
Bug 637640 (CVE-2017-16834)

Summary: <net-analyzer/pnp4nagios-0.6.26-r9: Root privilege escalation via insecure permissions (CVE-2017-16834)
Product: Gentoo Security
Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mjo, prometheanfire, sysadmin
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/lingej/pnp4nagios/issues/140
Whiteboard: B1 [glsa+ cve]
Package list: =net-analyzer/icinga-1.14.2 =net-analyzer/icinga2-2.8.1 =net-analyzer/pnp4nagios-0.6.26-r9
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-16 02:25:42 UTC
@maintainers please call for stabilization when ready.

Thank you
Comment 1 Michael Orlitzky gentoo-dev 2017-11-21 12:52:21 UTC
I think we can proceed with stabilization.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-21 16:53:36 UTC
@Arches please test and mark stable.

Thank you
Comment 3 Stabilization helper bot gentoo-dev 2017-11-21 17:01:11 UTC
An automated check of this bug failed - repoman reported dependency errors (27 lines truncated):

> dependency.bad net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r9.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['net-analyzer/icinga2']
> dependency.bad net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r9.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['net-analyzer/icinga2']
> dependency.bad net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r9.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['net-analyzer/icinga2']
Comment 4 Michael Orlitzky gentoo-dev 2017-11-21 22:34:13 UTC
Thanks stable-bot. The dependency error is due to

https://gitweb.gentoo.org/repo/gentoo.git/commit/net-analyzer/pnp4nagios?id=8a6c86311831919c79c94f0b4744e05691fe5045

where I fixed the "nagios or icinga" dependency. Now it's possible for the user to wind up in a situation where either-icinga-or-icinga2 is pulled in via USE=icinga. As a result, we need either icinga or icinga2 stable on all arches where pnp4nagios is slated to be stabilized.

One solution would be to stabilize icinga2-2.7.1-r1 on ppc and ppc64 as a prerequisite for this.

@prometheanfire please let us know what you prefer.
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-11-21 22:45:16 UTC
I'd prefer stabilizing icinga2
Comment 6 Michael Orlitzky gentoo-dev 2017-11-21 22:49:41 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #5)
> I'd prefer stabilizing icinga2

Any particular version? Version 2.7.1-r1 only needs ppc/ppc64, unless you want to do all of the arches for v2.8.0.
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-11-21 22:59:11 UTC
2.8.0 would be best
Comment 8 Michael Orlitzky gentoo-dev 2017-11-22 23:28:43 UTC
icinga2 pulls in icinga-1.x with USE=classicui, so it looks like we have to get both

stablebot, tell me I'm right
Comment 9 Stabilization helper bot gentoo-dev 2017-11-23 00:01:30 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 10 Agostino Sarubbo gentoo-dev 2017-11-29 13:38:36 UTC
amd64 stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 18:54:14 UTC
x86 stable
Comment 12 Stabilization helper bot gentoo-dev 2018-01-01 00:00:35 UTC
An automated check of this bug failed - the following atom is unknown:

net-analyzer/icinga-1.14.0

Please verify the atom list.
Comment 13 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-01 00:44:28 UTC
icinga2 and icinga are both already fully stabilized, they can be removed if you want.
Comment 14 Stabilization helper bot gentoo-dev 2018-01-01 01:01:01 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 15 Stabilization helper bot gentoo-dev 2018-02-20 09:00:38 UTC
An automated check of this bug failed - the following atom is unknown:

net-analyzer/icinga2-2.8.0

Please verify the atom list.
Comment 16 Stabilization helper bot gentoo-dev 2018-02-20 15:01:09 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-19 22:39:24 UTC
ppc stable
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-19 23:24:30 UTC
ppc64 stable
Comment 19 Larry the Git Cow gentoo-dev 2018-06-19 22:24:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b7ee5b1a4c5828b756ebbf767091192cfee5cdc

commit 1b7ee5b1a4c5828b756ebbf767091192cfee5cdc
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2018-06-19 22:08:53 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2018-06-19 22:11:15 +0000

    net-analyzer/pnp4nagios: remove "unused" vulnerable versions.
    
    Bug: https://bugs.gentoo.org/637640
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 net-analyzer/pnp4nagios/Manifest                   |   2 -
 net-analyzer/pnp4nagios/pnp4nagios-0.6.24.ebuild   |  84 ----------------
 .../pnp4nagios/pnp4nagios-0.6.25-r1.ebuild         | 105 --------------------
 .../pnp4nagios/pnp4nagios-0.6.25-r2.ebuild         | 108 ---------------------
 .../pnp4nagios/pnp4nagios-0.6.25-r3.ebuild         | 101 -------------------
 net-analyzer/pnp4nagios/pnp4nagios-0.6.25.ebuild   | 105 --------------------
 6 files changed, 505 deletions(-)
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-06-19 23:52:43 UTC
GLSA request filed.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2018-06-24 03:12:07 UTC
This issue was resolved and addressed in
 GLSA 201806-09 at https://security.gentoo.org/glsa/201806-09
by GLSA coordinator Aaron Bauman (b-man).