Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 397603 - <net-analyzer/nrpe-2.13-r2: always enables command arguments (security risk if dont_blame_nrpe=1 in config)
Summary: <net-analyzer/nrpe-2.13-r2: always enables command arguments (security risk i...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-04 08:29 UTC by Marcel Pennewiß
Modified: 2014-08-31 11:32 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
configure-patch (command-args-configure.patch,454 bytes, text/plain)
2012-01-04 08:33 UTC, Marcel Pennewiß
no flags Details
configure.in-patch (command-args-configure.in.patch,689 bytes, patch)
2012-01-04 08:51 UTC, Marcel Pennewiß
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcel Pennewiß 2012-01-04 08:29:19 UTC
nagios-nrpe has a useflag "command-args" with is disabled by default. But configure seems not to respect --disable-command-args.

Reproducible: Always

Steps to Reproduce:
1. USE="-command-args" emerge nagios-nrpe
Actual Results:  
dev marcel # /usr/bin/nrpe
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
**      Read the NRPE SECURITY file for more information     **
***************************************************************


Expected Results:  
dev marcel # /usr/bin/nrpe
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
**      Read the NRPE SECURITY file for more information     **
***************************************************************
Comment 1 Marcel Pennewiß 2012-01-04 08:33:13 UTC
Created attachment 297887 [details]
configure-patch

Fix for configure
Comment 2 Marcel Pennewiß 2012-01-04 08:34:41 UTC
(In reply to comment #0)
> Expected Results:  
> ...
> ***************************************************************
> ** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
> **      Read the NRPE SECURITY file for more information     **
> ***************************************************************

Expected Results should certainly be...

dev marcel # /usr/bin/nrpe
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

without Command Arguments-Information
Comment 3 Marcel Pennewiß 2012-01-04 08:51:13 UTC
Created attachment 297893 [details, diff]
configure.in-patch

A possible configure.in-patch (i'm not very familar with build systems ;)) to use autoconf afterwards. Works for me...
Comment 4 Richard Lynch 2012-03-29 16:19:32 UTC
If UNCONFIRMED refers to the bug, I can confirm I did not change that setting, and an emerge of 3.2.3 (#nagios says is last stable) yielded:

nrpe --version
nrpe: unrecognized option '--version'

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

If the patch is UNCONFIRMED, sorry, I haven't the skill to test that, and this comment is just noise.
Comment 5 Richard Lynch 2012-03-29 16:37:18 UTC
Weird!

I have dont_blame_nrpe=0 in the config file.

Apparently the binary alarms even if it's not set to 1 in the config file...

This might be better handled by the Nagios team to alarm only if both conditions (compile flag PLUS config change) have happened.

Obviously you don't want to assume either way in the compilation for a distro...

Or, at least, I wouldn't.

I apologize that so many people will receive two emails from me in rapid succession...
Comment 6 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2012-06-10 18:26:16 UTC
Fixed in 2.13-r1.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 23:06:13 UTC
Christian, netmon, can we stabilize 2.13-r1?
Comment 8 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2012-06-11 19:09:25 UTC
(In reply to comment #7)
> Christian, netmon, can we stabilize 2.13-r1?

We're using 2.13 since a few days now on about 50 servers so I'd tend to say yes.
Comment 9 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2012-06-11 20:17:07 UTC
I just bumped to -r2 because of a typo.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-06-12 12:58:11 UTC
Ok, thanks, let's go.

Arches, please test and mark stable:
=net-analyzer/nagios-nrpe-2.13-r2
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 11 Agostino Sarubbo gentoo-dev 2012-06-12 13:31:30 UTC
amd64 stable
Comment 12 Jeroen Roovers gentoo-dev 2012-06-13 14:59:14 UTC
Stable for HPPA.
Comment 13 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-06-14 06:01:25 UTC
x86 stable
Comment 14 Michael Weber (RETIRED) gentoo-dev 2012-06-14 14:12:40 UTC
ppc stable
Comment 15 Marcin Mirosław 2012-07-06 11:13:04 UTC
Is it continuation of bug #289722?:)
Comment 16 Marcel Pennewiß 2012-07-06 12:55:55 UTC
(In reply to comment #15)
> Is it continuation of bug #289722?:)

Seems so ;) But now with really conditional command-args-feature...
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2012-07-15 17:01:08 UTC
alpha/sparc stable
Comment 18 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-18 10:19:56 UTC
ppc64 stable, last arch done
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2012-09-21 17:08:38 UTC
Thanks, folks. This feels like a B2 issue to me, user-assisted code execution. GLSA request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-08-30 01:29:53 UTC
This issue was resolved and addressed in
 GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:32:31 UTC
This issue was resolved and addressed in
 GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).