diff --git a/CVE-2017-6188-fix-parameter-injection.patch b/CVE-2017-6188-fix-parameter-injection.patch
new file mode 100644
index 0000000..84d76a8
--- /dev/null
+++ b/CVE-2017-6188-fix-parameter-injection.patch
@@ -0,0 +1,29 @@
+From: Tomaž Šolc
+Date: Tue, 21 Feb 2017 14:42:26 +0100
+Subject: CVE-2017-6188: munin-cgi-graph local file write vulnerability
+References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705
+ boo#1026539
+Upstream: https://github.com/munin-monitoring/munin/issues/721
+
+Index: munin-2.0.25/master/_bin/munin-cgi-graph.in
+===================================================================
+--- munin-2.0.25.orig/master/_bin/munin-cgi-graph.in
++++ munin-2.0.25/master/_bin/munin-cgi-graph.in
+@@ -447,13 +447,13 @@ sub draw_graph {
+ '--output-file', $filename );
+ 
+ # Sets the correct size on a by_graph basis
+- push @params, "--size_x", CGI::param("size_x")
++ push @params, "--size_x", scalar CGI::param("size_x")
+ if (defined(CGI::param("size_x")));
+- push @params, "--size_y", CGI::param("size_y")
++ push @params, "--size_y", scalar CGI::param("size_y")
+ if (defined(CGI::param("size_y")));
+- push @params, "--upper_limit", CGI::param("upper_limit")
++ push @params, "--upper_limit", scalar CGI::param("upper_limit")
+ if (CGI::param("upper_limit"));
+- push @params, "--lower_limit", CGI::param("lower_limit")
++ push @params, "--lower_limit", scalar CGI::param("lower_limit")
+ if (CGI::param("lower_limit"));
+ 
+ # Sometimes we want to set the IMG size, and not the canvas.
diff --git a/munin-2.0.25.tar.gz b/munin-2.0.25.tar.gz
deleted file mode 100644
index 281d52d..0000000
--- a/munin-2.0.25.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6832bc5839d03639e4309178d9370697fc8a80a83d9b6653953f40161e949694
-size 1337586
diff --git a/munin-2.0.30.tar.gz b/munin-2.0.30.tar.gz
new file mode 100644
index 0000000..911ff98
--- /dev/null
+++ b/munin-2.0.30.tar.gz
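Review bot: Forcing scalar context on the four `push @params` lines stops a repeated `size_x=`/`size_y=`/`upper_limit=`/`lower_limit=` query parameter from appending extra elements to `@params`, but the single value that survives is still pushed unvalidated, so any string the client supplies travels straight into the graph argument list. Since the new side only fixes the arity problem, I would also check the value's shape before accepting it — a plain integer for the two sizes, a plain number for the two limits — and silently drop anything else; the exact numeric format the consumer accepts is not visible here, so widen the patterns if it legitimately takes more. The rewrite below keeps the existing `defined` test for the sizes and the existing truthiness test for the limits, so behaviour for well-formed input is unchanged. `draw_graph` begins and ends outside the hunk.
```perl
    # Sets the correct size on a by_graph basis.  Take exactly one value per
    # parameter (scalar context) and only when it has the expected numeric
    # shape, so the query string can neither add arguments nor pass a path.
    for my $p (qw(size_x size_y)) {
        my $v = scalar CGI::param($p);
        push @params, "--$p", $v if defined($v) && $v =~ m{\A\d+\z};
    }
    for my $p (qw(upper_limit lower_limit)) {
        my $v = scalar CGI::param($p);
        push @params, "--$p", $v if $v && $v =~ m{\A-?\d+(?:\.\d+)?\z};
    }
    # … unchanged: IMG size handling …
```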
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6be23035c31ab6b7910ae1080159ae8263759f783a1b10002f44456c4aace61
+size 1342168
diff --git a/munin.changes b/munin.changes
index 837b7cb..d049f05 100644
--- a/munin.changes
+++ b/munin.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Feb 23 12:33:21 UTC 2017 - wr@rosenauer.org
+
+- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability
+ (boo#1026539, CVE-2017-6188-fix-parameter-injection.patch)
+
+-------------------------------------------------------------------
+Sun Feb 19 16:08:24 UTC 2017 - wr@rosenauer.org
+
+- update to version 2.0.30
+ Bugfix releases (closes the following issues since 2.0.25)
+ 2.0.26: Closes: D:761190, GH:426
+ 2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
+ 2.0.29: Closes: D:847649, D:849383
+ 2.0.30: Closes: GH:745, GH:771, GH:783
+
 -------------------------------------------------------------------
 Tue Jan 17 13:04:06 UTC 2017 - bwiedemann@suse.com
diff --git a/munin.spec b/munin.spec
index ebfc537..a6f2c5b 100644
--- a/munin.spec
+++ b/munin.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package munin
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 %define active_by_default 0
 Name: munin
-Version: 2.0.25
+Version: 2.0.30
 Release: 0
 Summary: Network-wide graphing framework (grapher/gatherer)
 License: GPL-2.0
@@ -48,6 +48,7 @@ Source13: gsa-munin.zip
 # https://svn.koumbit.net/koumbit/trunk/munin-plugins/quota-usage
 Patch: munin-plugin-quota_usage_warnings.patch
 Patch2: mysql55.patch
+Patch3: CVE-2017-6188-fix-parameter-injection.patch
 BuildRequires: html2text
 BuildRequires: perl-HTML-Template
 BuildRequires: perl-Log-Log4perl
@@ -100,10 +101,10 @@ RRDtool.
 %package node
 Summary: Network-wide graphing framework (node)
-Group: System/Monitoring
 # some scripts need logtail which is part of package logdigest in openSUSE
 # problem with logdigest is that it installs a cronjob for itself which
 # might be unwanted
+Group: System/Monitoring
 Recommends: logdigest
 Requires: perl-HTML-Template
 Requires: perl-Log-Log4perl
@@ -153,6 +154,7 @@ unzip %{SOURCE12}
 unzip %{SOURCE13}
 %patch
 %patch2 -p1
+%patch3 -p1
 %build
 %__make HOSTNAME=yourhostname
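Review bot: `%patch3 -p1` applies a patch whose `Index:`/`---` lines name munin-2.0.25 and whose hunk header was computed against that release, while the same commit moves `Version:` to 2.0.30; `-p1` still resolves `master/_bin/munin-cgi-graph.in`, but whether the hunk lands on 2.0.30 without fuzz or offset is not visible here. I would regenerate the patch against the 2.0.30 tarball, or at least confirm in the build log that it applies cleanly, so a silent misapplication does not leave the CVE unfixed in the built package. It would also help a later reader to tag the patch in the `Patch3:` hunk above with a one-line comment such as `# PATCH-FIX-UPSTREAM CVE-2017-6188 boo#1026539 -- munin-cgi-graph parameter injection`.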