Bug 632648 (CVE-2017-14955, RCESEC-2017-001) - net-analyzer/check_mk: GUI crash report reveals sensitive user information to remote attackers
Status: RESOLVED FIXED
Alias: CVE-2017-14955, RCESEC-2017-001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Assignee: Gentoo Security
URL: https://mathias-kettner.de/check_mk_w...
Whiteboard: ~4 [noglsa cve]
Keywords: PMASKED
Reported: 2017-10-01 20:01 UTC by Aleksandr Wagner (Kivak)
Modified: 2019-03-13 12:33 UTC
Description Aleksandr Wagner (Kivak) 2017-10-01 20:01:18 UTC
CVE-2017-14955 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955):

Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report. 

References:

http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8
https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes

@Maintainer(s): Please provide a fixed ebuild, thank you.
Comment 1 Jonas Stein gentoo-dev 2018-04-05 22:23:48 UTC
net-analyzer/check_mk is now maintainer-needed.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-26 11:41:37 UTC
I should point out that this ebuild is now half-useless because we needed to force USE=agent-only after removing mod_python.  Let's last-rite it.
Comment 3 Larry the Git Cow gentoo-dev 2018-08-26 11:54:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c413569dc8e1ccbcadc6d3dd94fbeb5fb2d5cb9

commit 0c413569dc8e1ccbcadc6d3dd94fbeb5fb2d5cb9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-26 11:54:20 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-26 11:54:20 +0000

    package.mask: Last rite net-analyzer/check_mk
    
    Bug: https://bugs.gentoo.org/632648

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-26 11:55:38 UTC
(CC-ing maintainer of net-analyzer/check_mk_agent just in case the other package was affected as well)
Comment 5 Ian Stakenvicius (RETIRED) gentoo-dev 2018-08-26 15:11:51 UTC
Thanks!  check_mk_agent isn't affected by this.
Comment 6 Larry the Git Cow gentoo-dev 2018-09-29 10:08:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a69dd861c8eceb208df573afaa97e9312bdf41b7

commit a69dd861c8eceb208df573afaa97e9312bdf41b7
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-09-29 10:06:27 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-09-29 10:08:45 +0000

    net-analyzer/check_mk: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/632648
    Closes: https://bugs.gentoo.org/652634
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-analyzer/check_mk/Manifest                     |   2 -
 net-analyzer/check_mk/check_mk-1.2.4_p5-r1.ebuild  | 323 -------------------
 net-analyzer/check_mk/check_mk-1.2.8_p16.ebuild    | 351 ---------------------
 .../check_mk/files/check_mk-1.2.4p5-setup.sh.patch |  39 ---
 .../files/check_mk-1.2.8p16-setup.sh.patch         |  35 --
 net-analyzer/check_mk/metadata.xml                 |  29 --
 profiles/base/package.use.force                    |   5 -
 profiles/base/package.use.mask                     |   6 -
 profiles/package.mask                              |   7 -
 9 files changed, 797 deletions(-)
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-03-13 11:40:07 UTC
unCC-ing treecleaners
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-03-13 12:33:54 UTC
Closing NoGLSA