Bug 10779 - nagstamon new security issue CVE-2013-4114
: nagstamon new security issue CVE-2013-4114
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/559053/
: mga3-64-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-07-16 19:38 CEST by David Walser
Modified: 2013-08-30 19:20 CEST (History)
5 users (show)

See Also:
Source RPM: nagstamon-0.9.9-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-16 19:38:22 CEST
Fedora has issued an advisory on July 7:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111698.html

Mageia 3 is also affected.  The issue is fixed in 0.9.10.

Reproducible: 

Steps to Reproduce:
Comment 1 Guillaume Rousse 2013-07-17 09:50:30 CEST
Fixed in cauldron.
Comment 2 David Walser 2013-07-17 13:49:23 CEST
nagstamon-0.9.10-1.mga4.
Comment 3 Guillaume Rousse 2013-07-17 21:20:49 CEST
A fixed 0.9.9-1.1.mga3 release is available in updates_testing.
Comment 4 David Walser 2013-07-17 21:35:18 CEST
Thanks Guillaume!

Advisory:
========================

Updated nagstamon package fixes security vulnerability:

A user details information exposure flaw was found in the way Nagstamon
performed automated requests to get information about available updates.
Remote attackers could use this flaw to obtain user credentials for servers
monitored by the desktop status monitor due to their improper (base64
encoding-based) encoding in the HTTP request, when the HTTP Basic
authentication scheme was used (CVE-2013-4114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4114
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111698.html
========================

Updated packages in core/updates_testing:
========================
nagstamon-0.9.9-1.1.mga3

from nagstamon-0.9.9-1.1.mga3.src.rpm
Comment 5 Dave Hodgins 2013-07-19 02:57:15 CEST
Missing requires?

$ nagstamon 

No module named egg.trayicon

Could not load egg.trayicon, so you cannot put nagstamon statusbar into systray.

Traceback (most recent call last):
  File "/usr/bin/nagstamon", line 88, in <module>
    output = GUI.GUI(conf=conf, servers=servers, Resources=Resources, debug_queue=debug_queue, GUILock=GUILock)
  File "/usr/lib/python2.7/site-packages/Nagstamon/GUI.py", line 115, in __init__
    self._CreateOutputVisuals()
  File "/usr/lib/python2.7/site-packages/Nagstamon/GUI.py", line 192, in _CreateOutputVisuals
    gtk.window_set_default_icon_from_file(self.Resources + os.sep + "nagstamon" + self.BitmapSuffix)
glib.GError: Failed to open file '/home/dave/resources/nagstamon.svg': No such file or directory

This happens with both the release and updates testing versions.
Comment 6 Dave Hodgins 2013-07-19 03:02:02 CEST
After installing gnome-python-extras, it still fails with the failure to
open /home/dave/resources/nagstamon.svg.
Comment 7 David Walser 2013-07-20 23:22:38 CEST
Dependency on pygtk2.0 added.

Advisory:
========================

Updated nagstamon package fixes security vulnerability:

A user details information exposure flaw was found in the way Nagstamon
performed automated requests to get information about available updates.
Remote attackers could use this flaw to obtain user credentials for servers
monitored by the desktop status monitor due to their improper (base64
encoding-based) encoding in the HTTP request, when the HTTP Basic
authentication scheme was used (CVE-2013-4114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4114
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111698.html
========================

Updated packages in core/updates_testing:
========================
nagstamon-0.9.9-1.2.mga3

from nagstamon-0.9.9-1.2.mga3.src.rpm
Comment 8 Dave Hodgins 2013-07-21 00:32:48 CEST
There's a path search issue. In order to get it to start, I had to run
ln -s /usr/lib/python2.7/site-packages/Nagstamon/resources $HOME/

As this is not a regression, I'll open a separate bug report for that
later.

Advisory 10779.adv updated in svn.

I'll be testing i586 shortly.
Comment 9 Dave Hodgins 2013-07-21 01:25:22 CEST
$ nagstamon 
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/Nagstamon/GUI.py", line 3530, in OK
    self.conf.SaveConfig(output=self.output)   
AttributeError: AuthenticationDialog instance has no attribute 'output'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/Nagstamon/GUI.py", line 3530, in OK
    self.conf.SaveConfig(output=self.output)   
AttributeError: AuthenticationDialog instance has no attribute 'output'

After selecting no, the the offer to download the latest version, that dialog
closes, and the program continues running, but no icon shows in the system
tray.

While this is also not a regression, I don't see much point in pushing an
update that doesn't work.
Comment 10 claire robinson 2013-07-26 19:41:02 CEST
Assigning back to you David until this is ready, sorry. Thankyou.
Comment 11 Guillaume Rousse 2013-08-23 15:09:08 CEST
I can't reproduce the error you have, all I have is the warning about the lack of systray support, otherwise it works as expected. Warning, the application windows is automatically minimised in the upper left part of your screen...
Comment 12 David Walser 2013-08-25 03:16:44 CEST
Given Comment 11, and the fact that this is a high severity security issue, I'm assigning this back to QA.  We should probably push this and leave the other issues for further investigation later.
Comment 13 William Kenney 2013-08-26 17:11:05 CEST
in VirtualBox

default install nagstamon-0.9.9-1.mga3.noarch from core release
[root@localhost wilcal]# urpmi nagstamon
Package nagstamon-0.9.9-1.mga3.noarch is already installed

I've duplicated falure mode mentioned in Comment 5

install nagstamon-0.9.9-1.2.mga3.noarch from core updates_testing
[root@localhost wilcal]# urpmi nagstamon
Package nagstamon-0.9.9-1.2.mga3.noarch is already installed

I'm getting the same falure mode mentioned by David in Comment 9

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 14 claire robinson 2013-08-27 09:57:12 CEST
Testing mga3 64.

I don't see any errors here apart from the usual ~/.fonts.conf being deprecated.

I didn't configure nagios to connect to but clicking the links in the monitor opens the browser at a nagios URL on the host configured.

It doesn't sit in the systray but on the screen as Guillaume mentioned.

Testing complete for me. I'll try i586 too.
Comment 15 claire robinson 2013-08-27 10:42:39 CEST
It does fail i586, which is strange for a noarch. It is a fresher system though. It was installed mga3 rather than upgraded from mga2, if that makes any difference.

I'm guessing an environment variable or missing require.
Comment 16 claire robinson 2013-08-27 12:03:30 CEST
As it's working under the right conditions, whatever they are, it makes sense to push it as per comment 12. It was failing the same as comment 8 for me on i586 where it failed for Dave x86_64.

Bug 11086 created for the 'missing' svg.

Dave could you please create a bug for your error in comment 9 if you haven't already.


Validating.

Could sysadmin please push from 3 core/updates_testing to updates.

Thanks!
Comment 17 Thomas Backlund 2013-08-30 19:20:11 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0262.html

Note You need to log in before you can comment on or make changes to this bug.