[Pkg-nagios-devel] Bug#865497: CVE-2017-9781 not yet fixed in 1.2.8p26-1?

Matt Taggart taggart at debian.org
Fri Oct 6 22:43:38 UTC 2017


On 10/06/2017 02:28 PM, Salvatore Bonaccorso wrote:
> Control: notfixed -1 1.2.8p26-1
> 
> Hi!
> 
> On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote:
>> This is an automatic notification regarding your Bug report
>> which was filed against the src:check-mk package:
>>
>> #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py
> 
> I looked up the source for 1.2.8p26-1.
> 
> The fix for CVE-2017-9781 is
> 
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
> 
> which does not yet seem to be applied to 1.2.8p26-1?
> 
> Can you please double-check?
> 
> 
> Note, there is a second CVE now for check-mk, that one got addressed
> in 1.2.8p26, but it's not clear yet in which version in was
> introduced.
Hi,

You are right, the fix for CVE-2017-9781, which upstream calls "werk 
#4757" is _not_ in 1.2.8p26. I was confused with upstream #5208 when I 
wrote the changelog that closed the bug.

Upstream lists the following security related fixes for 1.2.8
==============================================================
#5208
http://mathias-kettner.com/check_mk_werks.php?werk_id=5208&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=673360408b90f99bd54cf936091cff08d979a057

#4902
http://mathias-kettner.com/check_mk_werks.php?werk_id=4902&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=96e39a0f024d9b2b521576c1eb71aca7fb3e818d

#7661 (fixed in 1.4.0p8, supposedly fixed in 1.2.8p25?)
http://mathias-kettner.com/check_mk_werks.php?werk_id=7661&HTML=yes

#7631
http://mathias-kettner.com/check_mk_werks.php?werk_id=7631&HTML=yes

#3970 (fixed in 1.2.8p14)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3970&HTML=yes

#3855 (fixed in 1.2.8p11)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3855&HTML=yes

#3743 (fixed in 1.2.8p10)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3743&HTML=yes

Full list of changes for 1.2.8p26
=================================
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8&version=1.2.8p26&HTML=yes

Full list of changes for 1.4.0p14
=================================
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.4.0&version=1.4.0p14&HTML=yes

which additionally lists

#4757 (as you mentioned above, fixed in 1.4.0p6)
http://mathias-kettner.com/check_mk_werks.php?werk_id=4757&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f549502244a60146ed6831dc3473f2a

#7643 (only in 1.4 and newer)
http://mathias-kettner.com/check_mk_werks.php?werk_id=7643&HTML=yes

So I think the Debian 1.2.8p16 package is only missing #4757.

I will ask upstream if they intend to fix #4757 in the 1.2.8 series.
Unfortunately due to how the upstream tarball/build works, it is tricky 
to patch upstream files. If upstream doesn't intend to include this fix 
I can generate a patch to make it work.

I had started working on packaging 1.4.0 as a way to fix these security 
bugs (and even did an upload to experimental) but I recently learned 
from upstream that:

"The use of Check_MK without OMD environment and customization of paths 
is explicitly not supported anymore."

ie you can't use check-mk stand-alone, you have to use OMD (and 
livestatus/WATO/multisite, the whole stack) and you have to use 
upstream's installer to upstream's paths. It's very much the "network 
appliance" model (or flatpak, docker image, etc)
I don't know if we'll be able to make this work in Debian. (not to 
mention that nagios is gone and icinga1 will go away at some point)

That prompted me to go back to 1.2.8 and package the latest release 
there in order to at least have something working without the security bugs.

-- 
Matt Taggart
taggart at debian.org



More information about the Pkg-nagios-devel mailing list