[Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands

Salvatore Bonaccorso carnil at debian.org
Sat Feb 23 07:33:20 UTC 2013

Package: nagios-nrpe
Severity: grave
Tags: security


It was reported publicly on the bugtraq mailing list[1]. If support for
command arguments in the daemon is enabled, then it would be possible
to pass $() and possibly execute shell commands when run under bash.

Upstream has released 2.14 containing a patch and disabling bash
command substitutions by default:

2.14 - 12/21/2012
- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)

According to [1], there is CVE-2013-1362 assigned to it.

In the Debian package we explicitly have --enable-command-args, so the
Debian packages look affected.
 [1]: http://seclists.org/bugtraq/2013/Feb/119
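
The following configuration audit is an added example, not part of the original report and not NRPE or Debian code. It reads an nrpe.cfg and reports whether the conditions described above hold: command arguments accepted at run time, bash command substitution allowed, and commands that interpolate `$ARGn$` macros. The directive names `dont_blame_nrpe` and `allow_bash_command_substitution` are NRPE's own nrpe.cfg settings and do not appear in the report; the sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample nrpe.cfg (illustrative; not taken from the bug report).
SAMPLE_CFG = """\
dont_blame_nrpe=1
allow_bash_command_substitution=0
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")          # $ARG1$, $ARG2$, ...
COMMAND_KEY = re.compile(r"^command\[([^\]]+)\]$")
FIXED_IN = (2, 14)  # per the changelog quoted in the report


def audit_nrpe_config(text, version):
    """Summarise the nrpe.cfg settings that decide exposure to CVE-2013-1362.

    version is the installed NRPE version as a tuple, e.g. (2, 13).
    Assumes the daemon was built with --enable-command-args (as Debian's is).
    """
    settings, arg_commands = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = COMMAND_KEY.match(key)
        if match:
            if ARG_MACRO.search(value):
                arg_commands.append(match.group(1))
        else:
            settings[key] = value  # keep the last value seen for a directive
    args_on = settings.get("dont_blame_nrpe", "0") == "1"
    subst_on = settings.get("allow_bash_command_substitution", "0") == "1"
    # Before 2.14, $() in arguments is the reported problem; from 2.14 on,
    # command substitution is off unless it has been explicitly enabled.
    subst_reachable = subst_on if version >= FIXED_IN else True
    return {
        "command_args_enabled": args_on,
        "bash_substitution_allowed": subst_on,
        "commands_taking_args": arg_commands,
        "exposed": args_on and bool(arg_commands) and subst_reachable,
    }


if __name__ == "__main__":
    for ver in ((2, 13), (2, 14)):
        print(ver, audit_nrpe_config(SAMPLE_CFG, ver))
```

The check is deliberately conservative: it treats any pre-2.14 daemon that accepts arguments for at least one command as exposed, and it cannot see compile-time options, so the build flags still need to be confirmed separately.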

