Bug 7591 - munin new security issues CVE-2012-2103, CVE-2012-3512, and CVE-2012-3513
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/517689/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update

Reported: 2012-09-26 20:24 CEST by David Walser
Modified: 2012-12-11 22:22 CET

Source RPM: munin-2.0-0.rc5.2.mga2.src.rpm

Description David Walser 2012-09-26 20:24:39 CEST
Fedora has issued an advisory on September 9:
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088239.html

Mageia 1 and Mageia 2 are also affected.

More info at the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=849830
Comment 1 David Walser 2012-10-04 23:22:30 CEST
It appears this is fixed upstream in 2.0.6.
Comment 2 Guillaume Rousse 2012-10-05 15:44:50 CEST
It is indeed fixed upstream in 2.0.6.

I'll have a look at how to backport the fix, but the limited scope of the attack scenario (local user having control over the munin account against some specific plugins) isn't very frightening.
Comment 3 David Walser 2012-11-02 19:11:30 CET
Fixed in Cauldron.
Comment 4 David Walser 2012-11-06 16:15:29 CET
Ubuntu has issued an advisory on November 5:
http://www.ubuntu.com/usn/usn-1622-1/

from http://lwn.net/Vulnerabilities/522962/

this adds CVE-2012-2103 (looks to be fixed upstream in 2.0 rc6), and CVE-2012-3513 (looks to be fixed upstream in 2.0.6), so neither should affect Cauldron.

Ubuntu has also identified the upstream changes that fixed all of these:
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2103.html
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3512.html
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3513.html
Comment 5 Guillaume Rousse 2012-11-17 15:33:20 CET
I just submitted munin-2.0-0.rc5.2.1.mga2 to updates_testing. The changes are quite invasive, though, and I didn't test them yet.
Comment 6 David Walser 2012-11-17 16:50:58 CET
OK, we can push to QA when you're ready.  Saving the package list for now.

munin-2.0-0.rc5.2.1.mga2.noarch.rpm
munin-master-2.0-0.rc5.2.1.mga2.noarch.rpm
munin-node-2.0-0.rc5.2.1.mga2.noarch.rpm
Comment 7 David Walser 2012-11-20 16:38:15 CET
Ping.  Is this ready for QA?

Do we have any plans to fix this for Mageia 1?
Comment 8 Guillaume Rousse 2012-11-21 22:50:18 CET
Everything seems OK for me, QA can proceed.

I don't plan to do anything for Mageia 1.
Comment 9 David Walser 2012-12-09 02:47:04 CET
Assigning to QA and removing MGA1TOO from whiteboard due to EOL.

Advisory:
========================

Updated munin packages fix security vulnerabilities:

The qmailscan plugin for Munin before 2.0 rc6 allows local users to overwrite
arbitrary files via a symlink attack on temporary files with predictable
names (CVE-2012-2103).

Munin before 2.0.6 stores plugin state files that run as root in the same
group-writable directory as non-root plugins, which allows local users to
execute arbitrary code by replacing a state file, as demonstrated using the
smart_ plugin (CVE-2012-3512).

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under
Apache, allows remote attackers to load new configurations and create files
in arbitrary directories via the logdir command (CVE-2012-3513).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3513
http://www.ubuntu.com/usn/usn-1622-1/
========================

Updated packages in core/updates_testing:
========================
munin-2.0-0.rc5.2.1.mga2
munin-master-2.0-0.rc5.2.1.mga2
munin-node-2.0-0.rc5.2.1.mga2

from munin-2.0-0.rc5.2.1.mga2.src.rpm
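
Added example, not part of the original bug thread and not Munin's own code: a defender-side check for the condition the advisory describes for CVE-2012-3512 (state files of a privileged account kept in a directory that group members or others can write to), which also lists symlinks left in that directory, the mechanism behind CVE-2012-2103. The function name `audit_state_dir`, the directory argument and the sample file name are assumptions made for illustration.

```shell
#!/bin/sh
# audit_state_dir DIR [PRIV_USER]   (hypothetical helper, added example)
#   DIR        plugin state directory to inspect (supplied by the caller)
#   PRIV_USER  account whose state files must not be replaceable by other
#              local users; name or numeric uid (default: root)
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_state_dir() {
    dir=$1
    priv=${2:-root}
    rc=0

    # -prune makes find test DIR itself instead of descending into it.
    shared=$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$shared" ]; then
        # Anyone with write access to DIR can unlink and re-create entries,
        # so state files owned by PRIV_USER here can be swapped out.
        owned=$(find "$dir" -type f -user "$priv" -print)
        if [ -n "$owned" ]; then
            printf '%s\n' "$owned" | sed 's/^/replaceable: /'
            rc=1
        fi
    fi

    # Symlinks in a state/temp directory deserve a look: a writer that
    # follows them ends up writing to the link target.
    links=$(find "$dir" -type l -print)
    if [ -n "$links" ]; then
        printf '%s\n' "$links" | sed 's/^/symlink: /'
        rc=1
    fi
    return "$rc"
}

# Constructed demo: a throwaway directory stands in for the state directory,
# and the current user stands in for the privileged account.
demo=$(mktemp -d)
: > "$demo/smart_sda.state"        # constructed sample state file name
chmod 0775 "$demo"                 # group-writable, as in the advisory
audit_state_dir "$demo" "$(id -u)" || true
rm -rf "$demo"
```

On a real host, pass the node's plugin state directory and leave the second argument at its default of root.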
Comment 10 Dave Hodgins 2012-12-10 03:03:22 CET
As the poc requires root access to start with (to then su to the user
munin), I'm just testing that munin works.

Before the update, in order to get access to http://127.0.0.1/munin,
I had to change all "Allow from all" to "Allow from 127.0.0.1".

After confirming that works, installed the update, and then confirmed
it's still working.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
munin-2.0-0.rc5.2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated munin packages fix security vulnerabilities:

The qmailscan plugin for Munin before 2.0 rc6 allows local users to overwrite
arbitrary files via a symlink attack on temporary files with predictable
names (CVE-2012-2103).

Munin before 2.0.6 stores plugin state files that run as root in the same
group-writable directory as non-root plugins, which allows local users to
execute arbitrary code by replacing a state file, as demonstrated using the
smart_ plugin (CVE-2012-3512).

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under
Apache, allows remote attackers to load new configurations and create files
in arbitrary directories via the logdir command (CVE-2012-3513).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3513

https://bugs.mageia.org/show_bug.cgi?id=7591
Comment 11 David Walser 2012-12-10 03:13:52 CET
One of the References is missing in Comment 10, see Comment 9.
Comment 12 Thomas Backlund 2012-12-11 22:22:29 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0358
