[Pkg-nagios-devel] Bug#701227: Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Alexander Wirt
formorer at debian.org
Mon Mar 4 08:06:52 UTC 2013
Salvatore Bonaccorso wrote on Sunday, 03 March 2013:
> Control: tags -1 + patch
>
> Hi Alex
>
> On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
> > On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
> >
> > > On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > > > In the Debian package we have explicitly --enable-command-args so the
> > > > Debian package looks affected.
> > >
> > > But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> > > added to the above.
> > Yeah we disable that feature by default and add some big warnings to the
> > documentation. Nobody ever thought that command-args via nrpe are secure.
>
> How about disallowing $() completely if command arguments in case are
> enabled? I tried to extract the relevant part, see attached debdiff.
> But it's not yet tested.
In fact it looks like the patch on my disk :). I am sorry for not handling
this earlier, but our new bathroom took my whole spare time in the last
weeks.
It should be better this week.
Alex
--
Alexander Wirt, formorer at formorer.de
CC99 2DDD D39E 75B0 B0AA B25C D35B BC99 BC7D 020A
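
The mitigation proposed in the quoted message (refuse `$()` whenever command arguments are enabled) can be sketched as follows. This is an added example, not the attached debdiff and not NRPE's own code; `arg_is_unsafe`, `expand_command`, the `$ARGn$` template handling and the metacharacter deny-list are assumptions made for illustration.

```c
#include <string.h>

/* Assumed deny-list for this sketch; not taken from the NRPE source. */
#define SHELL_METACHARS "|`&><'\"\\[]{};\r\n"

/* Return 1 if a client-supplied argument must be refused. */
int arg_is_unsafe(const char *arg)
{
    if (strpbrk(arg, SHELL_METACHARS) != NULL)
        return 1;                  /* classic shell metacharacter */
    if (strstr(arg, "$(") != NULL)
        return 1;                  /* command substitution, the case in this bug */
    return 0;
}

/*
 * Expand $ARG1$..$ARG9$ in a command template (hypothetical helper).
 * Returns 0 on success, -1 if an argument is missing or unsafe,
 * or if the result does not fit in out.
 */
int expand_command(const char *tmpl, const char *const args[], int nargs,
                   char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0)
        return -1;
    while (*tmpl != '\0') {
        const char *piece;
        size_t len = 1;

        if (strncmp(tmpl, "$ARG", 4) == 0 && tmpl[4] >= '1' && tmpl[4] <= '9'
            && tmpl[5] == '$') {
            int idx = tmpl[4] - '1';
            if (idx >= nargs || args[idx] == NULL || arg_is_unsafe(args[idx]))
                return -1;         /* refuse the whole request, do not sanitize */
            piece = args[idx];
            len = strlen(piece);
            tmpl += 6;
        } else {
            piece = tmpl++;        /* copy one literal template byte */
        }
        if (used + len >= outlen)
            return -1;             /* would overflow the command buffer */
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}
```

The check rejects the request outright instead of stripping characters, so a filtered argument can never reach the shell in a modified form.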