Package: munin Version: 1.4.5-3 Severity: serious Tags: security I wondered where a socket /tmp/munin-master-processmanager-12345.sock would come from and whether it was created in a secure way. In the presence of this bug report you may have guessed, that it is not. The corresponding code can be found in /usr/share/perl5/Munin/Master/ProcessManager.pm. Apparently rundir is set to /tmp and the _prepare_unix_socket subroutine happily unlink(2)s that path and creates a socket. So via a simple race condition (use inotify!) we can place a symbolic link at the desired location and make munin place a socket at an arbitrary location. It should also be possible to turn this into a local denial of service by pointing to a non-existent directory. Please evaluate the impact of this issue and downgrade the severity accordingly. Fixing this issue should be easy changing the default for rundir.
Helmut -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
