Package: munin Version: 2.0~rc4-1 Severity: important Tags: security printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80
Provided that the filename actually exists, munin will render the image and store it as /tmp/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo. By choosing a unique string instead of foo for each request an adversary is able to create one png file per http request none of which are ever deleted. He is thus able to exhaust the filesystem for /tmp. The issue gets worse when /tmp is a tmpfs. Again this issue seems to only affect the 2.x branch (sid). Helmut -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
