in upstream Makefile targets to move
     /var/lib/async from munin-node package to munin-async.
   * debian/control:
     - make munin-async depend on munin-node for now.
     - update Vcs: headers to point to an uptodate repository.
   * Remove build/resources/apache-cgi.conf from munin.docs as it's outdated.
   * update munin.NEWS to reflect that everybody using cgi graphing needs to
     update the configuration files and that cron graphing is the default
     again. (cgi graphing was the default from pre-2.0 until 2.0.5)
Checksums-Sha1: 
 f74026d9184cce248e5161f2988658d05ce49e9c 2362 munin_2.0.6-1.dsc
 639bd5b9fe457326842ed425f5258ea29db0b853 1325754 munin_2.0.6.orig.tar.gz
 7e27351c09fbbd9d5e965a533c10764939cf3917 51051 munin_2.0.6-1.diff.gz
 7fd31a561466dca631337321d05845af0f75714a 127752 munin-node_2.0.6-1_all.deb
 53cb5953732a2346c295cdceca97e5edabda19ae 304194 munin-plugins-core_2.0.6-1_all.deb
 2e4d133a910fa252dab2391305437b3752cc37e8 154006 munin-plugins-extra_2.0.6-1_all.deb
 3eec5502fcf9e64b84c9edf98613221ff694fcd8 146912 munin-plugins-java_2.0.6-1_all.deb
 23d76f087fb00cc666455a72bdf015fad9f21c74 201718 munin_2.0.6-1_all.deb
 0a815552c09f7b182f3b124f6f8a465163ca5ed8 94732 munin-common_2.0.6-1_all.deb
 bffcde93d5c686fcf8de91581c734d32f8b09022 82804 munin-async_2.0.6-1_all.deb
 3619315c94a405d54ac822262cb905bbf8b05f8c 211516 munin-doc_2.0.6-1_all.deb
Checksums-Sha256: 
 3470e54e99e0a16e607c7f6f3812756a643008e2de91b9e2f1b695d06eab944a 2362 munin_2.0.6-1.dsc
 ff99a3c36156adb6b867bb684ec508a857728336c0b81a93955bbcc9d5045ea6 1325754 munin_2.0.6.orig.tar.gz
 559090dec1df4d5c4d8592f630a8e827f0eacc54756aaf060ef11af4cc2c1d06 51051 munin_2.0.6-1.diff.gz
 fdaafe38f6e05e966063f933696e1ebf87c75caec8efeddde71630584906fca4 127752 munin-node_2.0.6-1_all.deb
 7f780cdd706b61119758281031ac16d6e9a17fc153673be8b6d47857d2067605 304194 munin-plugins-core_2.0.6-1_all.deb
 a45aee6a32389731dcfa45cccd1926560518b02419b3c40fd9d989736fa86b5f 154006 munin-plugins-extra_2.0.6-1_all.deb
 b39a4c341fd99c9be476dee153e9a9110e8a4aa8ae178da5bf657ca33f9415da 146912 munin-plugins-java_2.0.6-1_all.deb
 ba5fe591b6a98fad66cc24ba99eba58c2b71377a2c04fbad3be7e5fd5433a583 201718 munin_2.0.6-1_all.deb
 fa755d6f651834adf9e91d62b960662f832b08fd44e2a1d305af694408398859 94732 munin-common_2.0.6-1_all.deb
 2cb41fd22e9800e0667b2c1af516ae6e96e885cfdf28a6c3ef90cfea5c7edf3e 82804 munin-async_2.0.6-1_all.deb
 c7006f900b4bacff7ade589600b3ade71c4cbb4c9ed2774fe1f9189d94cf7465 211516 munin-doc_2.0.6-1_all.deb
Files: 
 1e9514ba9330de5e78d22c474b06d0af 2362 net optional munin_2.0.6-1.dsc
 a64e7d3d7a7736f3959092145886ce88 1325754 net optional munin_2.0.6.orig.tar.gz
 32e91dc8f2aae9ca27f4924ca1013755 51051 net optional munin_2.0.6-1.diff.gz
 2bff976ceb3624407b8d8b2250a44873 127752 net optional munin-node_2.0.6-1_all.deb
 ed4d325236237233008ffd4e32e80a45 304194 net optional munin-plugins-core_2.0.6-1_all.deb
 7d7a088725e012d8a2e89bb654e6fea8 154006 net optional munin-plugins-extra_2.0.6-1_all.deb
 2c2d8496a8ecc114dfd5b6b6926c2a28 146912 net optional munin-plugins-java_2.0.6-1_all.deb
 334c9918acd98ad610f2f6b9ff3d1072 201718 net optional munin_2.0.6-1_all.deb
 81bfc537f8fd914a1f7cc84e1673ea50 94732 net optional munin-common_2.0.6-1_all.deb
 301cd30114b0202d5af147cfc9e37148 82804 net optional munin-async_2.0.6-1_all.deb
 22b455e1b14aa3d50cb9181fd0b1d9af 211516 doc optional munin-doc_2.0.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIVAwUBUESqGwkauFYGmqocAQgkpQ//XIlizdF6mCQwt+a4Yv6EKSU4GZmw3Wj8
vZgXYp2Zo5r4lnsd9huSgBoUudzX+1b6NiyhKZh4cMUEIXRqD6ObbVWgFKzrXrTj
7zKh/MeFDYnhx71JPbHh+SsWfXC8aNTpU6zkE9GPgWOZP5RBYjpcyf7qQJMApclg
MRUzUEaX4fcXEZMEkZI+KjuZQQej55Zwq+iRfCHYyMoslVO6eyEmiFPw33pKIf2R
8u4xseoUxmUinvD1GIEn2OfSoZiOzionEnFLXm9XSuDdDv5D3EYTF2y7XYQZu7l2
Wd48aU0KJRpNtNV2XiW/7EAXu+dE5zl5+364Qb+tYcQaaerYvF0RJWXqOLxC49w0
OZaTB9MJ4om9bCAh5jLxrejSLjVMqvCc5ntaRudqgY+dWJoDuzTs0HlwFlavq6D0
vxYw2Wvo52SxVrpWXpROHNOo0ivb1y6t4yqOC7SYpOOnLRXQ4ipK0AkSdx1z23FD
FH/l8vrqOHNj78n6xiLqXm8jlufKYD8KpP9O3UkttQQ6cS2k10jFHN5PskiH32NR
CH3L9S16x4nODYPO/L15Rutn/ihdeKm8nQcqTPMTKRi/3wEfi4UYDvpRM7bofs3h
5w70JYhQiRH18Jw0bhXmbK0qYo8m5S1OafYQbjO63/RcFcwBs2tzpu46ulnFczOW
0YDtt+72KHo=
=PJjc
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.