Accepting request 460029 from home:wrosenauer:devel

- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability (boo#1026539, CVE-2017-6188-fix-parameter-injection.patch) - update to version 2.0.30 Bugfix releases (closes the following issues since 2.0.25) 2.0.26: Closes: D:761190, GH:426 2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714 2.0.29: Closes: D:847649, D:849383 2.0.30: Closes: GH:745, GH:771, GH:783 OBS-URL: https://build.opensuse.org/request/show/460029 OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=29
2017-03-02 13:20:39 +00:00 · 2017-03-02 13:20:39 +00:00 · 40db143d15
commit 40db143d15
parent 4c4a818972
5 changed files with 53 additions and 6 deletions
--- a/CVE-2017-6188-fix-parameter-injection.patch
+++ b/CVE-2017-6188-fix-parameter-injection.patch
@ -0,0 +1,29 @@
+From: Tomaž Šolc <tomaz.solc@tablix.org>
+Date: Tue, 21 Feb 2017 14:42:26 +0100
+Subject: CVE-2017-6188: munin-cgi-graph local file write vulnerability
+References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705
+            boo#1026539
+Upstream: https://github.com/munin-monitoring/munin/issues/721
+
+Index: munin-2.0.25/master/_bin/munin-cgi-graph.in
+===================================================================
+--- munin-2.0.25.orig/master/_bin/munin-cgi-graph.in
+++ munin-2.0.25/master/_bin/munin-cgi-graph.in
+@@ -447,13 +447,13 @@ sub draw_graph {
+ 		   '--output-file', $filename );
+ 
+     # Sets the correct size on a by_graph basis
+-    push @params, "--size_x", CGI::param("size_x")
+    push @params, "--size_x", scalar CGI::param("size_x")
+       if (defined(CGI::param("size_x")));
+-    push @params, "--size_y", CGI::param("size_y")
+    push @params, "--size_y", scalar CGI::param("size_y")
+       if (defined(CGI::param("size_y")));
+-    push @params, "--upper_limit", CGI::param("upper_limit")
+    push @params, "--upper_limit", scalar CGI::param("upper_limit")
+       if (CGI::param("upper_limit"));
+-    push @params, "--lower_limit", CGI::param("lower_limit")
+    push @params, "--lower_limit", scalar CGI::param("lower_limit")
+       if (CGI::param("lower_limit"));
+ 
+     # Sometimes we want to set the IMG size, and not the canvas.
--- a/munin-2.0.25.tar.gz
+++ b/munin-2.0.25.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6832bc5839d03639e4309178d9370697fc8a80a83d9b6653953f40161e949694
-size 1337586
--- a/munin-2.0.30.tar.gz
+++ b/munin-2.0.30.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6be23035c31ab6b7910ae1080159ae8263759f783a1b10002f44456c4aace61
+size 1342168
--- a/munin.changes
+++ b/munin.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Feb 23 12:33:21 UTC 2017 - wr@rosenauer.org
+
+- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability
+  (boo#1026539, CVE-2017-6188-fix-parameter-injection.patch)
+
+-------------------------------------------------------------------
+Sun Feb 19 16:08:24 UTC 2017 - wr@rosenauer.org
+
+- update to version 2.0.30
+  Bugfix releases (closes the following issues since 2.0.25)
+  2.0.26: Closes: D:761190, GH:426
+  2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
+  2.0.29: Closes: D:847649, D:849383
+  2.0.30: Closes: GH:745, GH:771, GH:783
+
 -------------------------------------------------------------------
 Tue Jan 17 13:04:06 UTC 2017 - bwiedemann@suse.com

--- a/munin.spec
+++ b/munin.spec
@ -1,7 +1,7 @@
 #
 # spec file for package munin
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -24,7 +24,7 @@
 %define 	active_by_default 0

 Name:           munin
-Version:        2.0.25
+Version:        2.0.30
 Release:        0
 Summary:        Network-wide graphing framework (grapher/gatherer)
 License:        GPL-2.0
@ -48,6 +48,7 @@ Source13:       gsa-munin.zip
 # https://svn.koumbit.net/koumbit/trunk/munin-plugins/quota-usage
 Patch:          munin-plugin-quota_usage_warnings.patch
 Patch2:         mysql55.patch
+Patch3:         CVE-2017-6188-fix-parameter-injection.patch
 BuildRequires:  html2text
 BuildRequires:  perl-HTML-Template
 BuildRequires:  perl-Log-Log4perl
@ -100,10 +101,10 @@ RRDtool.

 %package node
 Summary:        Network-wide graphing framework (node)
-Group:          System/Monitoring
 # some scripts need logtail which is part of package logdigest in openSUSE
 # problem with logdigest is that it installs a cronjob for itself which
 # might be unwanted
+Group:          System/Monitoring
 Recommends:     logdigest
 Requires:       perl-HTML-Template
 Requires:       perl-Log-Log4perl
@ -153,6 +154,7 @@ unzip %{SOURCE12}
 unzip %{SOURCE13}
 %patch
 %patch2 -p1
+%patch3 -p1

 %build
 %__make HOSTNAME=yourhostname