Control: tags -1 + patch

Hi Alex

On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
> On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
>
> > On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > > In the debian package we have explicitly --enable-command-args so the
> > > Debian packages look affected.
> >
> > But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> > added to the above.
> Yeah we disable that feature by default and add some big warnings to the
> documentation. Nobody ever thought that command-args via nrpe are secure.

How about disallowing $() completely in case command arguments are enabled?

I tried to extract the relevant part, see attached debdiff. But it's not yet tested.

Regards,
Salvatore

diff -u nagios-nrpe-2.13/debian/changelog nagios-nrpe-2.13/debian/changelog --- nagios-nrpe-2.13/debian/changelog +++ nagios-nrpe-2.13/debian/changelog @@ -1,3 +1,15 @@ +nagios-nrpe (2.13-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Add 08_CVE-2013-1362.dpatch patch. + If command arguments are enabled in the NRPE configuration, it was + possible to pass $() as arguments as the checking for nasty caracters + was not strict enough to catch $(). This allowed executing shell + commands under a subprocess and pass the output as a parameter to the + called script (if run under bash). CVE-2013-1362 (Closes: #701227) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 03 Mar 2013 23:39:37 +0100 + nagios-nrpe (2.13-2) unstable; urgency=high [ Thijs Kinkhorst ] diff -u nagios-nrpe-2.13/debian/patches/00list nagios-nrpe-2.13/debian/patches/00list --- nagios-nrpe-2.13/debian/patches/00list +++ nagios-nrpe-2.13/debian/patches/00list @@ -7,0 +8 @@ +08_CVE-2013-1362.dpatch only in patch2: unchanged: --- nagios-nrpe-2.13.orig/debian/patches/08_CVE-2013-1362.dpatch +++ nagios-nrpe-2.13/debian/patches/08_CVE-2013-1362.dpatch 
@@ -0,0 +1,26 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_CVE-2013-1362.dpatch by Salvatore Bonaccorso <car...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: nagios-nrpe prior to 2.14 allows the passing of $() as command +## DP: arguments to execute shell commands if command arguments are +## DP: explicitly enabled. Filtering out nasty caracters is not +## DP: strict enough to disallow $(), allowing executing shell commands +## DP: under a subprocess and pass the output as a parameter to the +## DP: called script (if run under bash). + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios-nrpe~/src/nrpe.c nagios-nrpe/src/nrpe.c +--- nagios-nrpe~/src/nrpe.c 2013-03-03 23:13:22.000000000 +0100 ++++ nagios-nrpe/src/nrpe.c 2013-03-03 23:15:51.621025795 +0100 +@@ -1749,6 +1749,10 @@ + syslog(LOG_ERR,"Error: Request contained an empty command argument"); + return ERROR; + } ++ if(strstr(macro_argv[x],"$(")) { ++ syslog(LOG_ERR,"Error: Request contained a bash command substitution!"); ++ return ERROR; ++ } + } + } + #endif
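
Review bot: in the debian/changelog hunk, the new 2.13-2.1 entry is marked urgency=low although it closes a CVE (CVE-2013-1362, #701227) and the 2.13-2 entry directly below it uses urgency=high; consider raising the urgency to match the nature of the fix. "caracters" in this entry, and again in the DP: description of 08_CVE-2013-1362.dpatch, should read "characters".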
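
Review bot: in the src/nrpe.c hunk, the added strstr(macro_argv[x],"$(") test rejects only the literal two-character sequence "$(" and sits as a special case after the empty-argument check. Since the changelog gives the root cause as the nasty-character check not being strict enough, consider rejecting '$' through that same check so there is a single filter to audit instead of two. The syslog text says "bash command substitution", but $() is POSIX shell syntax, so "shell command substitution" would be more accurate, and logging the argument index x would help when triaging the entry. The mail says the patch is not yet tested, so a run with command arguments enabled, with and without "$(" in an argument, should be done before upload.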