Message info
 
To: Debian Bug Tracking System
From: Helmut Grohne
Subject: Bug#668536: munin: predictable tmpfile location /tmp/munin-cgi-tmp
Date: Thu, 12 Apr 2012 17:16:16 +0200
 

Package: munin
Version: 2.0~rc4-1
Severity: important
Tags: security

/usr/lib/cgi-bin/munin-cgi-graph uses predictable filenames in /tmp
which might allow privilege escalation to www-data or denial of serving
graphs. The filenames always start with /tmp/munin-cgi-graph/.

At the moment this issue affects only unstable.

A quick workaround for this issue is to change the location to
/var/cache/munin/graph or something similar. Note that this directory
would need to be created with write permission to the user running cgi
scripts (presumably www-data) by postinst.

Helmut
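
The directory check implied by the workaround above, as an added example that is not part of the original report or of Munin's packaging. The function names `check_cache_dir` and `prepare_cache_dir` are hypothetical, GNU `stat -c` is assumed, and the directory is kept writable only by the CGI user.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (as on Debian).

# check_cache_dir DIR UID: succeed only if DIR is a real directory owned by
# UID and not writable by group or other.
check_cache_dir() {
    dir=$1
    want_uid=$2
    # A symlink planted under a predictable name redirects every later write.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid $uid, expected $want_uid: $dir" >&2
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/other writable (mode $mode): $dir" >&2
        return 1
    fi
    return 0
}

# prepare_cache_dir DIR UID: create DIR privately if absent, then verify it.
prepare_cache_dir() {
    # mkdir without -p fails if anything, even a dangling symlink, already
    # holds the name, so a pre-created entry is never silently adopted.
    mkdir -m 0700 "$1" 2>/dev/null || true
    check_cache_dir "$1" "$2"
}

# Usage (constructed): prepare_cache_dir /var/cache/munin/graph "$(id -u www-data)"
```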


