[Pkg-nagios-devel] Bug#683320: Bug#683320: Bug#683320: CVE-2012-3441: insecure permissions in DB creation scripts

Michael Friedrich michael.friedrich at univie.ac.at
Mon Jul 30 19:45:54 UTC 2012


On 30.07.2012 21:09, Alexander Wirt wrote:
> On Mon, 30 Jul 2012, Yves-Alexis Perez wrote:
>
>> Source: icinga
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Hi,
>>
>> DB creation scripts shipped in icinga-idoutils are insecure (they grant
>> privileges for all users). See
>> https://bugzilla.novell.com/show_bug.cgi?id=767319 and:
>>
>> https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab
>> https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63
>>
>> As far as I can tell the bug in stable is only in documentation, but in
>> Wheezy it affects the scripts too. Please backport the changes and only
>> upload a targeted fix.
> hmm? we use dbconfig-common. We don't use this script, we also don't install
> README.RHEL.idoutils anywhere. So this is docs only.

The docs were fixed in 1.7.1, since this was released on 18.6.2012.

see icinga-core.git branch r1.7, cd docbook, git pull && git log

commit 619a08ca1178144b8a3a5caafff32a2d3918edab
Author: Wolfgang <wnd at gmx.net>
Date:   Fri Jun 15 19:08:55 2012 +0200

     docs issue #2690: limit grant to icinga db

So it's a bug in a script which is shipped example-wise upstream. SUSE 
packages are the only known package source using those scripts; even the 
repoforge rpms do not use those scripts (therefore the 
README.RHEL.idoutils fix by me). So this might still be an issue, but 
only for those manually invoking such scripts from the examples.

kind regards,
Michael

-- 
DI (FH) Michael Friedrich

Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria

email:     michael.friedrich at univie.ac.at
phone:     +43 1 4277 14359
mobile:    +43 664 60277 14359
fax:       +43 1 4277 14338
web:       http://www.univie.ac.at/zid
            http://www.aco.net

Lead Icinga Core Developer
http://www.icinga.org
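A small audit helper, added here as an illustration and not part of the Icinga scripts or of this thread, that scans a DB creation script for GRANT statements wider than the single icinga database the upstream fix ("limit grant to icinga db") restricts them to. The two SQL snippets are constructed samples, not the real create scripts; the flagged patterns (global `*.*` scope, wildcard `%` host, `ALL PRIVILEGES`) are the ones a packager would want to catch before shipping such a script.

```python
import re

# Constructed sample of an overly broad grant (all databases, any host, all
# privileges) next to one scoped to the icinga database on localhost only.
# Illustrative only; not the actual Icinga IDOUtils scripts.
WEAK_SCRIPT = """
CREATE DATABASE IF NOT EXISTS icinga;
GRANT ALL PRIVILEGES ON *.* TO 'icinga'@'%' IDENTIFIED BY 'icinga';
"""

FIXED_SCRIPT = """
CREATE DATABASE IF NOT EXISTS icinga;
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
  ON icinga.* TO 'icinga'@'localhost' IDENTIFIED BY 'icinga';
"""

# Matches the common MySQL form: GRANT <privs> ON <scope> TO 'user'@'host'
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE | re.DOTALL,
)


def audit_grants(sql: str, db: str = "icinga") -> list[tuple[str, str]]:
    """Return (account, finding) pairs for every GRANT wider than `db` needs."""
    findings = []
    for m in GRANT_RE.finditer(sql):
        account = f"{m['user']}@{m['host']}"
        scope = m["scope"].strip("`")
        privs = m["privs"].upper()
        if scope == "*.*":
            # Global scope: the account can touch every database on the server.
            findings.append((account, "global-scope"))
        elif scope.split(".")[0].strip("`") != db:
            # Scoped, but to some database other than the application's own.
            findings.append((account, "foreign-scope"))
        if m["host"] == "%":
            # Any client host may authenticate as this account.
            findings.append((account, "wildcard-host"))
        if re.search(r"\bALL\b", privs):
            # ALL [PRIVILEGES] is far more than an NDO/IDO writer needs.
            findings.append((account, "all-privileges"))
    return findings


if __name__ == "__main__":
    for name, script in (("weak", WEAK_SCRIPT), ("fixed", FIXED_SCRIPT)):
        print(name, audit_grants(script))
```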
