Bug 712908 (CVE-2020-6581, CVE-2020-6582) - <net-analyzer/nrpe-4.0.0: Multiple vulnerabilities (CVE-2020-{6581,6582})
Summary: <net-analyzer/nrpe-4.0.0: Multiple vulnerabilities (CVE-2020-{6581,6582})
Status: RESOLVED FIXED
Alias: CVE-2020-6581, CVE-2020-6582
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-16 19:06 UTC by Sam James
Modified: 2020-05-04 01:25 UTC
CC: 3 users

See Also:
Package list:
net-analyzer/nrpe-4.0.0
Runtime testing required: ---


Description Sam James gentoo-dev Security 2020-03-16 19:06:35 UTC
1) CVE-2020-6581

Description:
"Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection."


URL: https://herolab.usd.de/security-advisories/usd-2020-0002/
NOTE: "NRPE has to be compiled with command line parameter support. Additionally, dont_blame_nrpe option inside the NRPE configuration file has to be enabled."

Patch: https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197

2) CVE-2020-6582

Description:
"Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call."

URL: https://herolab.usd.de/security-advisories/usd-2020-0001/

Patch: not worth determining a single patch; a variety of fixes have been applied since.

(In my opinion, not worth trying to apply manually. The upstream hasn't split the commits into atomic changes and there are subsequent fixes for other bugs intermingled across several commits.)

----

All fixes seem to be in 4.0.2. The fixes for these particular CVEs may be in 3.3.0 but subsequent improvements have been made to the same areas of code up to 4.0.2, so it is IMO safer to just go for that.
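Added illustration of the CVE-2020-6581 filtering issue described above (example code, not NRPE's code or the upstream patch): a metacharacter list read from a config file only bans a newline if backslash escapes are expanded; taken byte for byte, "\n" bans the backslash and the letter n instead. The config value and helper names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample config value as it would appear in a config file:
   the administrator wrote "\n" intending to ban newlines. */
static const char *kRawMetachars = "|`&><'\\\"\\n";

/* Hypothetical helper: expand backslash escapes (\n \r \t \\) in a
   metacharacter list read from a config file. An unknown escape keeps
   the backslash literally. Returns the number of bytes written. */
size_t expand_escapes(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < outsz; i++) {
        char c = in[i];
        if (c == '\\' && in[i + 1] != '\0') {
            switch (in[i + 1]) {
            case 'n':  c = '\n'; i++; break;
            case 'r':  c = '\r'; i++; break;
            case 't':  c = '\t'; i++; break;
            case '\\': c = '\\'; i++; break;
            default: break;
            }
        }
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

/* Hypothetical check: is the argument rejected by the metachar list?
   With expand == false the list is used byte for byte, so "\n" bans the
   backslash and the letter 'n' but lets a real newline through. */
bool argument_rejected(const char *arg, const char *raw_list, bool expand)
{
    char expanded[256];
    const char *list = raw_list;
    if (expand) {
        expand_escapes(raw_list, expanded, sizeof expanded);
        list = expanded;
    }
    return strpbrk(arg, list) != NULL;
}
```

The unexpanded list also wrongly rejects harmless arguments that merely contain the letter n, so a misparsed list fails in both directions.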
Comment 1 Michael Orlitzky gentoo-dev 2020-03-16 19:19:12 UTC
v4.0.0 is the latest release on github, but those two advisories say that 4.0 should have the fix. Feel free to stabilize it. (I don't actually use NRPE, but I'm the only one who works on it in Gentoo.)
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-16 23:55:25 UTC
Let's hold stabilization. Sam pointed out that 4.0.2 has additional fixes. So we should bump first and go with 4.0.2 instead.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-17 00:01:48 UTC
Forget previous comment, 4.0.1+ is not available on GitHub.
Comment 4 Tomáš Mózes 2020-03-17 08:57:39 UTC
Using 4.0.0 in production, works fine.
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-17 16:01:55 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-18 09:51:27 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-18 11:06:22 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-18 11:12:51 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-18 11:14:43 UTC
ppc64 stable
Comment 10 Sam James gentoo-dev Security 2020-03-18 22:20:33 UTC
(In reply to Michael Orlitzky from comment #1)
> v4.0.0 is the latest release on github, but those two advisories say that
> 4.0 should have the fix. Feel free to stabilize it. (I don't actually use
> NRPE, but I'm the only one who works on it in Gentoo.)

Bit late now but the maintainer after a poke has released 4.0.2, so may be useful for somebody to bump it in the future.
Comment 11 Rolf Eike Beer 2020-03-20 08:35:57 UTC
Dropped to ~hppa, feel free to get rid of old versions.
Comment 12 Larry the Git Cow gentoo-dev 2020-03-25 12:34:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6605f564beba67c715410948f4b770077153aaa7

commit 6605f564beba67c715410948f4b770077153aaa7
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-03-25 12:32:36 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-03-25 12:32:36 +0000

    net-analyzer/nrpe: drop vulnerable 3.x versions.
    
    Bug: https://bugs.gentoo.org/712908
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 net-analyzer/nrpe/Manifest             |  1 -
 net-analyzer/nrpe/nrpe-3.2.1-r1.ebuild | 89 --------------------------------
 net-analyzer/nrpe/nrpe-3.2.1-r3.ebuild | 93 ----------------------------------
 3 files changed, 183 deletions(-)
Comment 13 Sam James gentoo-dev Security 2020-04-02 08:58:45 UTC
Tree is clean.
Comment 14 NATTkA bot gentoo-dev 2020-04-06 11:21:19 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.