Bug 534676 - <net-analyzer/nagios-plugins-2.0.3-r2: Multiple information disclosure vulnerabilities (CVE-2014-{4701,4702,4703})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-04 17:56 UTC by GLSAMaker/CVETool Bot
Modified: 2015-08-04 16:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 17:56:49 UTC
CVE-2014-4703 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4703):
  lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain
  sensitive information via a symlink attack on the configuration file in the
  extra-opts flag.  NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2014-4701.

CVE-2014-4702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4702):
  The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to
  obtain sensitive information from INI configuration files via the extra-opts
  flag, a different vulnerability than CVE-2014-4701.

CVE-2014-4701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4701):
  The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to
  obtain sensitive information from INI configuration files via the extra-opts
  flag, a different vulnerability than CVE-2014-4702.


Maintainer(s), should we stabilize 2.0.3 or 2.0.3-r1?
Comment 1 Michael Orlitzky gentoo-dev 2015-06-23 00:19:38 UTC
Huh, I missed this. I just committed an -r2 with some small fixes. Please stabilize that.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-06-23 02:22:28 UTC
Arches, please test and mark stable:

=net-analyzer/nagios-plugins-2.0.3-r2

Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Thank you!
Comment 3 Agostino Sarubbo gentoo-dev 2015-06-23 15:19:21 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-06-24 07:53:22 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-26 08:05:25 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-02 05:09:50 UTC
Stable for HPPA PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-03 08:33:33 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-23 09:36:25 UTC
sparc stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 9 Michael Orlitzky gentoo-dev 2015-07-25 04:28:55 UTC
The older versions have been removed:

  25 Jul 2015; Michael Orlitzky <mjo@gentoo.org>
  -nagios-plugins-1.4.16-r2.ebuild, -nagios-plugins-1.4.16-r3.ebuild,
  -nagios-plugins-2.0.3.ebuild, metadata.xml:
  Remove old versions for bug #534676.

One of the 1.4.x versions was stable on arm64, so I've CCed them just in case that was important to someone.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-08-04 16:49:53 UTC
Arches and Maintainer(s), thank you for your work.

GLSA Vote: No
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-08-04 16:54:37 UTC
GLSA Vote: No