This is not the same as CVE-2013-1362, but a new vulnerability instead.
There is no patch available from upstream, so I wrote one, and put it in our nrpe-2.15 when I did the version bump.
I have personally tested that my patch blocks this new vulnerability, and it does successfully block it.
Please test and mark stable.
Target keywords: alpha amd64 hppa ppc ppc64 sparc x86
I tagged it B2 based on the previous bug 459870 that you tagged the same way.
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.
Added to existing GLSA request.
Ping for cleanup.
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
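The CVE text above describes an incomplete blacklist: NRPE rejects shell metacharacters in the request, but the list does not include a newline, so an argument containing one survives the check and, once the $ARGn$ macros are substituted into the configured command and the result is handed to the shell, the shell runs the text after the newline as a second command. The following is an added example, not code from the NRPE project or from the Gentoo patch, that models that flow in Python. The metacharacter list is an assumption modelled on nrpe.c's NASTY_METACHARS, the `check_users` command definition and the requests are constructed, and the hardened variant simply appends `\r\n` to the blacklist.

```python
"""Model of NRPE's request filtering around the newline issue (added example, not nrpe.c).

NRPE receives "command!arg1!arg2..." from check_nrpe, rejects the request if it
contains any blacklisted byte, expands $ARG1$, $ARG2$, ... in the configured
command line, and runs the result through the shell.  Arguments are only honoured
when dont_blame_nrpe is enabled.
"""

# Assumption: modelled on nrpe.c's NASTY_METACHARS.  The vulnerable list has no
# newline in it; the hardened list adds CR and LF.
VULNERABLE_METACHARS = "|`&><'\"\\[]{};"
HARDENED_METACHARS = VULNERABLE_METACHARS + "\r\n"

# Constructed nrpe.conf fragment (command[check_users]=... with $ARGn$ macros).
COMMANDS = {
    "check_users": "/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$",
}


def contains_nasty_metachars(request: str, blacklist: str) -> bool:
    """Blacklist check: reject the request if any blacklisted byte appears in it."""
    return any(ch in blacklist for ch in request)


def expand_macros(template: str, args: list[str]) -> str:
    """Substitute $ARG1$, $ARG2$, ... with the caller-supplied arguments."""
    for i, arg in enumerate(args, 1):
        template = template.replace(f"$ARG{i}$", arg)
    return template


def build_command_line(request: str, blacklist: str, dont_blame_nrpe: bool = True):
    """Return the command line the daemon would hand to the shell, or None if rejected."""
    if contains_nasty_metachars(request, blacklist):
        return None
    name, *args = request.split("!")
    if name not in COMMANDS:
        return None
    if args and not dont_blame_nrpe:
        # Without dont_blame_nrpe the daemon refuses requests carrying arguments.
        return None
    return expand_macros(COMMANDS[name], args)


def shell_commands(cmdline: str) -> list[str]:
    """Split the command line the way `sh -c` separates commands on newlines.

    Every other command separator (';', '&', '|', ...) is already caught by the
    blacklist, so a newline is the only way a second command can appear here.
    """
    return [line for line in cmdline.split("\n") if line.strip()]


def classify(request: str, blacklist: str) -> str:
    """Summarise the outcome for one request against one blacklist."""
    cmdline = build_command_line(request, blacklist)
    if cmdline is None:
        return "rejected"
    return "injected" if len(shell_commands(cmdline)) > 1 else "clean"


if __name__ == "__main__":
    # What check_nrpe -c check_users -a 5 "10\nid" would put on the wire (constructed).
    for req in ["check_users!5!10", "check_users!5!10;id", "check_users!5!10\nid"]:
        print(repr(req), classify(req, VULNERABLE_METACHARS), classify(req, HARDENED_METACHARS))
```

The newline request is the interesting case: the vulnerable list lets it through and the expanded command line splits into `check_users -w 5 -c 10` followed by a bare `id`, while the `;` variant is rejected by both lists and the hardened list rejects the newline as well. The same request is refused outright when `dont_blame_nrpe` is off, which is why the CVE text confines the issue to that setting.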
Maintainer timeout. Cleanup done.
This issue was resolved and addressed in GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml by GLSA coordinator Kristian Fiskerstrand (K_F).