[Secure-testing-team] Bug#683998: munin: allows creation of sockets at arbitrary locations (/tmp file vulnerability)
Helmut Grohne
helmut at subdivi.de
Mon Aug 6 07:06:11 UTC 2012
Package: munin
Version: 1.4.5-3
Severity: serious
Tags: security
I wondered where a socket /tmp/munin-master-processmanager-12345.sock
would come from and whether it was created in a secure way. In the
presence of this bug report you may have guessed, that it is not. The
corresponding code can be found in
/usr/share/perl5/Munin/Master/ProcessManager.pm. Apparently rundir is
set to /tmp and the _prepare_unix_socket subroutine happily unlink(2)s
that path and creates a socket. So via a simple race condition (use
inotify!) we can place a symbolic link at the desired location and make
munin place a socket at an arbitrary location. It should also be
possible to turn this into a local denial of service by pointing to a
non-existent directory. Please evaluate the impact of this issue and
downgrade the severity accordingly. Fixing this issue should be easy
changing the default for rundir.
Helmut
More information about the Secure-testing-team
mailing list