This is not the same as CVE-2013-1362, but a new vulnerability instead. There is no patch available from upstream, so I wrote one, and put it in our nrpe-2.15 when I did the version bump.
I have personally tested that my patch blocks this new vulnerability, and it does successfully block it. arches: please test and stable. target keywords: alpha amd64 hppa ppc ppc64 sparc x86 security: I tagged it B2 based on the previous bug 459870 that you tagged the same way
amd64 stable
Stable for HPPA.
x86 stable
ppc stable
ppc64 stable
sparc stable
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version. Added to existing GLSA Request
Ping for cleanup.
CVE-2014-2913 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2913): ** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
Maintainer timeout. Cleanup done.
This issue was resolved and addressed in GLSA 201408-18 at http://security.gentoo.org/glsa/glsa-201408-18.xml by GLSA coordinator Kristian Fiskerstrand (K_F).