Bug#856219: marked as done (unblock: munin/2.0.31-1)

To: Jonathan Wiltshire <jmw@debian.org>
Subject: Bug#856219: marked as done (unblock: munin/2.0.31-1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 26 Feb 2017 18:39:07 +0000
Message-id: <[🔎] handler.856219.D856219.14881342775501.ackdone@bugs.debian.org>
References: <20170226183755.4edomd7jgd5yhzvd@powdarrmonkey.net> <[🔎] 20170226174135.GA24459@layer-acht.org>

Your message dated Sun, 26 Feb 2017 18:37:55 +0000
with message-id <20170226183755.4edomd7jgd5yhzvd@powdarrmonkey.net>
and subject line Re: Bug#856219: unblock: munin/2.0.31-1
has caused the Debian Bug report #856219,
regarding unblock: munin/2.0.31-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
856219: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856219
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: munin/2.0.31-1
From: Holger Levsen <holger@debian.org>
Date: Sun, 26 Feb 2017 18:41:35 +0100
Message-id: <[🔎] 20170226174135.GA24459@layer-acht.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package munin, it fixes CVE-2017-6188, a local file write
vulnerability also tracked as #855705.

The ntp plugin change is unrelated but trivial and small (and part of the new
upstream release carrying the CVE fix).

$ diffstat munin_2.0.31-1.diff
 ChangeLog                            |   36 +++++++++++++++++++++++++++++++++++
 RELEASE                              |    2 -
 debian/changelog                     |    6 +++++
 master/_bin/munin-cgi-graph.in       |   22 +++++++++++++--------
 plugins/node.d/ntp_kernel_err.in     |    6 +----
 plugins/node.d/ntp_kernel_pll_off.in |    6 +----
 6 files changed, 61 insertions(+), 17 deletions(-)

unblock munin/2.0.31-1

The full debdiff is:


diff -Nru munin-2.0.30/ChangeLog munin-2.0.31/ChangeLog
--- munin-2.0.30/ChangeLog	2017-01-18 21:25:20.000000000 +0100
+++ munin-2.0.31/ChangeLog	2017-02-25 17:19:55.000000000 +0100
@@ -1,5 +1,41 @@
 -*- text -*-
 
+munin-2.0.31, 2017-02-25
+
+-------
+Summary
+-------
+
+Bugfix release.
+
+Closes: GH:607
+
+------------------
+Detailed Changelog
+------------------
+
+Kenyon Ralph (1):
+      ntp_kernel plugins: convert ntpq output to seconds
+
+
+munin-2.0.30.1, 2017-02-25
+
+-------
+Summary
+-------
+
+Security release.
+
+Closes: GH:721, D:855705, CVE-2017-6188
+
+------------------
+Detailed Changelog
+------------------
+
+Steve Schnepp (1):
+      Fix wrong parameter expansion in CGI
+
+
 munin-2.0.30, 2017-01-18
 
 -------
diff -Nru munin-2.0.30/debian/changelog munin-2.0.31/debian/changelog
--- munin-2.0.30/debian/changelog	2017-01-21 12:58:51.000000000 +0100
+++ munin-2.0.31/debian/changelog	2017-02-25 23:24:27.000000000 +0100
@@ -1,3 +1,9 @@
+munin (2.0.31-1) unstable; urgency=medium
+
+  * New upstream release, fixing CVE-2017-6188. (Closes: #855705)
+
+ -- Holger Levsen <holger@debian.org>  Sat, 25 Feb 2017 23:24:27 +0100
+
 munin (2.0.30-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru munin-2.0.30/master/_bin/munin-cgi-graph.in munin-2.0.31/master/_bin/munin-cgi-graph.in
--- munin-2.0.30/master/_bin/munin-cgi-graph.in	2017-01-18 21:25:20.000000000 +0100
+++ munin-2.0.31/master/_bin/munin-cgi-graph.in	2017-02-25 17:19:55.000000000 +0100
@@ -447,14 +447,20 @@
 		   '--output-file', $filename );
 
