Summary: | <net-analyzer/nrpe-2.13-r2: always enables command arguments (security risk if dont_blame_nrpe=1 in config) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Marcel Pennewiß <gentoo> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | normal | CC: | bug, dertobi123, idl0r, sysadmin | ||||||
Priority: | Normal | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | B2 [glsa] | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Attachments: |
|
Description
Marcel Pennewiß
2012-01-04 08:29:19 UTC
Created attachment 297887 [details]
configure-patch
Fix for configure
(In reply to comment #0) > Expected Results: > ... > *************************************************************** > ** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! ** > ** Read the NRPE SECURITY file for more information ** > *************************************************************** Expected Results should certainly be... dev marcel # /usr/bin/nrpe NRPE - Nagios Remote Plugin Executor Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org) Version: 2.12 Last Modified: 03-10-2008 License: GPL v2 with exemptions (-l for more info) SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required TCP Wrappers Available without Command Arguments-Information Created attachment 297893 [details, diff]
configure.in-patch
A possible configure.in-patch (i'm not very familar with build systems ;)) to use autoconf afterwards. Works for me...
If UNCONFIRMED refers to the bug, I can confirm I did not change that setting, and an emerge of 3.2.3 (#nagios says is last stable) yielded: nrpe --version nrpe: unrecognized option '--version' NRPE - Nagios Remote Plugin Executor Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org) Version: 2.12 Last Modified: 03-10-2008 License: GPL v2 with exemptions (-l for more info) SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required TCP Wrappers Available *************************************************************** ** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! ** ** Read the NRPE SECURITY file for more information ** *************************************************************** If the patch is UNCONFIRMED, sorry, I haven't the skill to test that, and this comment is just noise. Weird! I have dont_blame_nrpe=0 in the config file. Apparently the binary alarms even if it's not set to 1 in the config file... This might be better handled by the Nagios team to alarm only if both conditions (compile flag PLUS config change) have happened. Obviously you don't want to assume either way in the compilation for a distro... Or, at least, I wouldn't. I apologize that so many people will receive two emails from me in rapid succession... Fixed in 2.13-r1. Christian, netmon, can we stabilize 2.13-r1? (In reply to comment #7) > Christian, netmon, can we stabilize 2.13-r1? We're using 2.13 since a few days now on about 50 servers so I'd tend to say yes. I just bumped to -r2 because of a typo. Ok, thanks, let's go. Arches, please test and mark stable: =net-analyzer/nagios-nrpe-2.13-r2 Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86" amd64 stable Stable for HPPA. x86 stable ppc stable Is it continuation of bug #289722?:) (In reply to comment #15) > Is it continuation of bug #289722?:) Seems so ;) But now with really conditional command-args-feature... alpha/sparc stable ppc64 stable, last arch done Thanks, folks. This feels like a B2 issue to me, user-assisted code execution. GLSA request filed. This issue was resolved and addressed in GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml by GLSA coordinator Kristian Fiskerstrand (K_F). This issue was resolved and addressed in GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |