Bug 759910 - (CVE-2012-2147) VUL-1: CVE-2012-2147: munin: remote denial of service by large image sizes
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Jordi Massaguer
QA Contact: Security Team bot
Whiteboard: maint:planned:update
Depends on:
Reported: 2012-04-30 13:25 UTC by Marcus Meissner
Modified: 2019-08-31 06:46 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2012-04-30 13:25:29 UTC
is public, via oss-sec

Statistics scripts in munin can be passed the desired image size by remote
attackers, allowing them to pass very large image sizes into the process, which
could effectively run the machine out of memory.

also references:

a) common reproducer to obtain an existing image and store it into
   Munin's cache:

   printf 'GET
HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | netcat localhost 80

   (this was for a different issue, where you could fill /tmp with such images that are cached -Marcus)

b) reproducer for excessive memory / storage usage (previous part
   is same as in case a) ):
Comment 1 Marcus Meissner 2012-04-30 13:27:01 UTC
In general the munin developers appear to recommend that access to this is limited
to administrators.

Can you enlighten us how it is limited, and how the ATK setup of munin is?
Comment 2 Swamp Workflow Management 2012-04-30 22:00:15 UTC
bugbot adjusting priority
Comment 3 Jordi Massaguer 2012-05-02 09:17:30 UTC
There is a patch at the end of the debian bug report that checks for image size:

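The description above explains the failure mode (a remote caller chooses the graph dimensions, so a huge width and height make the renderer allocate an unbounded buffer) and Comment 3 points at a patch that checks the image size. The following is an added example of such a bounds check, written for this page; it is not Munin's own code nor the Debian patch. It assumes CGI-style query parameters named `size_x` and `size_y`, the limits `MAX_WIDTH`, `MAX_HEIGHT` and `MAX_PIXELS`, and a 4-bytes-per-pixel estimate; all of these are illustrative choices, not values taken from Munin.

```python
"""Bounds-check client-supplied graph dimensions before rendering.

Added example for this bug report, not Munin's code or the Debian patch.
Parameter names, limits and the bytes-per-pixel figure are assumptions.
"""
import re
from urllib.parse import parse_qs

# Assumed limits: generous for any dashboard, small enough that a single
# request cannot force the renderer to allocate gigabytes.
MAX_WIDTH = 4096
MAX_HEIGHT = 4096
MAX_PIXELS = 4_000_000        # about 16 MiB at the assumed 4 bytes/pixel
BYTES_PER_PIXEL = 4           # assumed RGBA raster buffer
DEFAULT_SIZE = (400, 175)     # assumed default when no size is requested

_DIGITS = re.compile(r"[0-9]+")   # ASCII digits only; int() would accept more


class InvalidSizeError(ValueError):
    """Raised when a requested dimension is absent, malformed or too large."""


def _parse_dim(params, name, default, maximum):
    """Return one dimension as int, or raise InvalidSizeError.

    Rejects empty, negative, non-numeric and out-of-range values instead of
    letting them reach the renderer.
    """
    values = params.get(name)
    if not values:
        return default
    raw = values[-1]                       # last occurrence wins, as in most CGI libs
    if not _DIGITS.fullmatch(raw):
        raise InvalidSizeError(f"{name} must be a positive integer, got {raw!r}")
    value = int(raw)
    if value < 1 or value > maximum:
        raise InvalidSizeError(f"{name}={value} outside allowed range 1..{maximum}")
    return value


def estimated_buffer_bytes(width, height):
    """Rough size of the raster the renderer would have to allocate."""
    return width * height * BYTES_PER_PIXEL


def validated_graph_size(query_string, default=DEFAULT_SIZE):
    """Parse size_x/size_y from a query string and enforce all limits.

    Both per-axis limits and a total pixel budget are enforced: two values
    that are individually allowed can still multiply to an excessive buffer.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    width = _parse_dim(params, "size_x", default[0], MAX_WIDTH)
    height = _parse_dim(params, "size_y", default[1], MAX_HEIGHT)
    if width * height > MAX_PIXELS:
        raise InvalidSizeError(
            f"{width}x{height} = {width * height} pixels exceeds budget of {MAX_PIXELS}"
        )
    return width, height


def check_request(query_string):
    """Return (accepted, detail) suitable for an access/audit log line."""
    try:
        width, height = validated_graph_size(query_string)
    except InvalidSizeError as exc:
        return False, f"rejected: {exc}"
    return True, f"accepted {width}x{height} ({estimated_buffer_bytes(width, height)} bytes)"


if __name__ == "__main__":
    # Constructed sample requests: a normal graph, a missing size, and
    # an oversized request of the kind the report describes.
    for qs in ("size_x=800&size_y=400", "", "size_x=100000&size_y=100000"):
        print(f"{qs or '<no size>'!s:40} -> {check_request(qs)[1]}")
```

The point of the separate pixel budget is that clamping each axis alone is not enough: at the assumed 4 bytes per pixel, the oversized request in the sample (100000 by 100000) would ask for roughly 40 GB, but even two in-range values at the per-axis maximum still multiply to far more than the budget, so the area check is the one that actually bounds memory use.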
Comment 8 Marcus Meissner 2012-05-03 11:41:27 UTC
cc wolfgang, maintainer of munin in server:monitoring
Comment 9 Wolfgang Rosenauer 2012-05-03 16:26:34 UTC
Tentatively fixed in server:monitoring, FWIW; I need to verify once OBS builds packages again.
Comment 11 Marcus Meissner 2012-05-07 09:28:52 UTC
As this is not default accessible in Studio, and the admin has to enable it first,
I am putting this on the planned update list only.

We can merge this bug into a future munin update, if one happens.