Your message dated Mon, 3 Sep 2012 16:10:04 +0200
with message-id <201209031610.05211.hol...@layer-acht.org>
and subject line confirmed again for 2.0.6-1
has caused the Debian Bug report #683998,
regarding munin: allows creation of sockets at arbitrary locations (/tmp file
vulnerability)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
683998: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683998
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: munin
Version: 1.4.5-3
Severity: serious
Tags: security
I wondered where a socket /tmp/munin-master-processmanager-12345.sock
would come from and whether it was created in a secure way. In the
presence of this bug report you may have guessed, that it is not. The
corresponding code can be found in
/usr/share/perl5/Munin/Master/ProcessManager.pm. Apparently rundir is
set to /tmp and the _prepare_unix_socket subroutine happily unlink(2)s
that path and creates a socket. So via a simple race condition (use
inotify!) we can place a symbolic link at the desired location and make
munin place a socket at an arbitrary location. It should also be
possible to turn this into a local denial of service by pointing to a
non-existent directory. Please evaluate the impact of this issue and
downgrade the severity accordingly. Fixing this issue should be easy
changing the default for rundir.
Helmut
--- End Message ---
--- Begin Message ---
version: 2.0.1-1
--- End Message ---
