oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request (minor) -- Two Munin graphing framework flaws

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 16 Apr 2012 15:54:21 +0200
Hello Kurt, Steve, vendors,

  the following three problems has been recently reported against Munin:
  [1] Insecure temp file use in the qmailscan plug-in:

      https://bugzilla.redhat.com/show_bug.cgi?id=812889
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668778

  [2] Possibility to inject escape sequences into Munin's log file:

      https://bugzilla.redhat.com/show_bug.cgi?id=812885
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668666

  [3] Remote users can fill /tmp filesystem:
      Red Hat would not consider this to be a security flaw =>
      no RH BTS entry.

      Original report:
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667

For the first two -- though both of them having minor security impact,
under suitable circumstances they could lead to trust boundary crossing =>
under our opinion they should get a (CVE-2012-*) identifiers.

For the third issue -- we wouldn't consider it to be a security
flaw. Just as something, which on improperly configured machine
could allow to fill in /tmp filesystem (just another way how to
do it, when the particular service isn't properly configured).

Could you allocate CVE ids for the first two issues?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: