Bug 20335 - munin new security issue CVE-2017-6188
Summary: munin new security issue CVE-2017-6188
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK has_procedure a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-23 01:27 CET by David Walser
Modified: 2017-04-04 08:44 CEST (History)
3 users (show)

See Also:
Source RPM: munin-2.0.25-3.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-02-23 01:27:21 CET 
A CVE has been assigned for a security issue in munin:
http://openwall.com/lists/oss-security/2017/02/22/4

Debian has a patch, as mentioned on their bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705

Mageia 5 is also affected.
David Walser 2017-02-23 01:27:34 CET

Whiteboard: (none) => MGA5TOO

Guillaume Rousse 2017-02-23 08:01:07 CET

Assignee: guillomovitch => bugsquad

Comment 1 Marja Van Waes 2017-02-23 11:36:50 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2017-02-26 17:18:28 CET 
Debian has issued an advisory for this on February 25:
https://www.debian.org/security/2017/dsa-3794

It was also fixed upstream in 2.0.31.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated munin packages fix security vulnerability:

Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET parameters
are not properly handled, allowing to inject options into munin-cgi-graph and
overwriting any file accessible by the user running the cgi-process
(CVE-2017-6188).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6188
https://www.debian.org/security/2017/dsa-3794
========================

Updated packages in core/updates_testing:
========================
munin-2.0.25-1.1.mga5
munin-master-2.0.25-1.1.mga5
munin-node-2.0.25-1.1.mga5
munin-java-plugins-2.0.25-1.1.mga5
munin-async-2.0.25-1.1.mga5

from munin-2.0.25-1.1.mga5.src.rpm

CC: marja11 => (none)
Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 Herman Viaene 2017-02-28 15:12:02 CET 
MGA5-32 on Asus A6000VM
No installation issues
Ref bug 11944 Comment 4, when pointing to 
http://localhost/munin 
I get Error 403
and in /var/log/httpd/error_log I get
[Tue Feb 28 14:25:06.656432 2017] [autoindex:error] [pid 3574] [client 127.0.0.1:38618] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:25:43.965717 2017] [autoindex:error] [pid 3573] [client 127.0.0.1:38622] AH01276: Cannot serve directory /usr/share/munin/static/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:38:06.228800 2017] [autoindex:error] [pid 3572] [client 127.0.0.1:38636] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
The /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.

I googled on these errors and all I found referred to /etc/munin/apache.conf, but this file does not exist, nor is there any mentionof munin in the httpd.conf file.

CC: (none) => herman.viaene

Comment 4 David Walser 2017-03-02 12:11:14 CET 
Debian has done a regression update today (March 2):
https://lists.debian.org/debian-security-announce/2017/msg00053.html

Will update the patch when I get a chance.

Whiteboard: (none) => feedback

Comment 5 Dave Hodgins 2017-04-04 06:07:44 CEST 
Let's get this one out.

Installed all of the munin packages.

Starting with http://guide.munin-monitoring.org/en/latest/installation/configuration.html#configure-web-server
but took some digging to figure out.

[root@i5v ~]# munin-node-configure --shell --families=contrib,auto | sh -x
# The following plugins caused errors:
# hddtemp_smartctl:
#       Junk printed to stderr
# http_loadtime:
#       Non-zero exit during autoconf (2)
# netstat_multi:
#       Wrong amount of autoconf
# proc:
#       In family 'auto' but doesn't have 'autoconf' capability
# samba:
#       Junk printed to stderr
+ ln -s /usr/share/munin/plugins/apc_nis /etc/munin/plugins/apc_nis
+ ln -s /usr/share/munin/plugins/hddtempd /etc/munin/plugins/hddtempd
+ ln -s /usr/share/munin/plugins/meminfo /etc/munin/plugins/meminfo

Enabled and then started the services and apache ...
[root@i5v system]# systemctl enable munin-fcgi-html.service
[root@i5v system]# systemctl enable munin-fcgi-graph.service
[root@i5v system]# systemctl enable munin-node.service
[root@i5v system]# systemctl start munin-fcgi-html.service
[root@i5v system]# systemctl start munin-fcgi-graph.service
[root@i5v system]# systemctl start munin-node.service
[root@i5v system]# systemctl restart httpd.service
Then, as regular user was able to access http://localhost/munin/
and confirmed the graphs are working, and at least some have data.

Installed the updates, restarted apache and confirmed still working.

Same testing completed on my x86_64 Mageia 5 virtualbox host.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: feedback => MGA5-64-OK MGA5-32-OK has_procedure advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2017-04-04 08:44:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0101.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.