| Field | Value |
|---|---|
| Summary | <net-analyzer/icinga-1.14.2: root privilege escalation via insecure permissions |
| Product | Gentoo Security |
| Reporter | Michael Orlitzky <mjo> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/Icinga/icinga-core/issues/1601 |
| Whiteboard | B1 [glsa+ cve] |
| Package list | |
| Runtime testing required | --- |
| Attachments | 505596: proposed patch |
Description
Michael Orlitzky
At least with icinga the src-install installs unstripped by default, but working on it now.

Created attachment 505596 [details, diff]
proposed patch

I don't run icinga anymore (moved entirely to icinga2), not sure who to get to test this at this point, but everything is moved to root:root like nagios.

OK, committed it as a revbump to 1.14.0, but as this isn't the best tested I'll wait a month before asking for stable.

prometheanfire: Here's an issue I see: `fowners icinga:icinga /etc/icinga/eventhandlers` is later overwritten by `fowners -R root:root /etc/icinga/`. If eventhandlers doesn't need icinga:icinga, just kill that first line?

Doesn't seem like a hard issue, but it should be simplified. I'll comment it out for now though.

*** Bug 629282 has been marked as a duplicate of this bug. ***

Most of the permissions/ownership should be fixed in the latest v1.14.2, so that you no longer need to run fperms/fowners a million times.

1.14.2 is stable and the old bad versions are removed.

Cleaned up, removing me from cc.

Clean up done... @security please proceed.

Keywords for net-analyzer/icinga (standard Gentoo Bugzilla keyword table: `+` stable, `~` testing, `o` not keyworded):

| version | alpha | amd64 | arm | arm64 | ia64 | ppc | ppc64 | riscv | x86 | hppa | m68k | s390 | sh | sparc | mips | amd64-fbsd | x86-fbsd | eapi | unused | slot | repo |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.14.2 | o | + | ~ | o | o | + | + | o | + | ~ | o | o | o | o | o | o | o | 6 | o | 0 | gentoo |

Removed on 17th March 2020: https://gitweb.gentoo.org/repo/gentoo.git/commit?id=d4e5a319c2fb1f17a2e26e5f560f15d1bd2f13de

This issue was resolved and addressed in GLSA 202007-31 at https://security.gentoo.org/glsa/202007-31 by GLSA coordinator Sam James (sam_c).
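The thread above fixes the bug at the ebuild level (everything under /etc/icinga ends up root:root, and a specific `fowners` that a later recursive `fowners -R` silently overrides gets dropped). As an added worked check, not code from the bug report, the proposed patch or the icinga ebuild, the POSIX shell script below audits an installed config tree for the same class of defect: entries a root-run daemon reads or executes that a non-root account owns or can write to. The directory layout (an /etc/icinga-style tree with `eventhandlers/` and `objects/`), the file names and the fixture are constructed; on a real system the call would be `audit_tree /etc/icinga 0`. The fixture also reproduces the ordering trap from the thread with `chmod` instead of `fowners`: a specific tightening first, a recursive pass over the same path later, and the later call wins.

```sh
#!/bin/sh
# Added example for this bug thread; it is not code from the bug report, the
# proposed patch or the icinga ebuild. It checks an installed config tree for
# entries that a root-run daemon reads or executes but that a non-root account
# owns or can write to. The directory names and the fixture are constructed.

# audit_tree DIR OWNER
# One finding per line:
#   owner:<path>     entry is not owned by OWNER (uid 0 on a real system)
#   writable:<path>  entry is group- or world-writable (symlinks skipped)
# Prints nothing when the tree is clean.
audit_tree() {
    find "$1" ! -user "$2" -exec printf 'owner:%s\n' {} \;
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) \
        -exec printf 'writable:%s\n' {} \;
}

# audit_count DIR OWNER: number of findings, convenient for scripts and tests.
audit_count() {
    audit_tree "$1" "$2" | wc -l | tr -d ' '
}

# harden_tree DIR: the end state the thread settled on, applied to a live tree
# instead of an ebuild: everything root:root, nothing writable by group or
# world. chown needs root, so it is skipped when not running as root; the
# permission part is what the fixture below exercises.
harden_tree() {
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$1"
    fi
    chmod -R go-w "$1"
}

# make_fixture: throwaway tree with two deliberate problems. A handler script
# that root would execute is group-writable, and the main config file is
# world-writable. The group-writable handler comes from the same ordering trap
# as the two fowners lines in the thread: a specific setting is applied first,
# then a recursive pass over the same path runs later and silently wins.
# (In the thread the later recursive call was the tight one; here it is the
# loose one, so the audit has something to report.) Prints the tree root.
make_fixture() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/icinga/eventhandlers" "$root/icinga/objects"
    : > "$root/icinga/icinga.cfg"
    : > "$root/icinga/eventhandlers/restart-service"
    : > "$root/icinga/objects/hosts.cfg"
    chmod 0750 "$root/icinga/eventhandlers"     # specific tightening, first
    chmod -R g+w "$root/icinga/eventhandlers"   # recursive loosening, later: wins
    chmod 0666 "$root/icinga/icinga.cfg"        # world-writable config
    printf '%s\n' "$root"
}

# demo: build the fixture, audit it, harden it, audit again, clean up.
demo() {
    d=$(make_fixture)
    me=$(id -u)
    echo "before hardening ($(audit_count "$d/icinga" "$me") findings):"
    audit_tree "$d/icinga" "$me"
    harden_tree "$d/icinga"
    echo "after hardening ($(audit_count "$d/icinga" "$me") findings):"
    audit_tree "$d/icinga" "$me"
    rm -rf "$d"
}

demo
```

The owner check is parameterised so the script can be exercised without root: the fixture passes the current uid as the expected owner, which is why only the `writable:` findings show up there. Against a real install the expected owner is 0, and any `owner:` line under /etc/icinga is exactly the condition the bug describes, a path the service account controls that root-run code trusts.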