Bug 13842 - nagios-plugins new security issues CVE-2014-470[1-3]
Summary: nagios-plugins new security issues CVE-2014-470[1-3]
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
URL:
Whiteboard: MGA4TOO, MGA3TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-01 19:43 CEST by David Walser
Modified: 2014-08-02 16:34 CEST

See Also:
Source RPM: nagios-plugins-1.5-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2014-08-01 19:43:53 CEST
Security issues in nagios-plugins were fixed in versions 2.0.2 and 2.0.3:
https://bugzilla.redhat.com/show_bug.cgi?id=1114841
https://bugzilla.redhat.com/show_bug.cgi?id=1098531

It's not entirely clear whether or not 1.x are affected.

David Walser 2014-08-01 19:44:01 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Guillaume Rousse 2014-08-02 15:26:13 CEST
The issue appears on every version, but is only relevant if the install permissions allow a regular user to exploit it, which is not the case on Mageia:
[guillomovitch@haiku ~]$ ls -l /usr/lib64/nagios/plugins/check_icmp
-r-sr-x--- 1 root nagios 58072 oct.  21  2013 /usr/lib64/nagios/plugins/check_icmp

A user who is part of the nagios group would, but that's quite a corner case. I guess that's also the reason why RHEL didn't provide any security update.

Comment 2 David Walser 2014-08-02 16:34:08 CEST
Works for me.  Thanks Guillaume!

Status: NEW => RESOLVED
Resolution: (none) => INVALID
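
The reasoning in Comment 1, that a setuid plugin is only exposed to the users who hold execute permission on it, as an added example (not part of the bug report or of nagios-plugins): a Python check that classifies each setuid file in a directory by its mode bits. The function names and category labels are assumptions made for this example; the default directory is the one shown in Comment 1.

```python
import os
import stat
import sys


def setuid_exposure(mode: int) -> str:
    """Classify, from st_mode alone, who can run a file with its owner's privileges."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return "not-setuid"
    if mode & stat.S_IXOTH:
        return "world"           # e.g. -r-sr-xr-x: users outside owner and group can run it
    if mode & stat.S_IXGRP:
        return "group-only"      # e.g. -r-sr-x---: the mode shown in Comment 1
    if mode & stat.S_IXUSR:
        return "owner-only"
    return "not-executable"      # shown as 'S' by ls: setuid bit set, no execute bit


def audit_dir(path: str) -> list:
    """Return (path, mode string, uid, gid, exposure) for every setuid file in path."""
    findings = []
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)   # judge the link target separately
        exposure = setuid_exposure(st.st_mode)
        if exposure != "not-setuid":
            findings.append((entry.path, stat.filemode(st.st_mode),
                             st.st_uid, st.st_gid, exposure))
    return findings


if __name__ == "__main__":
    plugin_dir = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64/nagios/plugins"
    if not os.path.isdir(plugin_dir):
        sys.exit(f"{plugin_dir}: not a directory")
    for path, mode, uid, gid, exposure in audit_dir(plugin_dir):
        # uid 0 with exposure "world" is the case that needs attention first
        print(f"{mode} uid={uid} gid={gid} {exposure:14} {path}")
```
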

