Bug 10874 - xymon new security issue CVE-2013-4173
Summary: xymon new security issue CVE-2013-4173
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK MGA3-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-07-29 13:47 CEST by David Walser
Modified: 2013-08-11 14:21 CEST (History)

See Also:
Source RPM: xymon-4.2.3-13.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-29 13:47:55 CEST
A CVE was assigned to a security issue fixed in xymon 4.3.12:
http://openwall.com/lists/oss-security/2013/07/27/3

Mageia 2 and Mageia 3 are also affected.

This package is also maintained and needs to be updated.

Reproducible: 

Steps to Reproduce:
Comment 1 Thomas Backlund 2013-08-05 18:49:17 CEST
Cauldron rpm patched: xymon-4.2.3-14.mga4
(I'll leave version upgrade to the maintainer)

Mga3 rpms:
xymon-4.2.3-13.mga3 (also name of srpm)
xymon-client-4.2.3-13.mga3

Mga2 rpms:
xymon-4.2.3-11.mga2 (also name of srpm)
xymon-client-4.2.3-11.mga2


Advisory:
This xymon update addresses the following security issue:

A security vulnerability has been found in version 4.x of the
Xymon Systems & Network Monitor tool.

The error permits a remote attacker to delete files on the server
running the Xymon trend-data daemon "xymond_rrd".
File deletion is done with the privileges of the user that Xymon is
running with, so it is limited to files available to the userid
running the Xymon service. This includes all historical data stored
by the Xymon monitoring system. (CVE-2013-4173)

CC: (none) => bgmilne, tmb
Hardware: i586 => All
Version: Cauldron => 3
Assignee: bgmilne => qa-bugs
Whiteboard: (none) => MGA2TOO

Comment 2 Dave Hodgins 2013-08-06 03:12:06 CEST
Advisory 10874.adv uploaded to svn.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2013-08-11 04:24:51 CEST
I'm not clear on how to reproduce the PoC, so just testing that xymon is working.
After installing xymon on Mageia 2 i586 and x86_64 vb guest, in each ...
htpasswd -c /etc/xymon/hobbitpasswd dave
Edit /etc/xymon/bb-hosts, and add a line like
192.168.10.110 x2v.hodgins.homeip.net

The line added to the i2v guest points to the x2v guest, and vice-versa.

service xymon start
firefox http://localhost/xymon &

Checked the various reports etc.

Testing complete on Mageia 2.

Whiteboard: MGA2TOO => MGA2TOO MGA2-64-OK MGA2-32-OK

Comment 4 Dave Hodgins 2013-08-11 04:46:58 CEST
Mageia 3 is not working. Getting a 404 status code (Object not found)
After running
cp /etc/httpd/conf.d/hobbit-apache.conf /etc/httpd/conf/conf.d/
service httpd restart
I get a 403 status code (Access forbidden).

Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA2-64-OK MGA2-32-OK feedback

Comment 5 David Walser 2013-08-11 05:28:08 CEST
xymon-4.2.3-13.mga3 is building now, converting it for proper apache 2.4 support.
David Walser 2013-08-11 05:28:25 CEST

Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK feedback => MGA2TOO MGA2-64-OK MGA2-32-OK

Comment 6 Dave Hodgins 2013-08-11 06:03:09 CEST
Advisory 10874.adv updated for new srpm. Have to wait for the mirrors to
sync, so I'll likely leave the mga3 testing till tomorrow (later today now),
unless someone else tests it first.
Comment 7 Dave Hodgins 2013-08-11 07:16:34 CEST
Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push 10874.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-08-11 14:21:20 CEST
David, thanks for fixing mga3 and cauldron packages.


update pushed:
http://advisories.mageia.org/MGASA-2013-0243.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

