Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package munin, it fixes CVE-2017-6188, a local file write vulnerability also tracked as #855705. The ntp plugin change is unrelated but trivial and small (and part of the new upstream release carrying the CVE fix). $ diffstat munin_2.0.31-1.diff ChangeLog | 36 +++++++++++++++++++++++++++++++++++ RELEASE | 2 - debian/changelog | 6 +++++ master/_bin/munin-cgi-graph.in | 22 +++++++++++++-------- plugins/node.d/ntp_kernel_err.in | 6 +---- plugins/node.d/ntp_kernel_pll_off.in | 6 +---- 6 files changed, 61 insertions(+), 17 deletions(-) unblock munin/2.0.31-1 The full debdiff is: diff -Nru munin-2.0.30/ChangeLog munin-2.0.31/ChangeLog --- munin-2.0.30/ChangeLog 2017-01-18 21:25:20.000000000 +0100 +++ munin-2.0.31/ChangeLog 2017-02-25 17:19:55.000000000 +0100 @@ -1,5 +1,41 @@ -*- text -*- +munin-2.0.31, 2017-02-25 + +------- +Summary +------- + +Bugfix release. + +Closes: GH:607 + +------------------ +Detailed Changelog +------------------ + +Kenyon Ralph (1): + ntp_kernel plugins: convert ntpq output to seconds + + +munin-2.0.30.1, 2017-02-25 + +------- +Summary +------- + +Security release. + +Closes: GH:721, D:855705, CVE-2017-6188 + +------------------ +Detailed Changelog +------------------ + +Steve Schnepp (1): + Fix wrong parameter expansion in CGI + + munin-2.0.30, 2017-01-18 ------- diff -Nru munin-2.0.30/debian/changelog munin-2.0.31/debian/changelog --- munin-2.0.30/debian/changelog 2017-01-21 12:58:51.000000000 +0100 +++ munin-2.0.31/debian/changelog 2017-02-25 23:24:27.000000000 +0100 @@ -1,3 +1,9 @@ +munin (2.0.31-1) unstable; urgency=medium + + * New upstream release, fixing CVE-2017-6188. (Closes: #855705) + + -- Holger Levsen <holger@debian.org> Sat, 25 Feb 2017 23:24:27 +0100 + munin (2.0.30-1) unstable; urgency=medium * New upstream release. diff -Nru munin-2.0.30/master/_bin/munin-cgi-graph.in munin-2.0.31/master/_bin/munin-cgi-graph.in --- munin-2.0.30/master/_bin/munin-cgi-graph.in 2017-01-18 21:25:20.000000000 +0100 +++ munin-2.0.31/master/_bin/munin-cgi-graph.in 2017-02-25 17:19:55.000000000 +0100 @@ -447,14 +447,20 @@ '--output-file', $filename ); # Sets the correct size on a by_graph basis - push @params, "--size_x", CGI::param("size_x") - if (defined(CGI::param("size_x"))); - push @params, "--size_y", CGI::param("size_y") - if (defined(CGI::param("size_y"))); - push @params, "--upper_limit", CGI::param("upper_limit") - if (CGI::param("upper_limit")); - push @params, "--lower_limit", CGI::param("lower_limit") - if (CGI::param("lower_limit")); + + # using a temporary variable to avoid expansion in list context and fix CVE-2017-6188 + my $size_x = CGI::param("size_x"); + push @params, "--size_x", $size_x if defined $size_x; + + my $size_y = CGI::param("size_y"); + push @params, "--size_y", $size_y if defined $size_y; + + my $upper_limit = CGI::param("upper_limit"); + push @params, "--upper_limit", $upper_limit if defined $upper_limit; + + my $lower_limit = CGI::param("lower_limit"); + push @params, "--lower_limit", $lower_limit if defined $lower_limit; + # Sometimes we want to set the IMG size, and not the canvas. push @params, "--full_size_mode" diff -Nru munin-2.0.30/plugins/node.d/ntp_kernel_err.in munin-2.0.31/plugins/node.d/ntp_kernel_err.in --- munin-2.0.30/plugins/node.d/ntp_kernel_err.in 2017-01-18 21:25:20.000000000 +0100 +++ munin-2.0.31/plugins/node.d/ntp_kernel_err.in 2017-02-25 17:19:55.000000000 +0100 @@ -53,9 +53,7 @@ if [ $(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.') -ge 427 ] then - cmd=ntpq + ntpq -c kerninfo | awk '/^estimated error:/ { print $3 / 1000 }' else - cmd=ntpdc + ntpdc -c kerninfo | awk '/^estimated error:/ { print $3 }' fi - -$cmd -c kerninfo | awk '/^estimated error:/ { print $3 }' diff -Nru munin-2.0.30/plugins/node.d/ntp_kernel_pll_off.in munin-2.0.31/plugins/node.d/ntp_kernel_pll_off.in --- munin-2.0.30/plugins/node.d/ntp_kernel_pll_off.in 2017-01-18 21:25:20.000000000 +0100 +++ munin-2.0.31/plugins/node.d/ntp_kernel_pll_off.in 2017-02-25 17:19:55.000000000 +0100 @@ -53,9 +53,7 @@ if [ $(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.') -ge 427 ] then - cmd=ntpq + ntpq -c kerninfo | awk '/^pll offset:/ { print $3 / 1000 }' else - cmd=ntpdc + ntpdc -c kerninfo | awk '/^pll offset:/ { print $3 }' fi - -$cmd -c kerninfo | awk '/^pll offset:/ { print $3 }' diff -Nru munin-2.0.30/RELEASE munin-2.0.31/RELEASE --- munin-2.0.30/RELEASE 2017-01-18 21:26:23.000000000 +0100 +++ munin-2.0.31/RELEASE 2017-02-25 20:58:15.000000000 +0100 @@ -1 +1 @@ -2.0.30 +2.0.31 -- cheers, Holger
Attachment:
signature.asc
Description: Digital signature