     # Sets the correct size on a by_graph basis
-    push @params, "--size_x", CGI::param("size_x")
-      if (defined(CGI::param("size_x")));
-    push @params, "--size_y", CGI::param("size_y")
-      if (defined(CGI::param("size_y")));
-    push @params, "--upper_limit", CGI::param("upper_limit")
-      if (CGI::param("upper_limit"));
-    push @params, "--lower_limit", CGI::param("lower_limit")
-      if (CGI::param("lower_limit"));
+
+    # using a temporary variable to avoid expansion in list context and fix CVE-2017-6188
+    my $size_x = CGI::param("size_x");
+    push @params, "--size_x", $size_x if defined $size_x;
+
+    my $size_y = CGI::param("size_y");
+    push @params, "--size_y", $size_y if defined $size_y;
+
+    my $upper_limit = CGI::param("upper_limit");
+    push @params, "--upper_limit", $upper_limit if defined $upper_limit;
+
+    my $lower_limit = CGI::param("lower_limit");
+    push @params, "--lower_limit", $lower_limit if defined $lower_limit;
+
 
     # Sometimes we want to set the IMG size, and not the canvas.
     push @params, "--full_size_mode"
diff -Nru munin-2.0.30/plugins/node.d/ntp_kernel_err.in munin-2.0.31/plugins/node.d/ntp_kernel_err.in
--- munin-2.0.30/plugins/node.d/ntp_kernel_err.in	2017-01-18 21:25:20.000000000 +0100
+++ munin-2.0.31/plugins/node.d/ntp_kernel_err.in	2017-02-25 17:19:55.000000000 +0100
@@ -53,9 +53,7 @@
 
 if [ $(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.') -ge 427 ]
 then
-    cmd=ntpq
+    ntpq -c kerninfo | awk '/^estimated error:/ { print $3 / 1000 }'
 else
-    cmd=ntpdc
+    ntpdc -c kerninfo | awk '/^estimated error:/ { print $3 }'
 fi
-
-$cmd -c kerninfo | awk '/^estimated error:/ { print $3 }'
diff -Nru munin-2.0.30/plugins/node.d/ntp_kernel_pll_off.in munin-2.0.31/plugins/node.d/ntp_kernel_pll_off.in
--- munin-2.0.30/plugins/node.d/ntp_kernel_pll_off.in	2017-01-18 21:25:20.000000000 +0100
+++ munin-2.0.31/plugins/node.d/ntp_kernel_pll_off.in	2017-02-25 17:19:55.000000000 +0100
@@ -53,9 +53,7 @@
 
 if [ $(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.') -ge 427 ]
 then
-    cmd=ntpq
+    ntpq -c kerninfo | awk '/^pll offset:/ { print $3 / 1000 }'
 else
-    cmd=ntpdc
+    ntpdc -c kerninfo | awk '/^pll offset:/ { print $3 }'
 fi
-
-$cmd -c kerninfo | awk '/^pll offset:/ { print $3 }'
diff -Nru munin-2.0.30/RELEASE munin-2.0.31/RELEASE
--- munin-2.0.30/RELEASE	2017-01-18 21:26:23.000000000 +0100
+++ munin-2.0.31/RELEASE	2017-02-25 20:58:15.000000000 +0100
@@ -1 +1 @@
-2.0.30
+2.0.31

-- 
cheers,
	Holger

Attachment: signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

To: Holger Levsen <holger@debian.org>, 856219-done@bugs.debian.org

Subject: Re: Bug#856219: unblock: munin/2.0.31-1

From: Jonathan Wiltshire <jmw@debian.org>

Date: Sun, 26 Feb 2017 18:37:55 +0000

Message-id: <20170226183755.4edomd7jgd5yhzvd@powdarrmonkey.net>

In-reply-to: <[🔎] 20170226174135.GA24459@layer-acht.org>

References: <[🔎] 20170226174135.GA24459@layer-acht.org>
On Sun, Feb 26, 2017 at 06:41:35PM +0100, Holger Levsen wrote:
> Please unblock package munin, it fixes CVE-2017-6188, a local file write
> vulnerability also tracked as #855705.

Unblocked and aged to 2 by Niels earlier; should migrate on Tuesday. 

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
--- End Message ---

Reply to:

References:
- Bug#856219: unblock: munin/2.0.31-1
  - From: Holger Levsen <holger@debian.org>

Prev by Date: Bug#856225: unblock: sugar-irc-activity/8-1.3
Next by Date: Bug#856220: marked as done (unblock: debian-edu-config/1.923)
Previous by thread: Bug#856219: unblock: munin/2.0.31-1
Next by thread: Bug#855835: marked as done (unblock: libebur128/1.2.0-2)
Index(es):
- Date
- Thread