Looks like most of that .patch file ended in the commit message, but the patch looks ok to me, so not sure what happened.
On Tue, Dec 10, 2024 at 3:01 PM Bruce Ashfield <[email protected]> wrote: > > odd. I don't even have any refuse sitting around in my merge directory. > > I'll revert and re-apply. > > Bruce > > On Tue, Dec 10, 2024 at 3:21 AM Martin Jansa <[email protected]> wrote: >> >> Something went wrong when applying this in kirkstone and >> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch doesn't >> exist. >> >> On Tue, Dec 10, 2024 at 4:39 AM Bruce Ashfield via >> lists.yoctoproject.org >> <[email protected]> wrote: >> > >> > merged. >> > >> > Bruce >> > >> > In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix >> > CVE-2023-37154 >> > on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote: >> > >> > > From: Changqing Li <[email protected]> >> > > >> > > CVE-2023-37154: >> > > check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command >> > > execution >> > > via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. >> > > This has >> > > been categorized both as fixed in e8810de, and as intended behavior. >> > > >> > > Refer: >> > > https://nvd.nist.gov/vuln/detail/CVE-2023-37154 >> > > >> > > Signed-off-by: Changqing Li <[email protected]> >> > > --- >> > > .../nagios-plugins/CVE-2023-37154.patch | 69 +++++++++++++++++++ >> > > .../nagios/nagios-plugins_2.2.1.bb | 1 + >> > > 2 files changed, 70 insertions(+) >> > > create mode 100644 >> > > recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch >> > > >> > > diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch >> > > b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch >> > > new file mode 100644 >> > > index 00000000..436bba42 >> > > --- /dev/null >> > > +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch >> > > @@ -0,0 +1,69 @@ >> > > +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001 >> > > +From: Sebastian Wolf <[email protected]> >> > > +Date: Wed, 31 May 2023 16:43:54 -0400 >> > > +Subject: [PATCH] check_by_ssh: Prevent users from using several SSH >> > > options >> > > + which run local commands. >> > > + >> > > +CVE: CVE-2023-37154 >> > > +Upstream-Status: Backport >> > > [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6] >> > > + >> > > +Signed-off-by: Changqing Li <[email protected]> >> > > +--- >> > > + configure.ac | 10 ++++++++++ >> > > + plugins/check_by_ssh.c | 12 +++++++++++- >> > > + 2 files changed, 21 insertions(+), 1 deletion(-) >> > > + >> > > +diff --git a/configure.ac b/configure.ac >> > > +index 963514a..236d233 100644 >> > > +--- a/configure.ac >> > > ++++ b/configure.ac >> > > +@@ -418,6 +418,16 @@ then >> > > + [path and arguments for invoking 'who']) >> > > + fi >> > > + >> > > ++AC_ARG_WITH(unrestricted_ssh_options, >> > > ++ [AS_HELP_STRING([--with-unrestricted-ssh-options], >> > > ++ [allow any SSH options to be used with check_by_ssh])], >> > > ++ [], >> > > ++ [unrestricted_ssh_options=no]) >> > > ++ >> > > ++if test "x$with_unrestricted_ssh_options" = xyes ; then >> > > ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use >> > > options that run local commands.]) >> > > ++fi >> > > ++ >> > > + AC_ARG_WITH([ipv6], >> > > + [AS_HELP_STRING([--with-ipv6], [support IPv6 >> > > @<:@default=check@:>@])], >> > > + [], [with_ipv6=check]) >> > > +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c >> > > +index b6f3130..6cc6c7a 100644 >> > > +--- a/plugins/check_by_ssh.c >> > > ++++ b/plugins/check_by_ssh.c >> > > +@@ -27,7 +27,7 @@ >> > > + >> > > *****************************************************************************/ >> > > + >> > > + const char *progname = "check_by_ssh"; >> > > +-const char *copyright = "2000-2014"; >> > > ++const char *copyright = "2000-"; >> > > + const char *email = "[email protected]"; >> > > + >> > > + #include "common.h" >> > > +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv) >> > > + skip_stderr = atoi (optarg); >> > > + break; >> > > + case 'o': >> > > /* Extra options for the ssh command */ >> > > ++ >> > > ++ /* Don't allow the user to run commands local to >> > > the nagios server, unless they decide otherwise at compile time. */ >> > > ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS >> > > ++ if ( strcasestr(optarg, "ProxyCommand") != NULL >> > > ++ || strcasestr(optarg, >> > > "PermitLocalCommand") != NULL >> > > ++ || strcasestr(optarg, "LocalCommand") != >> > > NULL) { >> > > ++ break; >> > > ++ } >> > > ++#endif >> > > ++ >> > > + comm_append("-o"); >> > > + comm_append(optarg); >> > > + break; >> > > +-- >> > > +2.23.0 >> > > + >> > > diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb >> > > b/recipes-extended/nagios/nagios-plugins_2.2.1.bb >> > > index 471d4b42..cd89b329 100644 >> > > --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb >> > > +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb >> > > @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only" >> > > LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" >> > > >> > > SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \ >> > > + file://CVE-2023-37154.patch \ >> > > " >> > > >> > > SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27" >> > > -- >> > > 2.25.1 >> > > >> > >> > > >> > > >> > > >> > >> > >> > >> > > > > > -- > - Thou shalt not follow the NULL pointer, for chaos and madness await thee at > its end > - "Use the force Harry" - Gandalf, Star Trek II >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#9056): https://lists.yoctoproject.org/g/meta-virtualization/message/9056 Mute This Topic: https://lists.yoctoproject.org/mt/109817333/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
