From 41f5cccaab0e752dee080ae4e546f484b5dfd9c0 Mon Sep 17 00:00:00 2001
From: d. johnson
Date: Feb 27 2017 04:04:14 +0000
Subject: CVE-2017-6188: Upstream PR 797: Fix wrong parameter expansion in CGI
---
diff --git a/797.patch b/797.patch
new file mode 100644
index 0000000..3cd6ff4
--- /dev/null
+++ b/797.patch
@@ -0,0 +1,70 @@
+From 42ce18f24d3eae8be33526a198bf21e4f2330230 Mon Sep 17 00:00:00 2001
+From: Steve Schnepp
+Date: Sat, 25 Feb 2017 11:20:52 +0100
+Subject: [PATCH] Fix wrong parameter expansion in CGI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As Tomaž Šolc said :
+
+ Munin package in Jessie has a local file write vulnerability when CGI graphs are
+ enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
+ file accessible to the www-data user.
+
+And sstj said :
+
+ Running munin-2.0.25 on Gentoo. I observed this message in the logs
+
+ 2016/07/26 21:57:54 [PERL WARNING] CGI::param called in list context
+ from /usr/libexec/munin/cgi/munin-cgi-graph line 450, this can lead to
+ vulnerabilities. See the warning in "Fetching the value or values of a
+ single named parameter" at /usr/lib64/perl5/vendor_perl/5.20.2/CGI.pm
+ line 404.
+
+ This allows injecting options into munin-cgi-graph (similar to
+ http://munin-monitoring.org/ticket/1238 ), by doing something like
+ this:
+
+ &upper_limit=500&upper_limit=--output-file&upper_limit=/tmp/test.txt
+
+ which wrote the graph to /tmp/test.txt
+
+Closes: #721, D:855705, CVE-2017-6188
+---
+ master/_bin/munin-cgi-graph.in | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/master/_bin/munin-cgi-graph.in b/master/_bin/munin-cgi-graph.in
+index 092458b..09bc3f2 100755
+--- a/master/_bin/munin-cgi-graph.in
++++ b/master/_bin/munin-cgi-graph.in
+@@ -335,14 +335,20 @@ sub draw_graph {
+ '--output-file', $filename );
+ 
+ # Sets the correct size on a by_graph basis
+- push @params, "--size_x", CGI::param("size_x")
+- if (defined(CGI::param("size_x")));
+- push @params, "--size_y", CGI::param("size_y")
+- if (defined(CGI::param("size_y")));
+- push @params, "--upper_limit", CGI::param("upper_limit")
+- if (CGI::param("upper_limit"));
+- push @params, "--lower_limit", CGI::param("lower_limit")
+- if (CGI::param("lower_limit"));
++
++ # using a temporary variable to avoid expansion in list context and fix CVE-2017-6188
++ my $size_x = CGI::param("size_x");
++ push @params, "--size_x", $size_x if defined $size_x;
++
++ my $size_y = CGI::param("size_y");
++ push @params, "--size_y", $size_y if defined $size_y;
++
++ my $upper_limit = CGI::param("upper_limit");
++ push @params, "--upper_limit", $upper_limit if defined $upper_limit;
++
++ my $lower_limit = CGI::param("lower_limit");
++ push @params, "--lower_limit", $lower_limit if defined $lower_limit;
++
+ 
+ graph_main(\@params);
+ 
diff --git a/munin.spec b/munin.spec
index f35d4f5..5d223c2 100644
--- a/munin.spec
+++ b/munin.spec
@@ -1,6 +1,6 @@
 Name: munin
 Version: 2.0.30
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Network-wide graphing framework (grapher/gatherer)
 Group: System Environment/Daemons
@@ -51,6 +51,7 @@ Patch13: mariadb-show-status.patch
 Patch14: mariadb-innodb.patch
 #Patch15: https://patch-diff.githubusercontent.com/raw/munin-monitoring/munin/pull/737.patch
 #Patch16: https://patch-diff.githubusercontent.com/raw/munin-monitoring/munin/pull/759.patch
+Patch17: https://patch-diff.githubusercontent.com/raw/munin-monitoring/munin/pull/797.patch
 BuildArch: noarch
@@ -361,6 +362,8 @@ install -c %{SOURCE13} ./resources/
 install -c %{SOURCE20} .
 sed -i -e 's,^PERLSITELIB := \(.*\),PERLSITELIB := %{perl_vendorlib},;' Makefile.config-dist
+%patch17 -p1 -F2
+
 %build
 %if 0%{?rhel} > 6
@@ -877,6 +880,10 @@ exit 0
 %changelog
+* Mon Feb 27 2017 "D. Johnson" - 2.0.30-5
+- CVE-2017-6188: Upstream PR 797: Fix wrong parameter expansion in CGI
+- RHBZ#: 1425855,1425857,1425858
+
 * Fri Feb 10 2017 "D. Johnson" - 2.0.30-4
 - added Pablo Chamorro packaging suggestions for helping CGI scripts
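Review bot: The four values read on the new side (`my $size_x = CGI::param("size_x");` and its three siblings) are still pushed into @params without any check on their content, so the change stops the list-context expansion but still lets an arbitrary request string travel as an option value into graph_main, whose handling of @params is not shown here. Since the option names imply numbers, guard each push with an anchored pattern, e.g. `push @params, "--size_x", $size_x if defined $size_x && $size_x =~ m{\A-?\d+(?:\.\d+)?\z};`, and do the same for size_y, upper_limit and lower_limit so that only a number ever reaches the option parser. Note also that switching upper_limit and lower_limit from a truthiness test to `defined` is a behaviour change: an empty or "0" value used to be skipped and is now passed through as `--upper_limit ""`. draw_graph begins and ends outside the hunk, and because these lines live inside the vendored 797.patch the tightening belongs in the upstream patch rather than in the packaging layer.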
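Review bot: `%patch17 -p1 -F2` applies the CVE fix with fuzz factor 2, which lets the hunk be placed against shifted or partially matching context without failing the build, so a later source refresh could silently mis-apply a security patch. If 797.patch applies cleanly to 2.0.30 (not verifiable from this page), drop the fuzz and use `%patch17 -p1` so that any drift surfaces as a build error; if fuzz is genuinely required, a short comment above the line explaining why would save the next maintainer from removing it blindly.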