Bugzilla – Bug 759910
VUL-1: CVE-2012-2147: munin: remote denial of service by large image sizes
Last modified: 2019-08-31 06:46:44 UTC
is public, via oss-sec
Statistics scripts in munin can be passed the desired image size by remote
attackers, allowing very large image sizes to be passed into the process, which
can effectively run the machine out of memory.
a) common reproducer to obtain an existing image and store it into
HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | netcat localhost 80
(this was for a different issue, where you could fill /tmp with such images that are cached -Marcus)
b) reproducer for excessive memory / storage usage (previous part
is same as in case a) ):
In general, the munin developers appear to recommend that access to this be limited.
Can you enlighten us how it is limited, and how the ATK setup of munin is?
bugbot adjusting priority
There is a patch at the end of the debian bug report that checks for image size:
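The report above describes a client-controlled graph size that reaches the renderer without a bound, and the comment above refers to a Debian patch that adds a size check. The following is an added illustration of that check, written in Python for this page; it is not munin's code (munin is Perl) and not the Debian patch. The parameter names size_x and size_y, the limits, and the 4-bytes-per-pixel memory model are assumptions made for the example.

```python
"""Added example (not munin's code): bound a client-supplied graph size
before allocating the raster.  Parameter names, limits and the memory
model are assumptions for illustration."""
from urllib.parse import parse_qs

# Limits are assumptions chosen for this example, not munin's values.
MAX_WIDTH = 4096
MAX_HEIGHT = 4096
MAX_PIXELS = 4_000_000          # total pixel budget per request
BYTES_PER_PIXEL = 4             # RGBA raster, an illustrative approximation
DEFAULT_SIZE = (400, 175)       # assumed default graph size


class BadSize(ValueError):
    """Raised when a client-supplied graph size is rejected."""


def _int_param(params, name, default):
    """Return the integer value of a query parameter, or default if absent.
    Non-numeric values are rejected rather than silently coerced."""
    values = params.get(name)
    if not values:
        return default
    try:
        return int(values[-1], 10)
    except ValueError:
        raise BadSize(f"{name} is not an integer: {values[-1]!r}") from None


def requested_size(query):
    """Parse size_x/size_y from a query string with no bounds checking.
    This mirrors the weakness in the report: whatever the client sends is
    what a naive renderer would try to allocate."""
    params = parse_qs(query)
    width = _int_param(params, "size_x", DEFAULT_SIZE[0])
    height = _int_param(params, "size_y", DEFAULT_SIZE[1])
    return width, height


def unbounded_allocation(query):
    """Bytes a naive renderer would request for the raster.  Computed, not
    allocated, so this is safe to call with hostile input."""
    width, height = requested_size(query)
    return width * height * BYTES_PER_PIXEL


def checked_size(query):
    """Hardened variant: reject sizes that are non-positive, exceed either
    dimension limit, or exceed the pixel budget.  The product is checked
    before any allocation, because a per-dimension limit alone still lets
    a large width times a large height through."""
    width, height = requested_size(query)
    if width <= 0 or height <= 0:
        raise BadSize(f"non-positive size {width}x{height}")
    if width > MAX_WIDTH or height > MAX_HEIGHT:
        raise BadSize(f"{width}x{height} exceeds {MAX_WIDTH}x{MAX_HEIGHT}")
    if width * height > MAX_PIXELS:
        raise BadSize(f"{width}x{height} exceeds pixel budget {MAX_PIXELS}")
    return width, height


def render(query):
    """Allocate the raster only after validation; returns the buffer size."""
    width, height = checked_size(query)
    raster = bytearray(width * height * BYTES_PER_PIXEL)  # bounded by MAX_PIXELS
    return len(raster)


if __name__ == "__main__":
    # Constructed attacker request: 100000x100000 pixels.
    hostile = "size_x=100000&size_y=100000"
    print("naive renderer would request", unbounded_allocation(hostile), "bytes")
    try:
        render(hostile)
    except BadSize as exc:
        print("rejected:", exc)
    print("normal request allocates", render("size_x=800&size_y=300"), "bytes")
```

The point of checking the product as well as each dimension is that two individually acceptable values can still multiply into an allocation far larger than intended; a per-request pixel budget closes that gap regardless of what the per-dimension limits are.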
cc wolfgang, maintainer of munin in server:monitoring
tentatively fixed in server:monitoring fwiw, I need to verify once OBS builds packages again
As this is not accessible by default in Studio, and the admin has to enable it first,
I am putting this on the planned update list only.
We can merge this bug into a future munin update, if one happens.