Bug 208398 (CVE-2007-5803) - net-analyzer/nagios-core <2.12 XSS issues (CVE-2007-5803)
Alias: CVE-2007-5803
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Reported: 2008-02-01 08:43 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-31 11:06 UTC (History)

CVE-2007-5803.diff (CVE-2007-5803.diff,39.87 KB, patch)
2008-02-01 08:44 UTC, Robert Buchholz (RETIRED)
nagios-core-2.10-r2.ebuild (nagios-core-2.10-r2.ebuild,6.26 KB, text/plain)
2008-02-01 14:01 UTC, Tobias Scherbaum (RETIRED)
nagios-2.9-CVE-2007-5803.diff (nagios-2.9-CVE-2007-5803.diff,40.00 KB, patch)
2008-05-14 16:56 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-01 08:43:14 UTC
The upstream fix for CVE-2007-5624 (bug 196732) is incomplete; there are further possibilities for XSS. This is CVE-2007-5803.

The new issue is not public as Nagios developers did not reply to the report, so please do not act on this yet.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-01 08:44:11 UTC
Created attachment 142361

Patch proposed by Ludwig Nussel.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-01 14:01:57 UTC
Created attachment 142376

Find attached a nagios-core-2.10-r2 ebuild which includes CVE-2007-5803.diff (just an additional epatch). Compiles fine, will do further testing.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:47:48 UTC
Any news about a release date?
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-14 07:34:40 UTC
nagios-2.11 was released on Wednesday; its Changelog mentions

"Fix for a potential cross site scripting vulnerability in the CGIs"

though the proposed patch for this bug ("CVE-2007-5803") hasn't been applied yet ...
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 16:54:35 UTC
This is public via URL.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 16:56:15 UTC
Created attachment 153125

Extracted from nagios-2.9-48.4.src.rpm.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-05-21 02:09:00 UTC
2.12 was released with the fix.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-21 17:45:38 UTC
Added both 2.12 and 3.0.2, the latter one is still p.masked.

Please mark as stable:
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2008-05-21 18:59:16 UTC
Sparc stable.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-21 19:12:31 UTC
x86 stable
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-05-22 07:33:23 UTC
ppc64 stable
Comment 12 Markus Meier gentoo-dev 2008-05-22 18:35:38 UTC
amd64 stable, all arches done.
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-05-23 05:56:26 UTC
Fixed in release snapshot.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-23 07:22:02 UTC
Sorry for the lag :/
Time for GLSA decision... XSS => I vote NO.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-05-31 11:06:12 UTC
NO, closing.