Bug 602216 (CVE-2016-9566) - <net-analyzer/nagios-core-4.2.4: Root privilege escalation (CVE-2016-9566)
Summary: <net-analyzer/nagios-core-4.2.4: Root privilege escalation (CVE-2016-9566)
Status: RESOLVED FIXED
Alias: CVE-2016-9566
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa cve]
Keywords:
Depends on: 605724
Blocks: CVE-2016-8641
Reported: 2016-12-10 06:00 UTC by Tomáš Mózes
Modified: 2017-10-18 01:18 UTC

See Also:
Package list:
=net-analyzer/nagios-core-4.2.4 =net-analyzer/nagios-4.2.4
Runtime testing required: ---
kensington: sanity-check+


Description Tomáš Mózes 2016-12-10 06:00:00 UTC
4.2.4 - 2016-12-07
------------------
SECURITY FIXES
* Fixed another root privilege escalation (CVE-2016-9566) Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com).
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-10 15:33:37 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1402869#c0:

An unsafe file opening/creation of logging files that can be misused for root privilege escalation was found in base/logging.c.

Upstream patch:

https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4


@ Maintainer(s): Please bump to =net-analyzer/nagios-core-4.2.4 which is already available.
Comment 2 Michael Orlitzky gentoo-dev 2016-12-11 17:11:47 UTC
(In reply to Thomas Deutschmann from comment #1)
> 
> @ Maintainer(s): Please bump to =net-analyzer/nagios-core-4.2.4 which is
> already available.

It's in the tree.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-11 20:45:56 UTC
@ Arches,

please test and mark stable:

=net-analyzer/nagios-core-4.2.4
=net-analyzer/nagios-4.2.4
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-12 15:57:58 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-13 11:07:21 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-13 11:32:33 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-19 14:44:12 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-20 09:53:32 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-22 09:41:47 UTC
ppc64 stable
Comment 10 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-12-23 03:17:43 UTC
https://bugs.gentoo.org/show_bug.cgi?id=603534 and 
https://bugs.gentoo.org/show_bug.cgi?id=603536
have the same issue but are cleaned up and done
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:01:17 UTC
Stable for HPPA.
Comment 12 Michael Orlitzky gentoo-dev 2017-01-14 21:08:14 UTC
Old versions have been cleaned up.
Comment 13 Michael Orlitzky gentoo-dev 2017-01-14 23:32:08 UTC
(In reply to Michael Orlitzky from comment #12)
> Old versions have been cleaned up.

Never mind, the removal of nagios-3.x broke the tree because net-analyzer/pnp4nagios requires it on three arches. I've filed a keyword request for icinga, which can satisfy the same dependency. Once that's done in bug 605724, some version of icinga can be stabilized, and then I can finally get rid of nagios-3.x.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 01:55:35 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:16:52 UTC
This issue was resolved and addressed in
 GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 00:18:36 UTC
Re-opening for cleanup.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-05-27 01:01:05 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 18 Michael Orlitzky gentoo-dev 2017-05-27 11:16:49 UTC
I can't without breaking the tree (bug 605724).
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2017-10-18 01:18:41 UTC
This issue was resolved and addressed in
 GLSA 201710-20 at https://security.gentoo.org/glsa/201710-20
by GLSA coordinator Aaron Bauman (b-man).