A CVE has been assigned for an incomplete fix for CVE-2016-8641 in Nagios 4.2.4: http://openwall.com/lists/oss-security/2016/12/30/6 We do have the protected_hardlinks feature enabled in the kernel, so this isn't a big deal for us, but we should fix it in Cauldron if a fix becomes available.
There's also CVE-2014-5009: https://lwn.net/Vulnerabilities/713145/
CVE: (none) => CVE-2016-10089CC: (none) => mageia
CVE-2014-5009 does not apply, the vulnerable PHP code is not present in nagios 4.x. The status of CVE-2016-10089 is quite unclear: the original description says it applies to release 4.2.4 and earlier, but newer releases changelog does not mention having fixed it, nor does any commit. I guess we're still vulnerable.
Status: NEW => ASSIGNED
Thanks for looking into this. I don't think the new CVE affects the first hunk with the ramdisk dir, as you can't make a hardlink to a directory. For the 4 file ones, it looks like it's concerned that if the file doesn't already exist, the echo command (or touch in the last case) will create it, and it will then be owned as root, so they chown it back to nagios. I would think that it would be better to start with a su nagios -c "touch $file", before echoing data to the file, that way it would ensure it would either be created and owned by nagios, or retain its previous ownership, and the chown wouldn't be necessary.
I was referring to the fix for previous CVE, just to be clear: https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1
There's an upstream bug report for CVE-2016-10089 which was closed without any comment... ¯\_(ツ)_/¯ https://github.com/NagiosEnterprises/nagioscore/issues/353
(In reply to Rémi Verschelde from comment #5) > There's an upstream bug report for CVE-2016-10089 which was closed without > any comment... ¯\_(ツ)_/¯ > > https://github.com/NagiosEnterprises/nagioscore/issues/353 That's strange. It appears it would be a fairly simple patch to write. I just described how to do it in Comment 3. It's just a matter of doing it :o)
Created attachment 9453 [details] Fix for CVE-2016-10089 OK I wrote a patch to fix this, which you can submit upstream. See the exploit details in the link in Comment 0. Even with protected_hardlinks disabled, it should no longer work.
Fixed in nagios-4.3.1-2.mga6.
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED