Summary: | <net-analyzer/nrpe-2.15: nagios metacharacter filtering omission again (CVE-2014-2913) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robin Johnson <robbat2> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bug, sysadmin |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.exploit-db.com/exploits/32925/ | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Robin Johnson
2014-04-19 17:03:17 UTC
I have personally tested that my patch blocks this new vulnerability, and it does successfully block it. arches: please test and stable. target keywords: alpha amd64 hppa ppc ppc64 sparc x86 security: I tagged it B2 based on the previous bug 459870 that you tagged the same way amd64 stable Stable for HPPA. x86 stable ppc stable ppc64 stable sparc stable alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version. Added to existing GLSA Request Ping for cleanup. CVE-2014-2913 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2913): ** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments. Maintainer timeout. Cleanup done. This issue was resolved and addressed in GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |