| Field | Value |
|---|---|
| Summary | net-analyzer/pnp4nagios-0.6.26-r9: Root privilege escalation via insecure permissions (CVE-2017-16834) |
| Product | Gentoo Security |
| Reporter | Christopher Díaz Riveros (RETIRED) <chrisadr> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | mjo, prometheanfire, sysadmin |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/lingej/pnp4nagios/issues/140 |
| Whiteboard | B1 [glsa+ cve] |
| Package list | =net-analyzer/icinga-1.14.2, =net-analyzer/icinga2-2.8.1, =net-analyzer/pnp4nagios-0.6.26-r9 |
| Runtime testing required | --- |
Description
Christopher Díaz Riveros (RETIRED)
2017-11-16 02:25:42 UTC
I think we can proceed with stabilization. @Arches please test and mark stable. Thank you.

An automated check of this bug failed - repoman reported dependency errors (27 lines truncated):

> dependency.bad net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r9.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['net-analyzer/icinga2']
> dependency.bad net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r9.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['net-analyzer/icinga2']
> dependency.bad net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r9.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['net-analyzer/icinga2']

Thanks stable-bot. The dependency error is due to https://gitweb.gentoo.org/repo/gentoo.git/commit/net-analyzer/pnp4nagios?id=8a6c86311831919c79c94f0b4744e05691fe5045 where I fixed the "nagios or icinga" dependency. Now it's possible for the user to wind up in a situation where either-icinga-or-icinga2 is pulled in via USE=icinga. As a result, we need either icinga or icinga2 stable on all arches where pnp4nagios is slated to be stabilized. One solution would be to stabilize icinga2-2.7.1-r1 on ppc and ppc64 as a prerequisite for this. @prometheanfire please let us know what you prefer.

I'd prefer stabilizing icinga2

(In reply to Matthew Thode ( prometheanfire ) from comment #5)
> I'd prefer stabilizing icinga2

Any particular version? Version 2.7.1-r1 only needs ppc/ppc64, unless you want to do all of the arches for v2.8.0.

2.8.0 would be best

icinga2 pulls in icinga-1.x with USE=classicui, so it looks like we have to get both. stablebot, tell me I'm right.

An automated check of this bug succeeded - the previous repoman errors are now resolved.

amd64 stable

x86 stable

An automated check of this bug failed - the following atom is unknown: net-analyzer/icinga-1.14.0. Please verify the atom list.

icinga2 and icinga are both already fully stabilized, they can be removed if you want.

An automated check of this bug succeeded - the previous repoman errors are now resolved.

An automated check of this bug failed - the following atom is unknown: net-analyzer/icinga2-2.8.0. Please verify the atom list.

An automated check of this bug succeeded - the previous repoman errors are now resolved.

ppc stable

ppc64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b7ee5b1a4c5828b756ebbf767091192cfee5cdc

commit 1b7ee5b1a4c5828b756ebbf767091192cfee5cdc
Author: Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2018-06-19 22:08:53 +0000
Commit: Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2018-06-19 22:11:15 +0000

net-analyzer/pnp4nagios: remove "unused" vulnerable versions.

Bug: https://bugs.gentoo.org/637640
Package-Manager: Portage-2.3.40, Repoman-2.3.9

net-analyzer/pnp4nagios/Manifest | 2 -
net-analyzer/pnp4nagios/pnp4nagios-0.6.24.ebuild | 84 ----------------
.../pnp4nagios/pnp4nagios-0.6.25-r1.ebuild | 105 --------------------
.../pnp4nagios/pnp4nagios-0.6.25-r2.ebuild | 108 ---------------------
.../pnp4nagios/pnp4nagios-0.6.25-r3.ebuild | 101 -------------------
net-analyzer/pnp4nagios/pnp4nagios-0.6.25.ebuild | 105 --------------------
6 files changed, 505 deletions(-)

GLSA request filed.

This issue was resolved and addressed in GLSA 201806-09 at https://security.gentoo.org/glsa/201806-09 by GLSA coordinator Aaron Bauman (b-man).