Hi. process_perfdata.cfg shouldn't be world-readable. Event though not used per default, it contains the "KEY" option which may be used (in alternative to "KEY_FILE") to hold the Gearman shared secret,
CVE-2012-3457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3457): PNP4Nagios 0.6 through 0.6.16 uses world-readable permissions for process_perfdata.cfg, which allows local users to obtain the Gearman shared secret by reading the file.
Feel free to stabilize pnp4nagios-0.6.18.
(In reply to comment #2) > Feel free to stabilize pnp4nagios-0.6.18. Hi, do we know if 0.6.18 is fixed? I cannot see anything relevant in the ChangeLog or repo.
Hm, sorry.. Somehow I thought I've read that it has been fixed in .19 but apparently it hasn't. I fixed it by hand though, in 0.6.19-r1.
Great, thank you. Arches, please test and mark stable: =net-analyzer/pnp4nagios-0.6.19-r1 Target keywords : "amd64 ppc ppc64 x86"
amd64 stable
x86 done
ppc64 stable
ppc stable
Thanks, everyone. Closing noglsa for C4 issue.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=184ae2c637ba60cd8f65d33c9098a2f4a079b4dc commit 184ae2c637ba60cd8f65d33c9098a2f4a079b4dc Author: Michael Orlitzky <mjo@gentoo.org> AuthorDate: 2017-11-02 17:08:14 +0000 Commit: Michael Orlitzky <mjo@gentoo.org> CommitDate: 2017-11-04 23:37:20 +0000 net-analyzer/pnp4nagios: new revision with a better fix for CVE-2012-3457. In CVE-2012-3457, it was reported that one particular file should not be world-readable. To fix that, our ebuild made all of /etc/pnp unreadable; that made other permissions issues difficult to work around. This r2 sets o-rwx only on /etc/pnp/process_perfdata.cfg. Bug: https://bugs.gentoo.org/430358 Package-Manager: Portage-2.3.8, Repoman-2.3.3 ...0.6.26-r1.ebuild => pnp4nagios-0.6.26-r2.ebuild} | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-)}