From 40db143d1578bd528d7beb563e77b1adf4252dbfa45825fee205024551f479ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Thu, 2 Mar 2017 13:20:39 +0000
Subject: [PATCH 1/7] Accepting request 460029 from home:wrosenauer:devel

- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability
 (boo#1026539, CVE-2017-6188-fix-parameter-injection.patch)
- update to version 2.0.30
 Bugfix releases (closes the following issues since 2.0.25)
 2.0.26: Closes: D:761190, GH:426
 2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
 2.0.29: Closes: D:847649, D:849383
 2.0.30: Closes: GH:745, GH:771, GH:783

OBS-URL: https://build.opensuse.org/request/show/460029
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=29
---
 CVE-2017-6188-fix-parameter-injection.patch | 29 +++++++++++++++++++++
 munin-2.0.25.tar.gz | 3 ---
 munin-2.0.30.tar.gz | 3 +++
 munin.changes | 16 ++++++++++++
 munin.spec | 8 +++---
 5 files changed, 53 insertions(+), 6 deletions(-)
 create mode 100644 CVE-2017-6188-fix-parameter-injection.patch
 delete mode 100644 munin-2.0.25.tar.gz
 create mode 100644 munin-2.0.30.tar.gz

diff --git a/CVE-2017-6188-fix-parameter-injection.patch b/CVE-2017-6188-fix-parameter-injection.patch
new file mode 100644
index 0000000..84d76a8
--- /dev/null
+++ b/CVE-2017-6188-fix-parameter-injection.patch
@@ -0,0 +1,29 @@
+From: Tomaž Šolc
+Date: Tue, 21 Feb 2017 14:42:26 +0100
+Subject: CVE-2017-6188: munin-cgi-graph local file write vulnerability
+References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705
+ boo#1026539
+Upstream: https://github.com/munin-monitoring/munin/issues/721
+
+Index: munin-2.0.25/master/_bin/munin-cgi-graph.in
+===================================================================
+--- munin-2.0.25.orig/master/_bin/munin-cgi-graph.in
++++ munin-2.0.25/master/_bin/munin-cgi-graph.in
+@@ -447,13 +447,13 @@ sub draw_graph {
+ '--output-file', $filename );
+ 
+ # Sets the correct size on a by_graph basis
+- push @params, "--size_x", CGI::param("size_x")
++ push @params, "--size_x", scalar CGI::param("size_x")
+ if (defined(CGI::param("size_x")));
+- push @params, "--size_y", CGI::param("size_y")
++ push @params, "--size_y", scalar CGI::param("size_y")
+ if (defined(CGI::param("size_y")));
+- push @params, "--upper_limit", CGI::param("upper_limit")
++ push @params, "--upper_limit", scalar CGI::param("upper_limit")
+ if (CGI::param("upper_limit"));
+- push @params, "--lower_limit", CGI::param("lower_limit")
++ push @params, "--lower_limit", scalar CGI::param("lower_limit")
+ if (CGI::param("lower_limit"));
+ 
+ # Sometimes we want to set the IMG size, and not the canvas.
diff --git a/munin-2.0.25.tar.gz b/munin-2.0.25.tar.gz
deleted file mode 100644
index 281d52d..0000000
--- a/munin-2.0.25.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6832bc5839d03639e4309178d9370697fc8a80a83d9b6653953f40161e949694
-size 1337586
diff --git a/munin-2.0.30.tar.gz b/munin-2.0.30.tar.gz
new file mode 100644
index 0000000..911ff98
--- /dev/null
+++ b/munin-2.0.30.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6be23035c31ab6b7910ae1080159ae8263759f783a1b10002f44456c4aace61
+size 1342168
diff --git a/munin.changes b/munin.changes
index 837b7cb..d049f05 100644
--- a/munin.changes
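Review bot: The fix forces scalar context on the four `CGI::param` reads in draw_graph, and that is exactly the right lever: in list context `CGI::param` returns every value of a repeated query parameter, so the surplus values become extra elements of `@params` — the option list that already carries `'--output-file', $filename` — rather than one option value, which is the parameter injection this CVE describes. The patch covers only the reads visible in this hunk; any other `CGI::param` call in munin-cgi-graph.in whose result is spliced into a list would have the same list-context problem, and I cannot see the rest of the file from here, so confirm the scope against the upstream fix for issue 721 named in the header. The boolean guards such as `if (CGI::param("upper_limit"))` already evaluate in scalar context and need no change. draw_graph continues outside the hunk.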
+++ b/munin.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Feb 23 12:33:21 UTC 2017 - wr@rosenauer.org
+
+- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability
+ (boo#1026539, CVE-2017-6188-fix-parameter-injection.patch)
+
+-------------------------------------------------------------------
+Sun Feb 19 16:08:24 UTC 2017 - wr@rosenauer.org
+
+- update to version 2.0.30
+ Bugfix releases (closes the following issues since 2.0.25)
+ 2.0.26: Closes: D:761190, GH:426
+ 2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
+ 2.0.29: Closes: D:847649, D:849383
+ 2.0.30: Closes: GH:745, GH:771, GH:783
+
 -------------------------------------------------------------------
 Tue Jan 17 13:04:06 UTC 2017 - bwiedemann@suse.com
 
diff --git a/munin.spec b/munin.spec
index ebfc537..a6f2c5b 100644
--- a/munin.spec
+++ b/munin.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package munin
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 %define active_by_default 0
 
 Name: munin
-Version: 2.0.25
+Version: 2.0.30
 Release: 0
 Summary: Network-wide graphing framework (grapher/gatherer)
 License: GPL-2.0
@@ -48,6 +48,7 @@ Source13: gsa-munin.zip
 # https://svn.koumbit.net/koumbit/trunk/munin-plugins/quota-usage
 Patch: munin-plugin-quota_usage_warnings.patch
 Patch2: mysql55.patch
+Patch3: CVE-2017-6188-fix-parameter-injection.patch
 BuildRequires: html2text
 BuildRequires: perl-HTML-Template
 BuildRequires: perl-Log-Log4perl
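Review bot: `Patch3:` is added without any comment, while the `Patch:` line two lines above carries a source reference; for a security patch a one-line pointer is what lets a later maintainer decide safely when it can be dropped. I would put `# CVE-2017-6188 (boo#1026539), upstream: https://github.com/munin-monitoring/munin/issues/721` directly above the `Patch3:` line, both values taken from the patch header added in this same commit. The matching `%patch3 -p1` in the later hunk of this file needs nothing further.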
@@ -100,10 +101,10 @@ RRDtool.
 
 %package node
 Summary: Network-wide graphing framework (node)
-Group: System/Monitoring
 # some scripts need logtail which is part of package logdigest in openSUSE
 # problem with logdigest is that it installs a cronjob for itself which
 # might be unwanted
+Group: System/Monitoring
 Recommends: logdigest
 Requires: perl-HTML-Template
 Requires: perl-Log-Log4perl
@@ -153,6 +154,7 @@ unzip %{SOURCE12}
 unzip %{SOURCE13}
 %patch
 %patch2 -p1
+%patch3 -p1
 
 %build
 %__make HOSTNAME=yourhostname

From 91228af5e20dbc8f6c2297e756f0f0a322799fa24b027eb0a43280d18309dcc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Thu, 2 Mar 2017 13:45:08 +0000
Subject: [PATCH 2/7] OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=30

---
 munin.spec | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/munin.spec b/munin.spec
index a6f2c5b..9f04d39 100644
--- a/munin.spec
+++ b/munin.spec
@@ -16,12 +16,12 @@
 #
 
-%define htmldir /srv/www/htdocs/munin
-%define cgidir /srv/www/cgi-bin
-%define dbdir /var/lib/munin
-%define logdir /var/log/munin
-%define plugindir /usr/lib/munin/plugins
-%define active_by_default 0
+%define htmldir /srv/www/htdocs/munin
+%define cgidir /srv/www/cgi-bin
+%define dbdir /var/lib/munin
+%define logdir /var/log/munin
+%define plugindir /usr/lib/munin/plugins
+%define active_by_default 0
 
 Name: munin
 Version: 2.0.30
@@ -30,7 +30,7 @@ Summary: Network-wide graphing framework (grapher/gatherer)
 License: GPL-2.0
 Group: System/Monitoring
 Url: http://munin-monitoring.org/
-Source0: http://heanet.dl.sourceforge.net/sourceforge/%{name}/%{name}-%{version}.tar.gz
+Source0: http://downloads.munin-monitoring.org/%{name}/stable/%{version}/%{name}-%{version}.tar.gz
 Source1: Makefile.config
 Source2: munin-node.rc
 Source3: munin.cron.d

From f5f652a988b01fc889ffb385be1985bdbc323c47c5d961e9aa2581fa2a0c53a5 Mon Sep 17 00:00:00 2001
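Review bot: Moving `Group: System/Monitoring` below the three `#` comment lines places it between the logdigest comment and the `Recommends: logdigest` line that comment explains, so the comment now appears to document the group instead. Either leave `Group:` directly under `Summary:` as it was, or put it after `Recommends: logdigest` so the comment and the line it describes stay adjacent. The `%package node` section continues outside the hunk.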
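Review bot: The new `Source0:` URL moves to the upstream host but stays on plain `http://`, so any refresh of the tarball by URL has no transport integrity; if downloads.munin-monitoring.org serves TLS (I cannot confirm that from here) prefer `Source0: https://downloads.munin-monitoring.org/%{name}/stable/%{version}/%{name}-%{version}.tar.gz`. The build itself is unaffected because the checked-in LFS pointer pins the tarball's sha256. The whitespace-only `%define` hunk above needs nothing.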
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Thu, 2 Mar 2017 13:47:00 +0000
Subject: [PATCH 3/7] OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=31

---
 munin.changes | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/munin.changes b/munin.changes
index d049f05..301b6a7 100644
--- a/munin.changes
+++ b/munin.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Mar 2 13:45:33 UTC 2017 - aj@ajaissle.de
+
+- fix source url
+- update to 2.0.32
+- remove CVE-2017-6188-fix-parameter-injection.patch (applied upstream)
+
 -------------------------------------------------------------------
 Thu Feb 23 12:33:21 UTC 2017 - wr@rosenauer.org
 

From 0d344169e68521841446077cc7cc012129378963d97a4a68d52c920cbfe87862 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Thu, 2 Mar 2017 13:47:26 +0000
Subject: [PATCH 4/7] OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=32

---
 munin-2.0.32.tar.gz | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 munin-2.0.32.tar.gz

diff --git a/munin-2.0.32.tar.gz b/munin-2.0.32.tar.gz
new file mode 100644
index 0000000..7fa8b74
--- /dev/null
+++ b/munin-2.0.32.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:132ed808f637af661b5ec8d51415638a53d175a8e0ab10878b89a28f67d018a8
+size 1342572

From 81056ada028c5b0d36d8970277935d713213f9ab609ed400b7f25cc40f4d06e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Thu, 2 Mar 2017 13:48:04 +0000
Subject: [PATCH 5/7] OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=33

---
 munin.spec | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/munin.spec b/munin.spec
index 9f04d39..fbfc24d 100644
--- a/munin.spec
+++ b/munin.spec
@@ -24,7 +24,7 @@
 %define active_by_default 0
 
 Name: munin
-Version: 2.0.30
+Version: 2.0.32
 Release: 0
 Summary: Network-wide graphing framework (grapher/gatherer)
 License: GPL-2.0
@@ -48,7 +48,6 @@ Source13: gsa-munin.zip
 # https://svn.koumbit.net/koumbit/trunk/munin-plugins/quota-usage
 Patch: munin-plugin-quota_usage_warnings.patch
 Patch2: mysql55.patch
-Patch3: CVE-2017-6188-fix-parameter-injection.patch
 BuildRequires: html2text
 BuildRequires: perl-HTML-Template
 BuildRequires: perl-Log-Log4perl
@@ -154,7 +153,6 @@ unzip %{SOURCE12}
 unzip %{SOURCE13}
 %patch
 %patch2 -p1
-%patch3 -p1
 
 %build
 %__make HOSTNAME=yourhostname

From c3e80bde3395e3eddc61311d4f719d7775cf93a5fd3b2f58bdd8c61e6fb92a4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Thu, 2 Mar 2017 13:48:38 +0000
Subject: [PATCH 6/7] OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=34

---
 CVE-2017-6188-fix-parameter-injection.patch | 29 ---------------------
 1 file changed, 29 deletions(-)
 delete mode 100644 CVE-2017-6188-fix-parameter-injection.patch

diff --git a/CVE-2017-6188-fix-parameter-injection.patch b/CVE-2017-6188-fix-parameter-injection.patch
deleted file mode 100644
index 84d76a8..0000000
--- a/CVE-2017-6188-fix-parameter-injection.patch
+++ /dev/null
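Review bot: `Patch3:` is dropped here (and `%patch3 -p1` in the hunk below) on the strength of the "applied upstream" note recorded in munin.changes in an earlier commit of this series, but nothing in this commit records which upstream release carries the `scalar CGI::param` change. Since Patch3 was introduced together with the 2.0.30 update, 2.0.30 presumably lacked the fix; confirm that munin-cgi-graph.in in the 2.0.32 tarball contains it before the local patch goes away, otherwise the CVE silently reopens. A short trace keeps this auditable, e.g. `# CVE-2017-6188 fixed upstream as of 2.0.32 per munin.changes, see https://github.com/munin-monitoring/munin/issues/721` placed after the remaining `Patch2:` line.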
@@ -1,29 +0,0 @@
-From: Tomaž Šolc
-Date: Tue, 21 Feb 2017 14:42:26 +0100
-Subject: CVE-2017-6188: munin-cgi-graph local file write vulnerability
-References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705
- boo#1026539
-Upstream: https://github.com/munin-monitoring/munin/issues/721
-
-Index: munin-2.0.25/master/_bin/munin-cgi-graph.in
-===================================================================
---- munin-2.0.25.orig/master/_bin/munin-cgi-graph.in
--+++ munin-2.0.25/master/_bin/munin-cgi-graph.in
-@@ -447,13 +447,13 @@ sub draw_graph {
- '--output-file', $filename );
- 
- # Sets the correct size on a by_graph basis
-- push @params, "--size_x", CGI::param("size_x")
-+ push @params, "--size_x", scalar CGI::param("size_x")
- if (defined(CGI::param("size_x")));
-- push @params, "--size_y", CGI::param("size_y")
-+ push @params, "--size_y", scalar CGI::param("size_y")
- if (defined(CGI::param("size_y")));
-- push @params, "--upper_limit", CGI::param("upper_limit")
-+ push @params, "--upper_limit", scalar CGI::param("upper_limit")
- if (CGI::param("upper_limit"));
-- push @params, "--lower_limit", CGI::param("lower_limit")
-+ push @params, "--lower_limit", scalar CGI::param("lower_limit")
- if (CGI::param("lower_limit"));
- 
- # Sometimes we want to set the IMG size, and not the canvas.

From c285c516e22997ea2ab58deec30fdd4713b00182bd28686aa2df26ce7b9e8107 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Thu, 2 Mar 2017 13:48:43 +0000
Subject: [PATCH 7/7] OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=35

---
 munin-2.0.30.tar.gz | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 munin-2.0.30.tar.gz

diff --git a/munin-2.0.30.tar.gz b/munin-2.0.30.tar.gz
deleted file mode 100644
index 911ff98..0000000
--- a/munin-2.0.30.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c6be23035c31ab6b7910ae1080159ae8263759f783a1b10002f44456c4aace61
-size 1342168