Bug 600864 (CVE-2016-8641) - <net-analyzer/nagios-core-4.2.3-r1: Root privilege escalation (CVE-2016-8641)
Status: RESOLVED FIXED
Alias: CVE-2016-8641
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa cve blocked]
Depends on: CVE-2016-9566
Blocks: CVE-2008-7313, CVE-2016-9565
Reported: 2016-11-26 02:49 UTC by Tomáš Mózes
Modified: 2017-02-21 00:16 UTC

Description Tomáš Mózes 2016-11-26 02:49:20 UTC
4.2.3 - 2016-11-21
-------------------
SECURITY FIXES
* Fixed a root privilege escalation (CVE-2016-8641) (John Frickson)

FIXES
* external command during reload doesn't work (John Frickson)
* Nagios provides no error condition as to why it fails on the verify for serviceescalation (John Frickson)
* No root group in FreeBSD and Apple OS X (John Frickson)
* jsonquery.html doesn't display scheduled_time_ok correctly (John Frickson)
* daemon_dumps_core=1 has no effect on Linux when Nagios started as root (John Frickson)
* Configuration check in hostgroup - misspelled hostname does not error (John Frickson)
* contacts or contact_groups directive with no value should not be allowed (John Frickson)
* Compile 64-bit on SPARC produces LD error (John Frickson)
* HOSTSTATEID returns 0 even if host does not exist (John Frickson)
* Submitting UNREACHABLE passive result for host sets it as DOWN if the host has no parents (John Frickson)
* nagios: job XX (pid=YY): read() returned error 11 (changed from LOG_ERR to LOG_NOTICE) (John Frickson)
* Fix for quick search not showing services if wildcard used (John Frickson)
Comment 1 Michael Orlitzky gentoo-dev 2016-12-04 02:58:21 UTC
The new version's in the tree.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-04 03:48:36 UTC
@ Maintainer(s): Are we really affected? We don't use upstream's runscript. Because https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f880e8b090e0ed41903fe06f4d64f58580b531 didn't touch our runscript, please double check and confirm that we don't make the same mistake:

https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1.patch

If you do not understand the problem from reviewing upstream changes please ping security for help.
Comment 3 Michael Orlitzky gentoo-dev 2016-12-04 15:36:36 UTC
(In reply to Thomas Deutschmann from comment #2)
> please double check and confirm that we don't make the same mistake:

You're right, I should have checked the diff. I'll have to put out an -r1 with a new init script.
Comment 4 Michael Orlitzky gentoo-dev 2016-12-04 16:12:53 UTC
Done. The init script was fiddling with some things that, in my opinion, it shouldn't have. Hopefully no one reports a crazy corner case that I just broke.


commit 6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3
Author: Michael Orlitzky <mjo@gentoo.org>
Date:   Sun Dec 4 10:46:25 2016 -0500

    net-analyzer/nagios-core: new revision and init script to fix CVE-2016-8641.

    The new version 4.2.3 was added to fix CVE-2016-8641 in commit
    c9f880e. However, the root privilege exploit results from the use of
    "chown" in the init script. We don't use upstream's init script, so a
    proper fix requires an update to our init script as well.

    The following changes were made to the init script:

      * We no longer attempt to delete the external command file before
        starting or stopping the daemon. It's not clear why this was done,
        and that file should not exist unless the user intentionally
        creates it.

      * We do not create or change ownership of /var/nagios/nagios.log or
        /var/nagios/status.sav when starting the daemon. The log file path
        is defined in the config file, so the hard-coded path in the init
        script might not have referred to the true location of the log file.

        And when the nagios daemon creates these files on its own, they
        should already have the correct permissions and ownership. By
        removing the "chown", we have actually fixed the root privilege
        exploit in CVE-2016-8641.

      * The two files /var/nagios/status.log and /var/nagios/nagios.tmp are
        not deleted after the daemon has shut down. I can come up with no
        compelling argument to do so.

    Gentoo-Bug: 600864

    Package-Manager: portage-2.3.0
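
An added example, not part of the bug report and not Gentoo's or upstream's code: a static audit that flags the kind of root-run `touch`/`chown`/`rm` on hard-coded state-directory paths that the commit above removed from the init script. The sample init script is constructed from the commit message's description (only the four `/var/nagios` file paths come from this page), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag file operations that a root-run init script performs
# on hard-coded paths inside a daemon's state directory.

# audit_init_script SCRIPT STATE_DIR
# Prints "LINE:COMMAND:PATH" for each chown/chmod/touch/rm argument that is a
# hard-coded path under STATE_DIR; prints nothing for a clean script.
audit_init_script() {
    awk -v dir="${2%/}/" '
        /^[ \t]*#/ { next }                     # skip comment lines
        {
            cmd = ""
            for (i = 1; i <= NF; i++) {
                tok = $i
                gsub(/"/, "", tok)              # strip double quotes
                if (tok ~ /^(chown|chmod|touch|rm)$/) { cmd = tok; continue }
                if (tok == ";" || tok == "&&" || tok == "||" || tok == "|") { cmd = ""; continue }
                if (cmd != "" && index(tok, dir) == 1)
                    printf "%d:%s:%s\n", NR, cmd, tok
            }
        }
    ' "$1"
}

# write_sample_initscript FILE
# Constructed sample modelled on the operations the commit message lists as
# removed. It is not the real Gentoo init script; the daemon path is assumed.
write_sample_initscript() {
    cat > "$1" <<'EOF'
# constructed sample, not the real init script
start() {
    touch /var/nagios/nagios.log /var/nagios/status.sav
    chown nagios:nagios /var/nagios/nagios.log /var/nagios/status.sav
    start-stop-daemon --start --exec /usr/sbin/nagios
}
stop() {
    start-stop-daemon --stop --exec /usr/sbin/nagios
    rm -f /var/nagios/status.log /var/nagios/nagios.tmp
}
EOF
}

# Demo: audit the constructed sample and print the findings.
sample=$(mktemp)
write_sample_initscript "$sample"
audit_init_script "$sample" /var/nagios
rm -f "$sample"
```

Each finding is a place where a root-run script acts on a file that, per the commit message, the daemon should be creating and owning on its own.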
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-04 22:02:16 UTC
Right, on Gentoo exploitation was possible via "/var/nagios/nagios.log" or "/var/nagios/status.sav" file. This is now fixed. Thanks for the rev bump!


@ Arches,

please test and mark stable:

=net-analyzer/nagios-core-4.2.3-r1
=net-analyzer/nagios-4.2.3
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-05 15:49:03 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-06 11:51:36 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-06 11:54:26 UTC
x86 stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:16:41 UTC
This issue was resolved and addressed in GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26 by GLSA coordinator Thomas Deutschmann (whissi).