[Pkg-nagios-devel] Bug#865497: CVE-2017-9781 not yet fixed in 1.2.8p26-1?

Salvatore Bonaccorso carnil at debian.org
Sat Oct 7 07:38:33 UTC 2017 

Hi Matt!

On Fri, Oct 06, 2017 at 03:43:38PM -0700, Matt Taggart wrote:
> On 10/06/2017 02:28 PM, Salvatore Bonaccorso wrote:
> > Control: notfixed -1 1.2.8p26-1
> >
> > Hi!
> >
> > On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was filed against the src:check-mk package:
> > >
> > > #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py
> >
> > I looked up the source for 1.2.8p26-1.
> >
> > The fix for CVE-2017-9781 is
> >
> > http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
> >
> > which does not yet seem to be applied to 1.2.8p26-1?
> >
> > Can you please double-check?
> >
> >
> > Note, there is a second CVE now for check-mk, that one got addressed
> > in 1.2.8p26, but it's not clear yet in which version in was
> > introduced.
> Hi,
>
> You are right, the fix for CVE-2017-9781, which upstream calls "werk #4757"
> is _not_ in 1.2.8p26. I was confused with upstream #5208 when I wrote the
> changelog that closed the bug.

Thanks for confirming!

> Upstream lists the following security related fixes for 1.2.8
> ==============================================================
> #5208
> http://mathias-kettner.com/check_mk_werks.php?werk_id=5208&HTML=yes
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=673360408b90f99bd54cf936091cff08d979a057
>
> #4902
> http://mathias-kettner.com/check_mk_werks.php?werk_id=4902&HTML=yes
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=96e39a0f024d9b2b521576c1eb71aca7fb3e818d
>
> #7661 (fixed in 1.4.0p8, supposedly fixed in 1.2.8p25?)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=7661&HTML=yes
>
> #7631
> http://mathias-kettner.com/check_mk_werks.php?werk_id=7631&HTML=yes
>
> #3970 (fixed in 1.2.8p14)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=3970&HTML=yes
>
> #3855 (fixed in 1.2.8p11)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=3855&HTML=yes
>
> #3743 (fixed in 1.2.8p10)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=3743&HTML=yes
>
> Full list of changes for 1.2.8p26
> =================================
> http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8&version=1.2.8p26&HTML=yes
>
> Full list of changes for 1.4.0p14
> =================================
> http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.4.0&version=1.4.0p14&HTML=yes
>
> which additionally lists
>
> #4757 (as you mentioned above, fixed in 1.4.0p6)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=4757&HTML=yes
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f549502244a60146ed6831dc3473f2a
>
> #7643 (only in 1.4 and newer)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=7643&HTML=yes
>
> So I think the Debian 1.2.8p16 package is only missing #4757.

Ok. Do you know something about
https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes .
I twas fixed in 1.2.8p26, but I failed to see if it was introduced
*after* 1.2.8p14-1. But I will try to handle that in a seprate bug. I
tried to git clone the git repository mentioned at
http://git.mathias-kettner.de/check_mk.git but that just does not work
for me.
>
> I will ask upstream if they intend to fix #4757 in the 1.2.8 series.
> Unfortunately due to how the upstream tarball/build works, it is tricky to
> patch upstream files. If upstream doesn't intend to include this fix I can
> generate a patch to make it work.

Ok thanks.

> I had started working on packaging 1.4.0 as a way to fix these security bugs
> (and even did an upload to experimental) but I recently learned from
> upstream that:
>
> "The use of Check_MK without OMD environment and customization of paths is
> explicitly not supported anymore."
>
> ie you can't use check-mk stand-alone, you have to use OMD (and
> livestatus/WATO/multisite, the whole stack) and you have to use upstream's
> installer to upstream's paths. It's very much the "network appliance" model
> (or flatpak, docker image, etc)
> I don't know if we'll be able to make this work in Debian. (not to mention
> that nagios is gone and icinga1 will go away at some point)

Hmm, that sounds bad. I guess if that turns out to be true, then would
better alternative to drop check-mk completely from the Debian
archive? I mean specifically, for the buster release cycle, if 1.2.8
based series should be included then still.

> That prompted me to go back to 1.2.8 and package the latest release there in
> order to at least have something working without the security bugs.

Ok. I'm not too familiar with check-mk itself, I only worked on it
from tracking security fixes point of view. Can you say something, on
how long are the 1.2.8 series planned to be supported upstream?

Regards,
Salvatore

More information about the Pkg-nagios-devel mailing list