Package: munin
Version: 2.0.25-1
Severity: grave
Tags: security patch
Justification: user security hole

Dear Maintainers,

The Munin package in Jessie has a local file write vulnerability when CGI graphs are enabled. Setting multiple "upper_limit" GET parameters allows overwriting any file accessible to the www-data user.

This was originally reported on GitHub by sstj here:

https://github.com/munin-monitoring/munin/issues/721

For example, requesting a URL like the following will create "/tmp/test":

http://.../munin-cgi/munin-cgi-graph/.../.../...-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test

Attached is a simple patch that fixes the problem.

Best regards
Tomaž
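The list-context behaviour behind the report above, shown as an added example (not Munin's code and not part of the original report). The `param` sub is a hypothetical stand-in that mimics how CGI::param returns all values in list context and the first value in scalar context; the query string and cache path are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed query string, same shape as the one in the report.
my $query = 'upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test';

# Stand-in for CGI::param (hypothetical helper, not CGI.pm itself): returns
# every value in list context and only the first value in scalar context.
my %values;
for my $pair (split /&/, $query) {
    my ($k, $v) = split /=/, $pair, 2;
    push @{ $values{$k} }, $v;
}
sub param {
    my ($name) = @_;
    my @v = @{ $values{$name} // [] };
    return wantarray ? @v : $v[0];
}

# Argument list as it looks before the request-controlled options are added.
my @base = ('--output-file', '/var/cache/munin/graph.png');   # constructed path

# Before the patch: push evaluates param() in list context, so all three
# request values land in the argument list.
my @before = @base;
push @before, '--upper_limit', param('upper_limit') if param('upper_limit');

# After the patch: scalar forces a single value.
my @after = @base;
push @after, '--upper_limit', scalar param('upper_limit') if param('upper_limit');

print "before: @before\n";
print "after:  @after\n";

# Defensive check (an addition, not in the patch): count --output-file options.
for my $case (['before', \@before], ['after', \@after]) {
    my ($label, $args) = @$case;
    my $n = grep { $_ eq '--output-file' } @$args;
    printf "%s: %d --output-file option(s)%s\n", $label, $n,
        $n > 1 ? ' <- injected' : '';
}
```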
Index: munin-2.0.25/master/_bin/munin-cgi-graph.in =================================================================== --- munin-2.0.25.orig/master/_bin/munin-cgi-graph.in +++ munin-2.0.25/master/_bin/munin-cgi-graph.in @@ -447,13 +447,13 @@ sub draw_graph { '--output-file', $filename ); # Sets the correct size on a by_graph basis - push @params, "--size_x", CGI::param("size_x") + push @params, "--size_x", scalar CGI::param("size_x") if (defined(CGI::param("size_x"))); - push @params, "--size_y", CGI::param("size_y") + push @params, "--size_y", scalar CGI::param("size_y") if (defined(CGI::param("size_y"))); - push @params, "--upper_limit", CGI::param("upper_limit") + push @params, "--upper_limit", scalar CGI::param("upper_limit") if (CGI::param("upper_limit")); - push @params, "--lower_limit", CGI::param("lower_limit") + push @params, "--lower_limit", scalar CGI::param("lower_limit") if (CGI::param("lower_limit")); # Sometimes we want to set the IMG size, and not the canvas.
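Review bot: the value pushed after --upper_limit, --lower_limit, --size_x and --size_y is still taken from the request without validation; scalar only guarantees that exactly one element is added to @params. If these four options are meant to be numeric, reject anything that does not match a number pattern before the push, so that a single value beginning with "--" is never forwarded. The trailing comment "# Sometimes we want to set the IMG size, and not the canvas." suggests more request parameters are handled just below this hunk; any CGI::param call there that sits in a push or other list context needs the same scalar treatment.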