Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 508122 (CVE-2014-2913) - <net-analyzer/nrpe-2.15: nagios metacharacter filtering omission again (CVE-2014-2913)
Summary: <net-analyzer/nrpe-2.15: nagios metacharacter filtering omission again (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2014-2913
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.exploit-db.com/exploits/32...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-19 17:03 UTC by Robin Johnson
Modified: 2014-08-31 11:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-04-19 17:03:17 UTC
This is not the same as CVE-2013-1362, but a new vulnerability instead.

There is no patch available from upstream, so I wrote one, and put it in our nrpe-2.15 when I did the version bump.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-04-19 17:06:41 UTC
I have personally tested that my patch blocks this new vulnerability, and it does successfully block it.

arches:
please test and stable.
target keywords: alpha amd64 hppa ppc ppc64 sparc x86

security:
I tagged it B2 based on the previous bug 459870 that you tagged the same way
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-20 09:51:53 UTC
amd64 stable
Comment 3 Jeroen Roovers gentoo-dev 2014-04-21 10:09:03 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-21 10:44:40 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-05-10 14:02:22 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-05-11 08:05:43 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:52 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-05-17 13:51:02 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-20 03:59:13 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

Added to existing GLSA Request
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-08 14:53:58 UTC
Ping for cleanup.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-17 23:05:41 UTC
CVE-2014-2913 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2913):
  ** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote
  Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute
  arbitrary commands via a newline character in the -a option to
  libexec/check_nrpe.  NOTE: this issue is disputed by multiple parties. It
  has been reported that the vendor allows newlines as "expected behavior."
  Also, this issue can only occur when the administrator enables the
  "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk"
  warning within the comments.
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-27 08:23:42 UTC
Maintainer timeout. Cleanup done.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:32:46 UTC
This issue was resolved and addressed in
 GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).