#1397 closed defect (fixed)

Malicious plugin can abort data collection for a node

Reported by: cbiedl
Owned by: nobody
Priority: high
Milestone:
Component: master
Version: 2.0.6
Severity: major
Keywords:


Hi there,

using "multigraph" as a multigraph service name is not accepted by
Munin::Master::Node. The check however dies (in config) or croaks
(in fetch), resulting in the connection being dropped and no data
gathered for that node. That's a bit harsh.

The patch below lowers that situation to two error messages.

Impact is rather small as this affects the data for that node itself.
A malicious plugin still does harm, but if an evil guy is able to
control which plugins are run on a node, no longer collecting munin
data for that one is not one of the bigger concerns.



Attachments (1)

1397.patch (1.4 KB) - added by cbiedl at 2013-10-26T16:59:11+02:00.


Change History (2)

Changed at 2013-10-26T16:59:11+02:00 by cbiedl

comment:1 Changed at 2013-12-02T13:55:35+01:00 by cbiedl

  • Resolution set to fixed
  • Status changed from new to closed

This was assigned CVE-2013-6359 and fixed in 2.0.18
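
The failure mode described in this ticket, as an added Perl sketch (not Munin's code and not the attached patch, which this page does not show): a parser that dies on the reserved service name loses every service for the node, while one that records an error and skips the bad service keeps the rest. The `parse_config` helper, its `$strict` flag and the sample plugin output are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration: NOT Munin::Master::Node and not the attached patch.
use strict;
use warnings;

# Constructed sample of plugin "config" output. The second block uses the
# reserved word "multigraph" as its service name.
my @lines = (
    'multigraph if_eth0',
    'graph_title eth0 traffic',
    'multigraph multigraph',
    'graph_title bogus',
    'multigraph df',
    'graph_title Disk usage',
);

# Hypothetical parser. $strict = 1: die on the bad name (the behaviour the
# ticket reports). $strict = 0: record an error, skip that service, continue.
sub parse_config {
    my ($strict, @in) = @_;
    my (%services, @errors, $current);
    for my $line (@in) {
        if ($line =~ /^multigraph\s+(\S+)$/) {
            my $name = $1;
            if ($name eq 'multigraph') {
                die "illegal service name '$name'\n" if $strict;
                push @errors, "illegal service name '$name', skipping it";
                $current = undef;    # ignore lines until the next valid header
                next;
            }
            $current = $name;
            $services{$current} = [];
            next;
        }
        push @{ $services{$current} }, $line if defined $current;
    }
    return (\%services, \@errors);
}

# Strict: one bad header discards everything already parsed for the node.
my ($svc) = eval { parse_config(1, @lines) };
printf "strict:   %d services kept, error: %s", scalar keys %{ $svc || {} }, $@;

# Tolerant: the bad service is reported and the other services survive.
my ($ok, $errs) = parse_config(0, @lines);
printf "tolerant: %d services kept (%s), %d error(s)\n",
    scalar keys %$ok, join(',', sort keys %$ok), scalar @$errs;
```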
