Re: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154

Tue, 10 Dec 2024 07:25:34 -0800 

On Tue, Dec 10, 2024 at 9:20 AM Martin Jansa <[email protected]> wrote:

> Looks like most of that .patch file ended in the commit message, but
> the patch looks ok to me, so not sure what happened.
>

My scripts/utilities that save patches to mbox just can't deal with that
message.

I tried a new save. Same result. Hopefully this is a one-off formatting
issue, or
I'm going to need to modify my scripts.

I manually saved the patch, and it looks ok now. So the branch should now
build again.

Bruce


> On Tue, Dec 10, 2024 at 3:01 PM Bruce Ashfield <[email protected]>
> wrote:
> >
> > odd. I don't even have any refuse sitting around in my merge directory.
> >
> > I'll revert and re-apply.
> >
> > Bruce
> >
> > On Tue, Dec 10, 2024 at 3:21 AM Martin Jansa <[email protected]>
> wrote:
> >>
> >> Something went wrong when applying this in kirkstone and
> >> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch doesn't
> >> exist.
> >>
> >> On Tue, Dec 10, 2024 at 4:39 AM Bruce Ashfield via
> >> lists.yoctoproject.org
> >> <[email protected]> wrote:
> >> >
> >> > merged.
> >> >
> >> > Bruce
> >> >
> >> > In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins:
> fix CVE-2023-37154
> >> > on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote:
> >> >
> >> > > From: Changqing Li <[email protected]>
> >> > >
> >> > > CVE-2023-37154:
> >> > > check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary
> command execution
> >> > > via ProxyCommand, LocalCommand, and PermitLocalCommand with
> \${IFS}. This has
> >> > > been categorized both as fixed in e8810de, and as intended behavior.
> >> > >
> >> > > Refer:
> >> > > https://nvd.nist.gov/vuln/detail/CVE-2023-37154
> >> > >
> >> > > Signed-off-by: Changqing Li <[email protected]>
> >> > > ---
> >> > >  .../nagios-plugins/CVE-2023-37154.patch       | 69
> +++++++++++++++++++
> >> > >  .../nagios/nagios-plugins_2.2.1.bb            |  1 +
> >> > >  2 files changed, 70 insertions(+)
> >> > >  create mode 100644
> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> >> > >
> >> > > diff --git
> a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> >> > > new file mode 100644
> >> > > index 00000000..436bba42
> >> > > --- /dev/null
> >> > > +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> >> > > @@ -0,0 +1,69 @@
> >> > > +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00
> 2001
> >> > > +From: Sebastian Wolf <[email protected]>
> >> > > +Date: Wed, 31 May 2023 16:43:54 -0400
> >> > > +Subject: [PATCH] check_by_ssh: Prevent users from using several
> SSH options
> >> > > + which run local commands.
> >> > > +
> >> > > +CVE: CVE-2023-37154
> >> > > +Upstream-Status: Backport [
> https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6
> ]
> >> > > +
> >> > > +Signed-off-by: Changqing Li <[email protected]>
> >> > > +---
> >> > > + configure.ac           | 10 ++++++++++
> >> > > + plugins/check_by_ssh.c | 12 +++++++++++-
> >> > > + 2 files changed, 21 insertions(+), 1 deletion(-)
> >> > > +
> >> > > +diff --git a/configure.ac b/configure.ac
> >> > > +index 963514a..236d233 100644
> >> > > +--- a/configure.ac
> >> > > ++++ b/configure.ac
> >> > > +@@ -418,6 +418,16 @@ then
> >> > > +             [path and arguments for invoking 'who'])
> >> > > + fi
> >> > > +
> >> > > ++AC_ARG_WITH(unrestricted_ssh_options,
> >> > > ++    [AS_HELP_STRING([--with-unrestricted-ssh-options],
> >> > > ++            [allow any SSH options to be used with
> check_by_ssh])],
> >> > > ++    [],
> >> > > ++    [unrestricted_ssh_options=no])
> >> > > ++
> >> > > ++if test "x$with_unrestricted_ssh_options" = xyes ; then
> >> > > ++    AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use
> options that run local commands.])
> >> > > ++fi
> >> > > ++
> >> > > + AC_ARG_WITH([ipv6],
> >> > > +     [AS_HELP_STRING([--with-ipv6], [support IPv6
> @<:@default=check@:>@])],
> >> > > +     [], [with_ipv6=check])
> >> > > +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
> >> > > +index b6f3130..6cc6c7a 100644
> >> > > +--- a/plugins/check_by_ssh.c
> >> > > ++++ b/plugins/check_by_ssh.c
> >> > > +@@ -27,7 +27,7 @@
> >> > > +
> *****************************************************************************/
> >> > > +
> >> > > + const char *progname = "check_by_ssh";
> >> > > +-const char *copyright = "2000-2014";
> >> > > ++const char *copyright = "2000-";
> >> > > + const char *email = "[email protected]";
> >> > > +
> >> > > + #include "common.h"
> >> > > +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
> >> > > +                             skip_stderr = atoi (optarg);
> >> > > +                     break;
> >> > > +             case 'o':
>                            /* Extra options for the ssh command */
> >> > > ++
> >> > > ++                    /* Don't allow the user to run commands local
> to the nagios server, unless they decide otherwise at compile time. */
> >> > > ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
> >> > > ++                    if (   strcasestr(optarg, "ProxyCommand") !=
> NULL
> >> > > ++                            || strcasestr(optarg,
> "PermitLocalCommand") != NULL
> >> > > ++                            || strcasestr(optarg, "LocalCommand")
> != NULL) {
> >> > > ++                            break;
> >> > > ++                    }
> >> > > ++#endif
> >> > > ++
> >> > > +                     comm_append("-o");
> >> > > +                     comm_append(optarg);
> >> > > +                     break;
> >> > > +--
> >> > > +2.23.0
> >> > > +
> >> > > diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> >> > > index 471d4b42..cd89b329 100644
> >> > > --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> >> > > +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> >> > > @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
> >> > >  LIC_FILES_CHKSUM =
> "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> >> > >
> >> > >  SRC_URI = "
> https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
> >> > > +           file://CVE-2023-37154.patch \
> >> > >  "
> >> > >
> >> > >  SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
> >> > > --
> >> > > 2.25.1
> >> > >
> >> >
> >> > >
> >> > >
> >> > >
> >> >
> >> >
> >> > 
> >> >
> >
> >
> >
> > --
> > - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> > - "Use the force Harry" - Gandalf, Star Trek II
> >
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#9057): 
https://lists.yoctoproject.org/g/meta-virtualization/message/9057
Mute This Topic: https://lists.yoctoproject.org/mt/109817333/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to