Hello community,
here is the log from the commit of package monitoring-plugins-smart for
openSUSE:Factory checked in at 2026-04-29 19:19:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/monitoring-plugins-smart (Old)
and /work/SRC/openSUSE:Factory/.monitoring-plugins-smart.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "monitoring-plugins-smart"
Wed Apr 29 19:19:22 2026 rev:18 rq:1349885 version:6.18.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/monitoring-plugins-smart/monitoring-plugins-smart.changes
2026-04-22 16:56:30.916349994 +0200
+++
/work/SRC/openSUSE:Factory/.monitoring-plugins-smart.new.30200/monitoring-plugins-smart.changes
2026-04-29 19:20:31.419668306 +0200
@@ -1,0 +2,7 @@
+Mon Apr 27 11:42:11 UTC 2026 - Martin Hauke <[email protected]>
+
+- Update to version 6.18.1
+ * This is a security release, fixing a potential command
+ injection vulnerability.
+
+-------------------------------------------------------------------
Old:
----
check_smart-6.18.0.tar.gz
New:
----
check_smart-6.18.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ monitoring-plugins-smart.spec ++++++
--- /var/tmp/diff_new_pack.HdCom3/_old 2026-04-29 19:20:32.035693542 +0200
+++ /var/tmp/diff_new_pack.HdCom3/_new 2026-04-29 19:20:32.039693707 +0200
@@ -17,7 +17,7 @@
Name: monitoring-plugins-smart
-Version: 6.18.0
+Version: 6.18.1
Release: 0
Summary: Check SMART status of a given disk
License: GPL-3.0-or-later
++++++ check_smart-6.18.0.tar.gz -> check_smart-6.18.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/check_smart-6.18.0/check_smart.pl
new/check_smart-6.18.1/check_smart.pl
--- old/check_smart-6.18.0/check_smart.pl 2026-04-21 13:58:20.000000000
+0200
+++ new/check_smart-6.18.1/check_smart.pl 2026-04-24 14:55:25.000000000
+0200
@@ -67,13 +67,14 @@
# Dec 15, 2025: Florian Sager - Fix evaluating ATA Error Count: 0 as a warning
(6.17.0)
# Dec 15, 2025: Philippe Beaumont - Add areca devices (6.17.0)
# Apr 21, 2026: Claudio Kuenzler - Fix sys path for sudo command. Detect NVME
input/output error (6.18.0)
+# Apr 24, 2026: Claudio Kuenzler - Fix command injection vulnerability in
interface parameter (6.18.1)
use strict;
use Getopt::Long;
use File::Basename qw(basename);
my $basename = basename($0);
-my $revision = '6.18.0';
+my $revision = '6.18.1';
# Standard Nagios return codes
my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
@@ -157,12 +158,13 @@
}
foreach my $opt_dl (@dev){
- warn "Found $opt_dl\n" if $opt_debug;
- if (-b $opt_dl || -c $opt_dl || $opt_dl =~ m/^\/dev\/bus\/\d$/) {
+ warn "(debug) Found $opt_dl\n" if $opt_debug;
+ if (-l $opt_dl) {
+ warn "(debug) $opt_dl is a symlink, skipping for security
reasons\n" if $opt_debug;
+ } elsif (-b $opt_dl || -c $opt_dl || $opt_dl =~
m/^\/dev\/bus\/\d$/) {
$device .= $opt_dl."|";
-
} else {
- warn "$opt_dl is not a valid block/character special
device!\n\n" if $opt_debug;
+ warn "(debug) $opt_dl is not a valid block/character special
device!\n\n" if $opt_debug;
}
}
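Review bot: The new `-l $opt_dl` branch drops every symlinked device path silently unless --debug is set, and on Linux the stable `/dev/disk/by-id/*` names are symlinks, so a configuration that lists devices by id would presumably stop being checked without any visible error; where `@dev` comes from is outside this hunk, so the impact depends on whether user-supplied paths reach this loop. If the concern is that a caller-controlled link name (rather than its target) can carry shell metacharacters into the smartctl command line, resolving the link first keeps both safety and usability: `my $target = Cwd::realpath($opt_dl);` followed by the existing `-b`/`-c`/`m{^/dev/bus/\d$}` test on `$target` and `$device .= $target."|"` instead of `$opt_dl` (Cwd is core, but the `use Cwd;` would sit outside this hunk, and `realpath` returns undef for a dangling link so that case needs a defined check). Whichever way it goes, the skip deserves a warning that is not gated on `$opt_debug`, and the comment should say what the security reason is, e.g. `# reject symlinks: the link name is caller-controlled and would be interpolated into the smartctl command`. The enclosing block around the `foreach` starts before the hunk.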
@@ -174,8 +176,11 @@
# Allow all device types currently supported by smartctl
# See http://www.smartmontools.org/wiki/Supported_RAID-Controllers
-
- if ($opt_i =~
m/^(ata|scsi|3ware|areca|hpt|aacraid|cciss|megaraid|sat|auto|nvme|usbjmicron)/)
{
+ # Validate interface parameter strictly to prevent command injection
+ # Simple interfaces must match exactly; RAID interfaces allow device
specifiers (see --help)
+ if ($opt_i =~ m/^(ata|scsi|sat|auto|nvme)$/ ||
+ $opt_i =~
m/^(3ware|areca|aacraid|cciss|megaraid|usbjmicron),(\d+|\[\d+-\d+\])$/ ||
+ $opt_i =~ m/^hpt,\d+\/\d+\/\d+$/) {
$interface = $opt_i;
if($interface =~ m/megaraid,\[(\d{1,2})-(\d{1,2})\]/) {
$interface = "";
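Review bot: The RAID alternative on the `3ware|areca|aacraid|cciss|megaraid|usbjmicron` line accepts exactly one numeric specifier or one `[a-b]` range, which rejects forms smartctl itself documents for `-d` and the old prefix match let through — `aacraid,H,L,ID` takes three comma-separated numbers and `areca,N/E` takes an enclosure suffix — so those users will presumably fall into the unrecognised-interface branch after upgrading. Keeping the character set strict while allowing repeated numeric fields preserves the injection fix: `$opt_i =~ m{^(3ware|areca|aacraid|cciss|megaraid|usbjmicron),(\d+(?:[,/]\d+)*|\[\d+-\d+\])\z}`. The same question applies to `sat,auto`/`sat,12` and `nvme,NSID` in the first alternative, if the plugin intends to pass those through unchanged. Using `\z` instead of `$` in all three patterns also rejects a trailing newline, which `$` tolerates. The validated value is presumably still interpolated into a shell command string elsewhere in the file, so an allow-list is the right gate here, but passing `smartctl` its arguments as a list via `open my $fh, '-|', ...` or `system(@args)` would take the shell out of the path entirely; the `if` block continues past the end of the hunk.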