nagios3: CVE-2013-4214: html/rss-newsfeed.php insecure temporary file usage

Related Vulnerabilities: CVE-2013-4214  

Debian Bug report logs - #719056

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Aug 2013 05:42:02 UTC

Severity: important

Tags: security, upstream

Found in version nagios3/3.4.1-3

Fixed in version nagios3/3.5.1-1

Done: Alexander Wirt <formorer@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#719056; Package nagios3-cgi. (Thu, 08 Aug 2013 05:42:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 08 Aug 2013 05:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios3: CVE-2013-4214: html/rss-newsfeed.php insecure temporary file usage
Date: Thu, 08 Aug 2013 07:38:53 +0200
Package: nagios3-cgi
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for nagios3.

CVE-2013-4214[0]:
insecure temporary file usage

The file html/rss-newsfeed.php in nagios3 (installed into nagios3-cgi)
uses /tmp insecurely by fixed cache dir name:

  define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4214
[1] https://bugzilla.redhat.com/show_bug.cgi?id=958002

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
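
One way to avoid the fixed-name /tmp pattern quoted in the report above, as an added example (not code from Nagios, MagpieRSS or the Debian package). The helper name `private_cache_dir` and the scratch paths are hypothetical; it assumes PHP 7+ with the posix extension.

```php
<?php
declare(strict_types=1);

// Pattern from the report: a fixed name under world-writable /tmp.
//   define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

/**
 * Hypothetical helper: return $dir only if this process alone controls it.
 * Creates it with mode 0700 when absent; otherwise accepts it only when it is
 * a real directory (not a symlink), owned by us, with no group/other access.
 */
function private_cache_dir(string $dir): string
{
    // mkdir() fails if any entry already exists at $dir, including a symlink.
    if (@mkdir($dir, 0700)) {
        return $dir;
    }

    clearstatcache(true, $dir);
    $st = @lstat($dir);   // lstat inspects the entry itself, never a link target
    if ($st === false) {
        throw new RuntimeException("cannot create or inspect $dir");
    }
    if (($st['mode'] & 0170000) !== 0040000) {
        throw new RuntimeException("$dir exists but is not a directory");
    }
    if ($st['uid'] !== posix_geteuid()) {
        throw new RuntimeException("$dir is owned by uid {$st['uid']}");
    }
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException("$dir is accessible to group or others");
    }
    return $dir;
}

// Constructed demo in a scratch directory, so /tmp/magpie_cache is never touched.
$scratch = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(8));
mkdir($scratch, 0700);
echo private_cache_dir("$scratch/cache"), " (created)\n";
echo private_cache_dir("$scratch/cache"), " (re-validated)\n";

symlink($scratch, "$scratch/link");   // an entry that is a symlink
chmod("$scratch/cache", 0777);        // a directory that others can write to
foreach (["$scratch/link", "$scratch/cache"] as $bad) {
    try {
        private_cache_dir($bad);
    } catch (RuntimeException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```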



Marked as found in versions nagios3/3.4.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Aug 2013 09:00:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#719056; Package nagios3-cgi. (Fri, 03 Jan 2014 12:33:04 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 03 Jan 2014 12:33:04 GMT)


Message #12 received at 719056@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 719056@bugs.debian.org
Subject: nagios3 leaks info about install to upstream
Date: Fri, 3 Jan 2014 13:31:32 +0100

Hi,

> The file html/rss-newsfeed.php in nagios3 (installed into nagios3-cgi)
> uses /tmp insecurely by fixed cache dir name:

Actually, besides the tempfile usage, this PHP script exists to query the
Nagios upstream website on any load of the front page of the installation,
which leaks information about machines having Nagios installed. Perhaps
it's better to just remove this functionality.


Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#719056; Package nagios3-cgi. (Fri, 03 Jan 2014 15:12:04 GMT)


Acknowledgement sent to Michael Friedrich <michael.friedrich@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 03 Jan 2014 15:12:04 GMT)


Message #17 received at 719056@bugs.debian.org:

From: Michael Friedrich <michael.friedrich@gmail.com>
To: Thijs Kinkhorst <thijs@debian.org>, 719056@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#719056: nagios3 leaks info about install to upstream
Date: Fri, 03 Jan 2014 16:08:39 +0100

Hi,

On 03.01.2014 13:31, Thijs Kinkhorst wrote:
> Hi,
>
>> The file html/rss-newsfeed.php in nagios3 (installed into nagios3-cgi)
>> uses /tmp insecurely by fixed cache dir name:
> Actually, besides the tempfile usage, this PHP script exists to query the
> Nagios upstream website on any load of the front page of the installation,
> which leaks information about machines having Nagios installed. Perhaps
> it's better to just remove this functionality.

I've refactored an old patch against the 3.4.1 release which Debian uses
in order to remove that "feature" entirely. It still leaves the PHP
requirement intact - re-establishing the old HTML style will make the
patch likely incompatible with upstream.
https://github.com/dnsmichi/nagios-fixed/commits/debian/html-remove-call-home

Note: Also applies against 4.x HEAD.

Furthermore, I've ported a core patch I've implemented for Icinga years 
ago, which entirely removes the core's "feature" to schedule daily timed 
events for update checks. Upstream allows you to disable those checks 
via config option, but it still causes some noops for the unused 
functionality. Based on 3.4.1 for Debian too.
https://github.com/dnsmichi/nagios-fixed/commits/debian/core-remove-call-home

Note: Does not apply against 4.x HEAD, there have been too many changes. 
A compatible patch is located here: 
https://github.com/dnsmichi/nagios-fixed/commits/debian/core4x-remove-call-home 


hth
Michael

-- 
DI (FH) Michael Friedrich

mail:     michael.friedrich@gmail.com
twitter:  https://twitter.com/dnsmichi
jabber:   dnsmichi@jabber.ccc.de
irc:      irc.freenode.net/icinga dnsmichi

icinga open source monitoring
position: lead core developer
url:      https://www.icinga.org




Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Sat, 04 Jan 2014 09:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 04 Jan 2014 09:21:12 GMT)


Message #22 received at 719056-close@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: 719056-close@bugs.debian.org
Subject: Bug#719056: fixed in nagios3 3.5.1-1
Date: Sat, 04 Jan 2014 09:19:48 +0000
Source: nagios3
Source-Version: 3.5.1-1

We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 03 Jan 2014 23:18:34 +0100
Source: nagios3
Binary: nagios3-common nagios3-cgi nagios3 nagios3-core nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 nagios3    - host/service/network monitoring and management system
 nagios3-cgi - cgi files for nagios3
 nagios3-common - support files for nagios3
 nagios3-core - host/service/network monitoring and management system core files
 nagios3-dbg - debugging symbols and debug stuff for nagios3
 nagios3-doc - documentation for nagios3
Closes: 642515 689901 719056 725177
Changes: 
 nagios3 (3.5.1-1) unstable; urgency=medium
 .
   * [bf5522e] Enable cgi module for apache 2.4 (Closes: #725177)
   * [744e794] Stick to 3.x for now
   * [5d1f7c2] Imported Upstream version 3.5.1
               Closes: #642515
   * [43e7d66] Remove obsolete patches
   * [65bee9b] Move to quilt
   * [77d98da] Remove dpatch dependency
   * [63dacfb] Bump standards version
   * [053130c] Take care that /var/run/nagios3 is created at boot time
   * [cfca1db] Remove leading 'a' from description
   * [057dfb9] Remove dpatch from rules file
   * [de834df] Move /var/run/nagios3 creation to initscript (Closes: #689901)
   * [ee6422c] Make 3.0 quilt more vcs friendly
   * [c88bef8] don't let nagios call home. This fixes CVE-2013-4214.
     (Closes: #719056)
   * [828c43f] Bump standards version.
   * [611d0f9] Don't ship folder in /var/run (Closes: #689901)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Feb 2014 07:33:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:42:10 2019; Machine Name: beach