From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: changqing.li@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
Date: Tue, 10 Dec 2024 03:39:54 +0000
Message-ID: <Z1e4CmoAbU4/LkOK@gmail.com>
In-Reply-To: <20241128030717.3733955-1-changqing.li@windriver.com>

merged.

Bruce

In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote:

> From: Changqing Li <changqing.li@windriver.com>
> 
> CVE-2023-37154:
> check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution
> via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has
> been categorized both as fixed in e8810de, and as intended behavior.
> 
> Refer:
> https://nvd.nist.gov/vuln/detail/CVE-2023-37154
> 
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>  .../nagios-plugins/CVE-2023-37154.patch       | 69 +++++++++++++++++++
>  .../nagios/nagios-plugins_2.2.1.bb            |  1 +
>  2 files changed, 70 insertions(+)
>  create mode 100644 recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> 
> diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> new file mode 100644
> index 00000000..436bba42
> --- /dev/null
> +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> @@ -0,0 +1,69 @@
> +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
> +From: Sebastian Wolf <swolf@nagios.com>
> +Date: Wed, 31 May 2023 16:43:54 -0400
> +Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options
> + which run local commands.
> +
> +CVE: CVE-2023-37154
> +Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + configure.ac           | 10 ++++++++++
> + plugins/check_by_ssh.c | 12 +++++++++++-
> + 2 files changed, 21 insertions(+), 1 deletion(-)
> +
> +diff --git a/configure.ac b/configure.ac
> +index 963514a..236d233 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -418,6 +418,16 @@ then
> + 		[path and arguments for invoking 'who'])
> + fi
> + 
> ++AC_ARG_WITH(unrestricted_ssh_options,
> ++	[AS_HELP_STRING([--with-unrestricted-ssh-options],
> ++		[allow any SSH options to be used with check_by_ssh])],
> ++	[],
> ++	[unrestricted_ssh_options=no])
> ++
> ++if test "x$with_unrestricted_ssh_options" = xyes ; then
> ++	AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
> ++fi
> ++
> + AC_ARG_WITH([ipv6],
> + 	[AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
> + 	[], [with_ipv6=check])
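
Review bot: in the `AC_ARG_WITH(unrestricted_ssh_options, ...)` block the default action assigns `unrestricted_ssh_options=no`, but the test that follows reads `$with_unrestricted_ssh_options`, so the default assignment is never consulted. The build still comes out restricted, because an unset `with_unrestricted_ssh_options` fails the `= xyes` comparison, but the default should be written as `with_unrestricted_ssh_options=no` so that the two names agree.
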
> +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
> +index b6f3130..6cc6c7a 100644
> +--- a/plugins/check_by_ssh.c
> ++++ b/plugins/check_by_ssh.c
> +@@ -27,7 +27,7 @@
> + *****************************************************************************/
> + 
> + const char *progname = "check_by_ssh";
> +-const char *copyright = "2000-2014";
> ++const char *copyright = "2000-";
> + const char *email = "devel@nagios-plugins.org";
> + 
> + #include "common.h"
> +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
> + 				skip_stderr = atoi (optarg);
> + 			break;
> + 		case 'o':									/* Extra options for the ssh command */
> ++
> ++			/* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
> ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
> ++			if (   strcasestr(optarg, "ProxyCommand") != NULL
> ++				|| strcasestr(optarg, "PermitLocalCommand") != NULL
> ++				|| strcasestr(optarg, "LocalCommand") != NULL) {
> ++				break;
> ++			}
> ++#endif
> ++
> + 			comm_append("-o");
> + 			comm_append(optarg);
> + 			break;
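
Review bot: the `break` inside the new `#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS` block under `case 'o':` discards the option silently, so a check configured with one of these options carries on without it and the operator gets no indication that it was dropped. Reporting the rejected option and exiting with a usage error would make the refusal visible. Two smaller points on the same condition: the `PermitLocalCommand` test is redundant, since any string containing it also matches `LocalCommand`; and because `strcasestr` searches the whole of `optarg`, an unrelated option whose value merely contains one of these names is dropped as well, so comparing against the option keyword rather than the whole argument would be more precise.
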
> +-- 
> +2.23.0
> +
> diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> index 471d4b42..cd89b329 100644
> --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
>  
>  SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
> +           file://CVE-2023-37154.patch \
>  "
>  
>  SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
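
Review bot: the `SRC_URI` line adds `file://CVE-2023-37154.patch` but the recipe gives no way to select the `--with-unrestricted-ssh-options` switch that the patch introduces in configure.ac, so on this stable branch any existing check that passes `ProxyCommand`, `LocalCommand` or `PermitLocalCommand` through `-o` changes behaviour with no recipe-level opt-out. A PACKAGECONFIG entry mapped to that configure switch, left disabled by default, would keep the restricted default while documenting the escape hatch; the commit message could also mention the behaviour change.
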
> -- 
> 2.25.1
> 



