Bugzilla – Bug 759910
VUL-1: CVE-2012-2147: munin: remote denial of service by large image sizes
Last modified: 2019-08-31 06:46:44 UTC
is public, via oss-sec http://www.openwall.com/lists/oss-security/2012/04/29/2

CVE-2012-2147: Statistics scripts in munin can be passed the desired image size by remote attackers, allowing very large image sizes to be passed into the process, which effectively could run the machine out of memory.

Also references:
https://bugzilla.redhat.com/show_bug.cgi?id=817488
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14

Reproducers:

a) common reproducer to obtain an existing image and store it into Munin's cache:

printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | netcat localhost 80

(this was for a different issue, where you could fill /tmp with such images that are cached -Marcus)

b) reproducer for excessive memory / storage usage (the first part is the same as in case a)):

..png?size_x=20000&size_y=20000&uniquestuff
In general the munin developers appear to recommend that access to this be limited to administrators. Can you enlighten us how it is limited, and what the ATK setup of munin is?
bugbot adjusting priority
There is a patch at the end of the debian bug report that checks for image size: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14
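To make the class of check concrete, here is an added example of server-side validation of the size_x / size_y query parameters from the reproducer above. It is illustrative code written for this page, not Munin's own code and not the Debian patch linked above; the limits (MAX_DIM, MAX_PIXELS), the default graph dimensions and the bytes-per-pixel figure are assumptions, since the page does not state the values Munin or Debian chose.

```python
"""Illustrative server-side check for graph size parameters.

Added example for this bug page; not Munin's code and not the Debian patch.
"""
from urllib.parse import parse_qs

# Assumed limits: the values actually chosen by Munin/Debian are not on this page.
MAX_DIM = 2000            # maximum pixels per axis
MAX_PIXELS = 2_000_000    # maximum width * height
BYTES_PER_PIXEL = 4       # rough RGBA estimate, only used for the memory figure
DEFAULT_SIZE = (400, 175)  # assumed default graph size when no size is requested


class BadSize(ValueError):
    """Raised when a client-supplied size must not be honoured."""


def parse_size(query, default=DEFAULT_SIZE):
    """Return (size_x, size_y) from a CGI query string.

    Values are taken from the client only if they are plain positive integers
    within the configured limits; anything else raises BadSize instead of
    letting the request dictate the allocation size of the rendering process.
    """
    params = parse_qs(query, keep_blank_values=True)
    dims = []
    for name, fallback in zip(("size_x", "size_y"), default):
        raw = params.get(name, [""])[0]
        if raw == "":
            dims.append(fallback)
            continue
        if not raw.isdigit():  # rejects '-1', '1e9', '20000abc', '+5'
            raise BadSize(f"{name}: not a non-negative integer: {raw!r}")
        value = int(raw)
        if value == 0 or value > MAX_DIM:
            raise BadSize(f"{name}={value} outside 1..{MAX_DIM}")
        dims.append(value)
    size_x, size_y = dims
    if size_x * size_y > MAX_PIXELS:
        raise BadSize(f"{size_x}x{size_y} exceeds {MAX_PIXELS} pixels")
    return size_x, size_y


def size_is_acceptable(query):
    """Convenience predicate: True if parse_size() would accept the query."""
    try:
        parse_size(query)
    except BadSize:
        return False
    return True


def estimated_bytes(size_x, size_y):
    """Rough buffer size a renderer would need for an image of this size."""
    return size_x * size_y * BYTES_PER_PIXEL


if __name__ == "__main__":
    # Constructed queries modelled on the reproducer in this bug report.
    normal = "size_x=800&size_y=300&uniquestuff"
    hostile = "size_x=20000&size_y=20000&uniquestuff"
    print(normal, "->", parse_size(normal), estimated_bytes(*parse_size(normal)), "bytes")
    print(hostile, "-> acceptable:", size_is_acceptable(hostile),
          "would need about", estimated_bytes(20000, 20000), "bytes")
```

The point of the predicate is that the decision happens before any image buffer is allocated; a request like the 20000x20000 reproducer is refused at the parameter-parsing stage rather than discovered after the process has already grown.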
cc wolfgang, maintainer of munin in server:monitoring
Tentatively fixed in server:monitoring, fwiw; I need to verify once OBS builds packages again.
As this is not accessible by default in Studio, and the admin has to enable it first, I am putting this on the planned update list only. We can merge this bug into a future munin update, if one happens.