[Pkg-nagios-devel] Bug#758883: check-mk: CVE info
Matt Taggart
taggart at debian.org
Fri Jan 9 19:42:07 UTC 2015
I did some research on #758883:
1) CVE-2014-5338 was fixed in 1.2.5i4 with this commit
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660abdeaaaa6c459a4aa3ce8e07722
The actions.py change should work as is.
The htmllib.py part of the patch needs some minor adjusting but should work.
2) CVE-2014-5339 was also fixed in 1.2.5i4 with this commit
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=78c0c2779393a822f62924c662b8022572a1be9c
The 1.2.2p3 version of the code is
    if not html.has_var('selection'):
        sel_id = file('/proc/sys/kernel/random/uuid').read().strip()
        html.add_var('selection', sel_id)
    return html.var('selection')
Whereas the 1.2.5i4 version uses
    if not html.has_var('selection'):
        sel_id = lib.gen_id()
        html.add_var('selection', sel_id)
    else:
        sel_id = html.var('selection')
    # Avoid illegal file access by introducing .. or /
    if not re.match("^[-0-9a-zA-Z]+$", sel_id):
        return lib.gen_id()
    else:
        return sel_id
lib.gen_id doesn't exist in 1.2.2p3 so the patch won't work. But maybe
the patch could be adapted to do the same check around the old way?
3) CVE-2014-5340 was also fixed in 1.2.5i4 with this commit
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0fe2a45b299a8f5c5da332410eec2c45aac2ba1e
which uses the python ast library if it exists. ast is a standard lib
and is available on wheezy. This patch should work (might need a little
adjusting, but looks ok)
It would be best to move to a release newer than 1.2.5i4 to fix these
(and other things) but in the interest of getting check-mk back in
jessie, maybe it would make sense to patch 1.2.2p3?
Thanks,
--
Matt Taggart
taggart at debian.org
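
The adaptation suggested in item 2, sketched as an added example that is not part of the original message or of the check_mk code: the 1.2.5i4 character check wrapped around the 1.2.2p3 way of generating the id. `FakeHtml`, `gen_selection_id` and `get_selection_id` are hypothetical names, the `html` object is a constructed stub, and the code is written for Python 3 (`open` instead of `file`).

```python
import re
import uuid

# Same character class as the 1.2.5i4 check: "/" and "." cannot pass.
# Used with fullmatch() below, because "$" in the original pattern
# would also accept a value that ends in a newline.
SELECTION_ID_RE = re.compile(r"[-0-9a-zA-Z]+")


class FakeHtml:
    """Constructed stand-in for the request object (hypothetical)."""

    def __init__(self, request_vars=None):
        self.vars = dict(request_vars or {})

    def has_var(self, name):
        return name in self.vars

    def var(self, name):
        return self.vars.get(name)

    def add_var(self, name, value):
        self.vars[name] = value


def gen_selection_id():
    """Generate an id the 1.2.2p3 way, from the kernel's uuid file."""
    try:
        with open("/proc/sys/kernel/random/uuid") as f:
            return f.read().strip()
    except OSError:
        # Assumption: fall back to the uuid module where /proc is absent.
        return str(uuid.uuid4())


def get_selection_id(html):
    if not html.has_var("selection"):
        sel_id = gen_selection_id()
        html.add_var("selection", sel_id)
        return sel_id
    sel_id = html.var("selection")
    # Avoid illegal file access by introducing .. or /
    if not SELECTION_ID_RE.fullmatch(sel_id):
        return gen_selection_id()
    return sel_id
```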