Fedora has issued an advisory on September 9: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088239.html Mageia 1 and Mageia 2 are also affected. More info at the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=849830
Whiteboard: (none) => MGA2TOO, MGA1TOO
It appears this is fixed upstream in 2.0.6.
It is indeed fixed upstream in 2.0.6. I'll have a look at how to backport the fix, but the limited scope of the attack scenario (local user having control over the munin account against some specific plugins) isn't very frightening.
Status: NEW => ASSIGNED
CC: (none) => oe
Fixed in Cauldron.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Ubuntu has issued an advisory on November 5:
http://www.ubuntu.com/usn/usn-1622-1/
from http://lwn.net/Vulnerabilities/522962/
this adds CVE-2012-2103 (looks to be fixed upstream in 2.0 rc6), and CVE-2012-3513 (looks to be fixed upstream in 2.0.6), so neither should affect Cauldron.
Ubuntu has also identified the upstream changes that fixed all of these:
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2103.html
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3512.html
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3513.html
Summary: munin new security issue CVE-2012-3512 => munin new security issues CVE-2012-2103, CVE-2012-3512, and CVE-2012-3513
I just submitted munin-2.0-0.rc5.2.1.mga2 to updates_testing. The changes are quite invasive, though, and I haven't tested them yet.
OK, we can push to QA when you're ready. Saving the package list for now.
munin-2.0-0.rc5.2.1.mga2.noarch.rpm
munin-master-2.0-0.rc5.2.1.mga2.noarch.rpm
munin-node-2.0-0.rc5.2.1.mga2.noarch.rpm
Ping. Is this ready for QA? Do we have any plans to fix this for Mageia 1?
Everything seems OK for me, QA can proceed. I don't plan to do anything for mageia 1.
Assigning to QA and removing MGA1TOO from whiteboard due to EOL.
Advisory:
========================
Updated munin packages fix security vulnerabilities:
The qmailscan plugin for Munin before 2.0 rc6 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names (CVE-2012-2103).
Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin (CVE-2012-3512).
munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command (CVE-2012-3513).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3513
http://www.ubuntu.com/usn/usn-1622-1/
========================
Updated packages in core/updates_testing:
========================
munin-2.0-0.rc5.2.1.mga2
munin-master-2.0-0.rc5.2.1.mga2
munin-node-2.0-0.rc5.2.1.mga2
from munin-2.0-0.rc5.2.1.mga2.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA1TOO => (none)
As the poc requires root access to start with (to then su to the user munin), I'm just testing that munin works.
Before the update, in order to get access to http://127.0.0.1/munin, I had to change all "Allow from all" to "Allow from 127.0.0.1". After confirming that works, installed the update, and then confirmed it's still working.
Testing complete on Mageia 2 i586 and x86-64.
Could someone from the sysadmin team push the srpm munin-2.0-0.rc5.2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.
Advisory:
Updated munin packages fix security vulnerabilities:
The qmailscan plugin for Munin before 2.0 rc6 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names (CVE-2012-2103).
Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin (CVE-2012-3512).
munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command (CVE-2012-3513).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3513
https://bugs.mageia.org/show_bug.cgi?id=7591
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
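A configuration check that complements the functional test above, as an added example that is not part of the original thread or of Munin: a shell function that audits a plugin state directory for the condition the advisory describes for CVE-2012-3512 (state files of a privileged plugin sitting in a group-writable directory) and for symlinks, the ingredient of CVE-2012-2103. The function name, its arguments and the directory passed to it are assumptions; the real state directory depends on the installation.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Munin code).
# audit_state_dir DIR [PRIV_UID]
#   DIR       plugin state directory to inspect (path is installation-specific)
#   PRIV_UID  uid whose state files must not be replaceable by others (default 0)
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_state_dir() {
    dir=$1
    priv_uid=${2:-0}
    findings=0

    # Refuse to audit through a symlink or a non-directory.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "ERROR: $dir is not a real directory"
        return 2
    fi

    # Directory writable by group or others? (mode bits 020 / 002)
    shared=no
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        shared=yes
    fi

    # CVE-2012-3512 condition: privileged plugin state in a shared-writable
    # directory, where another local account can replace the file.
    if [ "$shared" = yes ]; then
        n=$(find "$dir" -maxdepth 1 -type f -user "$priv_uid" | wc -l)
        if [ "$n" -gt 0 ]; then
            echo "FINDING: $n file(s) owned by uid $priv_uid in group/other-writable $dir"
            findings=$((findings + 1))
        fi
    fi

    # Symlinks among state or temp files let a write land on another path
    # (the mechanism behind CVE-2012-2103).
    n=$(find "$dir" -maxdepth 1 -type l | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n symlink(s) directly inside $dir"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /path/to/plugin-state [uid]
if [ "$#" -gt 0 ]; then audit_state_dir "$@"; fi
```

Running it before and after the update shows whether the package actually changed the directory layout, which the "munin still works" test cannot show.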
One of the References is missing in Comment 10, see Comment 9.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0358
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED