[Pkg-nagios-devel] Bug#701227: Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
formorer at debian.org
Mon Mar 4 08:06:52 UTC 2013
Salvatore Bonaccorso wrote on Sunday, 03 March 2013:
> Control: tags -1 + patch
> Hi Alex
> On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
> > On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
> > > On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > > > In the Debian package we have explicitly --enable-command-args so the
> > > > Debian packages look affected.
> > >
> > > But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> > > added to the above.
> > Yeah we disable that feature by default and add some big warnings to the
> > documentation. Nobody ever thought that command-args via nrpe are secure.
> How about disallowing $() completely in case command arguments are
> enabled? I tried to extract the relevant part, see attached debdiff.
> But it's not yet tested.
In fact it looks like the patch on my disk :). I am sorry for not handling
this earlier, but our new bathroom took my whole spare time in the last
It should be better this week.
Alexander Wirt, formorer at formorer.de
CC99 2DDD D39E 75B0 B0AA B25C D35B BC99 BC7D 020A
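
The check proposed in the quoted message, refusing `$(` in any argument when command arguments are enabled, could look like the following. This is an added example, not the debdiff attached to the bug and not NRPE's own code; the function names, the `!`-separated request layout, the deny-list and the 16-argument limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed deny-list and limits for this sketch (not from the debdiff). */
#define DENIED_CHARS "|`&><'\"\\[]{};\r\n"
#define MAX_ARGS 16
#define MAX_REQUEST 1024

/* Return 1 if a single field is safe to substitute into a command line. */
static int field_is_safe(const char *s)
{
    if (strstr(s, "$(") != NULL)             /* shell command substitution */
        return 0;
    return strpbrk(s, DENIED_CHARS) == NULL; /* other metacharacters */
}

/*
 * Validate a request of the form "command!arg1!arg2".
 * args_enabled mirrors the config switch: when 0, any argument is refused.
 * Returns 0 to accept, -1 to reject.
 */
int validate_request(const char *request, int args_enabled)
{
    char buf[MAX_REQUEST];
    char *field, *next;
    int nargs = -1;                          /* first field is the command */

    if (request == NULL || request[0] == '\0' || strlen(request) >= sizeof(buf))
        return -1;
    strcpy(buf, request);
    for (field = buf; field != NULL; field = next) {
        next = strchr(field, '!');
        if (next != NULL)
            *next++ = '\0';
        nargs++;
        if (nargs > 0 && !args_enabled)
            return -1;
        if (nargs > MAX_ARGS || !field_is_safe(field))
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *samples[] = { "check_users!5!10", "check_users!$(echo x)", "check_disk!/var;x" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s -> %s\n", samples[i], validate_request(samples[i], 1) ? "rejected" : "accepted");
    return 0;
}
```

The validation runs before any macro substitution, so a rejected request never reaches the shell.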