Bug#668536: [Packaging] Bug#668536: munin: predictable tmpfile location /tmp/munin-cgi-tmp

[Holger Levsen]

tags 668536 + upstream
thanks

Hi Helmut,

many thanks for filing this bug report!

On Donnerstag, 12. April 2012, Helmut Grohne wrote:
> /usr/lib/cgi-bin/munin-cgi-graph uses predictable filenames in /tmp
> which might allow privilege escalation to www-data or denial of serving
> graphs. The filenames always start with /tmp/munin-cgi-graph/.

doh. To be clear: The path always start with /tmp/munin-cgi-graph/ and then 
it's fully and easily predictable:

the relevant code from master/_bin/munin-cgi-graph.in:

sub get_picture_filename {
[...]
my $cgi_tmp_dir = $config->{cgitmpdir} || "/tmp/munin-cgi-tmp";
[...]
return "$cgi_tmp_dir/$domain/$name/$service-$scale.png" . $params;

 
cheers,
Holger



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#668536: munin: predictable tmpfile location /tmp/munin-cgi-tmp

[Helmut Grohne]

Package: munin
Version: 2.0~rc4-1
Severity: important
Tags: security

/usr/lib/cgi-bin/munin-cgi-graph uses predictable filenames in /tmp
which might allow privilege escalation to www-data or denial of serving
graphs. The filenames always start with /tmp/munin-cgi-graph/.

At the moment this issue affects only unstable.

A quick workaround for this issue is to change the location to
/var/cache/munin/graph or something similar. Note that this directory
would need to be created with write permission to the user running cgi
scripts (presumably www-data) by postinst.

Helmut



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org