Bug 13842

Summary: nagios-plugins new security issues CVE-2014-470[1-3]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard: MGA4TOO, MGA3TOO
Source RPM: nagios-plugins-1.5-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2014-08-01 19:43:53 CEST
Security issues in nagios-plugins were fixed in version 2.0.2 and 2.0.3:
https://bugzilla.redhat.com/show_bug.cgi?id=1114841
https://bugzilla.redhat.com/show_bug.cgi?id=1098531

It's not entirely clear whether or not 1.x are affected.

Reproducible: 

Steps to Reproduce:

David Walser 2014-08-01 19:44:01 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Guillaume Rousse 2014-08-02 15:26:13 CEST
The issue appears on every version, but is only relevant if the install permissions allow a regular user to exploit it, which is not the case on Mageia:
[guillomovitch@haiku ~]$ ls -l /usr/lib64/nagios/plugins/check_icmp
-r-sr-x--- 1 root nagios 58072 oct.  21  2013 /usr/lib64/nagios/plugins/check_icmp

A user who is part of the nagios group would, but that's quite a corner case. I guess that's also the reason why RHEL didn't provide any security update.
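
The permission check described in Comment 1, as an added example that is not part of the original bug report or of nagios-plugins: it classifies who may execute a setuid-root file from its mode bits and ownership. The function names and exposure labels are assumptions made for this illustration; the default directory is the one shown in the comment.

```python
# Added example (not from the bug report): classify who may execute a
# setuid-root file, using its stat() mode bits and ownership.
import grp
import os
import stat
import sys


def classify(mode, uid):
    """Return the widest class of users able to run the file as its owner."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return "not-setuid"
    if uid != 0:
        return "setuid-non-root"
    if mode & stat.S_IXOTH:
        return "any-user"      # world-executable: every local user
    if mode & stat.S_IXGRP:
        return "group-only"    # e.g. -r-sr-x--- root:nagios
    return "owner-only"


def audit(path):
    """lstat() one file; report its exposure and the owning group's members."""
    st = os.lstat(path)
    exposure = classify(st.st_mode, st.st_uid)
    members = []
    if exposure == "group-only":
        try:
            # gr_mem lists supplementary members only, not users whose
            # primary group is this gid.
            members = list(grp.getgrgid(st.st_gid).gr_mem)
        except KeyError:
            members = []       # gid has no group database entry
    return {"path": path, "mode": stat.filemode(st.st_mode),
            "exposure": exposure, "group_members": members}


def audit_dir(directory):
    """Audit every setuid regular file directly inside `directory`."""
    results = [audit(os.path.join(directory, name))
               for name in sorted(os.listdir(directory))]
    return [r for r in results if r["exposure"] != "not-setuid"]


if __name__ == "__main__":
    # Default is the plugin directory shown in the comment above.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64/nagios/plugins"
    for r in audit_dir(target):
        print(r["mode"], r["exposure"], r["path"], ",".join(r["group_members"]))
```

For the `check_icmp` listing above, the mode `-r-sr-x---` with owner root classifies as `group-only`, so the review reduces to checking who is in the `nagios` group.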

Comment 2 David Walser 2014-08-02 16:34:08 CEST
Works for me.  Thanks Guillaume!

Status: NEW => RESOLVED
Resolution: (none) => INVALID