* [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
@ 2024-11-28 3:07 changqing.li
2024-12-10 3:39 ` [meta-virtualization] " Bruce Ashfield
0 siblings, 1 reply; 6+ messages in thread
From: changqing.li @ 2024-11-28 3:07 UTC (permalink / raw)
To: meta-virtualization
From: Changqing Li <changqing.li@windriver.com>
CVE-2023-37154:
check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution
via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has
been categorized both as fixed in e8810de, and as intended behavior.
Refer:
https://nvd.nist.gov/vuln/detail/CVE-2023-37154
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../nagios-plugins/CVE-2023-37154.patch | 69 +++++++++++++++++++
.../nagios/nagios-plugins_2.2.1.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
new file mode 100644
index 00000000..436bba42
--- /dev/null
+++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
@@ -0,0 +1,69 @@
+From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
+From: Sebastian Wolf <swolf@nagios.com>
+Date: Wed, 31 May 2023 16:43:54 -0400
+Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options
+ which run local commands.
+
+CVE: CVE-2023-37154
+Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac | 10 ++++++++++
+ plugins/check_by_ssh.c | 12 +++++++++++-
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 963514a..236d233 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -418,6 +418,16 @@ then
+ [path and arguments for invoking 'who'])
+ fi
+
++AC_ARG_WITH(unrestricted_ssh_options,
++ [AS_HELP_STRING([--with-unrestricted-ssh-options],
++ [allow any SSH options to be used with check_by_ssh])],
++ [],
++ [unrestricted_ssh_options=no])
++
++if test "x$with_unrestricted_ssh_options" = xyes ; then
++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
++fi
++
+ AC_ARG_WITH([ipv6],
+ [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
+ [], [with_ipv6=check])
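Review bot: The default branch of the new AC_ARG_WITH sets `unrestricted_ssh_options=no`, but the test that follows reads `$with_unrestricted_ssh_options`, so the default never reaches the variable that is checked. The outcome is still right because an unset value does not equal `xyes`, but the names should match: use `[with_unrestricted_ssh_options=no]` as the default. Quoting the first argument, as the `AC_ARG_WITH([ipv6]` call in the context lines does, would also keep the file consistent.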
+diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
+index b6f3130..6cc6c7a 100644
+--- a/plugins/check_by_ssh.c
++++ b/plugins/check_by_ssh.c
+@@ -27,7 +27,7 @@
+ *****************************************************************************/
+
+ const char *progname = "check_by_ssh";
+-const char *copyright = "2000-2014";
++const char *copyright = "2000-";
+ const char *email = "devel@nagios-plugins.org";
+
+ #include "common.h"
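Review bot: The copyright string becomes "2000-" with no end year, and nothing in the visible lines appends one, so on the 2.2.1 sources this may print an open-ended range. The change is unrelated to the `-o` filtering; consider dropping this hunk from the backport and noting that in the patch header, or confirm that 2.2.1 fills in the year elsewhere.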
+@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
+ skip_stderr = atoi (optarg);
+ break;
+ case 'o': /* Extra options for the ssh command */
++
++ /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
++ if ( strcasestr(optarg, "ProxyCommand") != NULL
++ || strcasestr(optarg, "PermitLocalCommand") != NULL
++ || strcasestr(optarg, "LocalCommand") != NULL) {
++ break;
++ }
++#endif
++
+ comm_append("-o");
+ comm_append(optarg);
+ break;
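Review bot: In `case 'o'` a blocked option is discarded with a bare `break`, so check_by_ssh carries on and runs ssh without it, and the operator gets no hint that part of the command line was ignored; printing a message and exiting with a usage error would make the rejection visible. The match is also a substring test over the whole argument, so it fires on option values as well as keywords (a file path containing "LocalCommand", for instance), and the `PermitLocalCommand` test is redundant because the `LocalCommand` test already matches it. Comparing only the keyword before `=` or whitespace against a list would be tighter. `strcasestr` is a non-standard extension, so check that the 2.2.1 `common.h` makes its prototype visible.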
+--
+2.23.0
+
diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
index 471d4b42..cd89b329 100644
--- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
+++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
@@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
+ file://CVE-2023-37154.patch \
"
SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
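Review bot: The recipe being patched is nagios-plugins_2.2.1.bb, while the commit message quotes the CVE text for 2.4.5 and the Upstream-Status tag says Backport; the message should state that 2.2.1 is affected and whether the upstream commit applied as-is or was adapted. The new `--with-unrestricted-ssh-options` switch is left at its default here, which keeps the restriction on; a short comment or a PACKAGECONFIG entry in the recipe would make that choice explicit.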
--
2.25.1
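The `-o` check from the check_by_ssh.c hunk above, set beside a keyword allowlist, as an added example that is not part of the patch or of nagios-plugins: it shows that the substring test also drops harmless options whose value merely contains a blocked name. The function names, the allowlist contents and the sample arguments are assumptions constructed for illustration; `ci_contains` is a portable stand-in for `strcasestr`.

```c
/* Added example, not nagios-plugins code. All names, the allowlist and the
 * sample arguments are assumptions constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring test; portable stand-in for strcasestr(). */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return n == 0;
}

/* Case-insensitive string equality; portable stand-in for strcasecmp(). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Same condition as the patch: reject if a blocked name occurs anywhere. */
static int denied_by_substring(const char *arg)
{
    return ci_contains(arg, "ProxyCommand")
        || ci_contains(arg, "PermitLocalCommand")
        || ci_contains(arg, "LocalCommand");
}

/* Copy the keyword of an ssh -o argument ("Key=value" or "Key value"). */
static int option_keyword(const char *arg, char *key, size_t keylen)
{
    size_t n = 0;
    while (isspace((unsigned char)*arg))
        arg++;
    while (arg[n] != '\0' && arg[n] != '=' && !isspace((unsigned char)arg[n]))
        n++;
    if (n == 0 || n >= keylen)
        return -1;              /* empty or oversized keyword: fail closed */
    memcpy(key, arg, n);
    key[n] = '\0';
    return 0;
}

/* Hypothetical site policy: only these keywords may be passed through. */
static const char *const allowed_keywords[] = {
    "BatchMode", "ConnectTimeout", "StrictHostKeyChecking", "UserKnownHostsFile",
};

/* Allow the argument only if its keyword is on the list. */
static int allowed_by_keyword(const char *arg)
{
    char key[64];
    size_t i;
    if (option_keyword(arg, key, sizeof key) != 0)
        return 0;
    for (i = 0; i < sizeof allowed_keywords / sizeof allowed_keywords[0]; i++)
        if (ci_equal(key, allowed_keywords[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample -o arguments. */
    static const char *const samples[] = {
        "ConnectTimeout=10",
        "proxycommand none",
        "PermitLocalCommand=no",
        "UserKnownHostsFile=/var/lib/nagios/LocalCommand_hosts",
        "  StrictHostKeyChecking yes",
    };
    size_t i;
    printf("%-56s %-10s %s\n", "-o argument", "substring", "allowlist");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-56s %-10s %s\n", samples[i],
               denied_by_substring(samples[i]) ? "dropped" : "passed",
               allowed_by_keyword(samples[i]) ? "passed" : "rejected");
    return 0;
}
```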
* Re: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
2024-11-28 3:07 [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154 changqing.li
@ 2024-12-10 3:39 ` Bruce Ashfield
2024-12-10 8:21 ` Martin Jansa
0 siblings, 1 reply; 6+ messages in thread
From: Bruce Ashfield @ 2024-12-10 3:39 UTC (permalink / raw)
To: changqing.li; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> CVE-2023-37154:
> check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution
> via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has
> been categorized both as fixed in e8810de, and as intended behavior.
>
> Refer:
> https://nvd.nist.gov/vuln/detail/CVE-2023-37154
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
> .../nagios-plugins/CVE-2023-37154.patch | 69 +++++++++++++++++++
> .../nagios/nagios-plugins_2.2.1.bb | 1 +
> 2 files changed, 70 insertions(+)
> create mode 100644 recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
>
> diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> new file mode 100644
> index 00000000..436bba42
> --- /dev/null
> +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> @@ -0,0 +1,69 @@
> +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
> +From: Sebastian Wolf <swolf@nagios.com>
> +Date: Wed, 31 May 2023 16:43:54 -0400
> +Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options
> + which run local commands.
> +
> +CVE: CVE-2023-37154
> +Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + configure.ac | 10 ++++++++++
> + plugins/check_by_ssh.c | 12 +++++++++++-
> + 2 files changed, 21 insertions(+), 1 deletion(-)
> +
> +diff --git a/configure.ac b/configure.ac
> +index 963514a..236d233 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -418,6 +418,16 @@ then
> + [path and arguments for invoking 'who'])
> + fi
> +
> ++AC_ARG_WITH(unrestricted_ssh_options,
> ++ [AS_HELP_STRING([--with-unrestricted-ssh-options],
> ++ [allow any SSH options to be used with check_by_ssh])],
> ++ [],
> ++ [unrestricted_ssh_options=no])
> ++
> ++if test "x$with_unrestricted_ssh_options" = xyes ; then
> ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
> ++fi
> ++
> + AC_ARG_WITH([ipv6],
> + [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
> + [], [with_ipv6=check])
> +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
> +index b6f3130..6cc6c7a 100644
> +--- a/plugins/check_by_ssh.c
> ++++ b/plugins/check_by_ssh.c
> +@@ -27,7 +27,7 @@
> + *****************************************************************************/
> +
> + const char *progname = "check_by_ssh";
> +-const char *copyright = "2000-2014";
> ++const char *copyright = "2000-";
> + const char *email = "devel@nagios-plugins.org";
> +
> + #include "common.h"
> +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
> + skip_stderr = atoi (optarg);
> + break;
> + case 'o': /* Extra options for the ssh command */
> ++
> ++ /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
> ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
> ++ if ( strcasestr(optarg, "ProxyCommand") != NULL
> ++ || strcasestr(optarg, "PermitLocalCommand") != NULL
> ++ || strcasestr(optarg, "LocalCommand") != NULL) {
> ++ break;
> ++ }
> ++#endif
> ++
> + comm_append("-o");
> + comm_append(optarg);
> + break;
> +--
> +2.23.0
> +
> diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> index 471d4b42..cd89b329 100644
> --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
> LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
>
> SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
> + file://CVE-2023-37154.patch \
> "
>
> SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9015): https://lists.yoctoproject.org/g/meta-virtualization/message/9015
> Mute This Topic: https://lists.yoctoproject.org/mt/109817333/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
* Re: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
2024-12-10 3:39 ` [meta-virtualization] " Bruce Ashfield
@ 2024-12-10 8:21 ` Martin Jansa
2024-12-10 14:01 ` Bruce Ashfield
0 siblings, 1 reply; 6+ messages in thread
From: Martin Jansa @ 2024-12-10 8:21 UTC (permalink / raw)
To: bruce.ashfield; +Cc: changqing.li, meta-virtualization
Something went wrong when applying this in kirkstone and
recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch doesn't
exist.
On Tue, Dec 10, 2024 at 4:39 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
>
> merged.
>
> Bruce
>
> In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
> on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote:
>
> > From: Changqing Li <changqing.li@windriver.com>
> >
> > CVE-2023-37154:
> > check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution
> > via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has
> > been categorized both as fixed in e8810de, and as intended behavior.
> >
> > Refer:
> > https://nvd.nist.gov/vuln/detail/CVE-2023-37154
> >
> > Signed-off-by: Changqing Li <changqing.li@windriver.com>
> > ---
> > .../nagios-plugins/CVE-2023-37154.patch | 69 +++++++++++++++++++
> > .../nagios/nagios-plugins_2.2.1.bb | 1 +
> > 2 files changed, 70 insertions(+)
> > create mode 100644 recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> >
> > diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> > new file mode 100644
> > index 00000000..436bba42
> > --- /dev/null
> > +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> > @@ -0,0 +1,69 @@
> > +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
> > +From: Sebastian Wolf <swolf@nagios.com>
> > +Date: Wed, 31 May 2023 16:43:54 -0400
> > +Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options
> > + which run local commands.
> > +
> > +CVE: CVE-2023-37154
> > +Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6]
> > +
> > +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> > +---
> > + configure.ac | 10 ++++++++++
> > + plugins/check_by_ssh.c | 12 +++++++++++-
> > + 2 files changed, 21 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/configure.ac b/configure.ac
> > +index 963514a..236d233 100644
> > +--- a/configure.ac
> > ++++ b/configure.ac
> > +@@ -418,6 +418,16 @@ then
> > + [path and arguments for invoking 'who'])
> > + fi
> > +
> > ++AC_ARG_WITH(unrestricted_ssh_options,
> > ++ [AS_HELP_STRING([--with-unrestricted-ssh-options],
> > ++ [allow any SSH options to be used with check_by_ssh])],
> > ++ [],
> > ++ [unrestricted_ssh_options=no])
> > ++
> > ++if test "x$with_unrestricted_ssh_options" = xyes ; then
> > ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
> > ++fi
> > ++
> > + AC_ARG_WITH([ipv6],
> > + [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
> > + [], [with_ipv6=check])
> > +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
> > +index b6f3130..6cc6c7a 100644
> > +--- a/plugins/check_by_ssh.c
> > ++++ b/plugins/check_by_ssh.c
> > +@@ -27,7 +27,7 @@
> > + *****************************************************************************/
> > +
> > + const char *progname = "check_by_ssh";
> > +-const char *copyright = "2000-2014";
> > ++const char *copyright = "2000-";
> > + const char *email = "devel@nagios-plugins.org";
> > +
> > + #include "common.h"
> > +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
> > + skip_stderr = atoi (optarg);
> > + break;
> > + case 'o': /* Extra options for the ssh command */
> > ++
> > ++ /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
> > ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
> > ++ if ( strcasestr(optarg, "ProxyCommand") != NULL
> > ++ || strcasestr(optarg, "PermitLocalCommand") != NULL
> > ++ || strcasestr(optarg, "LocalCommand") != NULL) {
> > ++ break;
> > ++ }
> > ++#endif
> > ++
> > + comm_append("-o");
> > + comm_append(optarg);
> > + break;
> > +--
> > +2.23.0
> > +
> > diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> > index 471d4b42..cd89b329 100644
> > --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> > +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> > @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
> > LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> >
> > SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
> > + file://CVE-2023-37154.patch \
> > "
> >
> > SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
> > --
> > 2.25.1
> >
>
> >
> >
> >
>
>
>
* Re: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
2024-12-10 8:21 ` Martin Jansa
@ 2024-12-10 14:01 ` Bruce Ashfield
2024-12-10 14:19 ` Martin Jansa
0 siblings, 1 reply; 6+ messages in thread
From: Bruce Ashfield @ 2024-12-10 14:01 UTC (permalink / raw)
To: Martin Jansa; +Cc: changqing.li, meta-virtualization
odd. I don't even have any refuse sitting around in my merge directory.
I'll revert and re-apply.
Bruce
On Tue, Dec 10, 2024 at 3:21 AM Martin Jansa <martin.jansa@gmail.com> wrote:
> Something went wrong when applying this in kirkstone and
> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch doesn't
> exist.
>
> On Tue, Dec 10, 2024 at 4:39 AM Bruce Ashfield via
> lists.yoctoproject.org
> <bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
> >
> > merged.
> >
> > Bruce
> >
> > In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix
> CVE-2023-37154
> > on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote:
> >
> > > From: Changqing Li <changqing.li@windriver.com>
> > >
> > > CVE-2023-37154:
> > > check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command
> execution
> > > via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}.
> This has
> > > been categorized both as fixed in e8810de, and as intended behavior.
> > >
> > > Refer:
> > > https://nvd.nist.gov/vuln/detail/CVE-2023-37154
> > >
> > > Signed-off-by: Changqing Li <changqing.li@windriver.com>
> > > ---
> > > .../nagios-plugins/CVE-2023-37154.patch | 69 +++++++++++++++++++
> > > .../nagios/nagios-plugins_2.2.1.bb | 1 +
> > > 2 files changed, 70 insertions(+)
> > > create mode 100644
> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> > >
> > > diff --git
> a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> > > new file mode 100644
> > > index 00000000..436bba42
> > > --- /dev/null
> > > +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> > > @@ -0,0 +1,69 @@
> > > +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
> > > +From: Sebastian Wolf <swolf@nagios.com>
> > > +Date: Wed, 31 May 2023 16:43:54 -0400
> > > +Subject: [PATCH] check_by_ssh: Prevent users from using several SSH
> options
> > > + which run local commands.
> > > +
> > > +CVE: CVE-2023-37154
> > > +Upstream-Status: Backport [
> https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6
> ]
> > > +
> > > +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> > > +---
> > > + configure.ac | 10 ++++++++++
> > > + plugins/check_by_ssh.c | 12 +++++++++++-
> > > + 2 files changed, 21 insertions(+), 1 deletion(-)
> > > +
> > > +diff --git a/configure.ac b/configure.ac
> > > +index 963514a..236d233 100644
> > > +--- a/configure.ac
> > > ++++ b/configure.ac
> > > +@@ -418,6 +418,16 @@ then
> > > + [path and arguments for invoking 'who'])
> > > + fi
> > > +
> > > ++AC_ARG_WITH(unrestricted_ssh_options,
> > > ++ [AS_HELP_STRING([--with-unrestricted-ssh-options],
> > > ++ [allow any SSH options to be used with check_by_ssh])],
> > > ++ [],
> > > ++ [unrestricted_ssh_options=no])
> > > ++
> > > ++if test "x$with_unrestricted_ssh_options" = xyes ; then
> > > ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use
> options that run local commands.])
> > > ++fi
> > > ++
> > > + AC_ARG_WITH([ipv6],
> > > + [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@
> :>@])],
> > > + [], [with_ipv6=check])
> > > +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
> > > +index b6f3130..6cc6c7a 100644
> > > +--- a/plugins/check_by_ssh.c
> > > ++++ b/plugins/check_by_ssh.c
> > > +@@ -27,7 +27,7 @@
> > > +
> *****************************************************************************/
> > > +
> > > + const char *progname = "check_by_ssh";
> > > +-const char *copyright = "2000-2014";
> > > ++const char *copyright = "2000-";
> > > + const char *email = "devel@nagios-plugins.org";
> > > +
> > > + #include "common.h"
> > > +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
> > > + skip_stderr = atoi (optarg);
> > > + break;
> > > + case 'o':
> /* Extra options for the ssh command */
> > > ++
> > > ++ /* Don't allow the user to run commands local to
> the nagios server, unless they decide otherwise at compile time. */
> > > ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
> > > ++ if ( strcasestr(optarg, "ProxyCommand") != NULL
> > > ++ || strcasestr(optarg,
> "PermitLocalCommand") != NULL
> > > ++ || strcasestr(optarg, "LocalCommand") !=
> NULL) {
> > > ++ break;
> > > ++ }
> > > ++#endif
> > > ++
> > > + comm_append("-o");
> > > + comm_append(optarg);
> > > + break;
> > > +--
> > > +2.23.0
> > > +
> > > diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> > > index 471d4b42..cd89b329 100644
> > > --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> > > +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> > > @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
> > > LIC_FILES_CHKSUM =
> "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> > >
> > > SRC_URI = "
> https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
> > > + file://CVE-2023-37154.patch \
> > > "
> > >
> > > SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
> > > --
> > > 2.25.1
> > >
> >
> > >
> > >
> > >
> >
> >
> >
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II
* Re: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
2024-12-10 14:01 ` Bruce Ashfield
@ 2024-12-10 14:19 ` Martin Jansa
2024-12-10 15:08 ` Bruce Ashfield
0 siblings, 1 reply; 6+ messages in thread
From: Martin Jansa @ 2024-12-10 14:19 UTC (permalink / raw)
To: Bruce Ashfield; +Cc: changqing.li, meta-virtualization
Looks like most of that .patch file ended in the commit message, but
the patch looks ok to me, so not sure what happened.
On Tue, Dec 10, 2024 at 3:01 PM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
>
> odd. I don't even have any refuse sitting around in my merge directory.
>
> I'll revert and re-apply.
>
> Bruce
>
> On Tue, Dec 10, 2024 at 3:21 AM Martin Jansa <martin.jansa@gmail.com> wrote:
>>
>> Something went wrong when applying this in kirkstone and
>> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch doesn't
>> exist.
>>
>> On Tue, Dec 10, 2024 at 4:39 AM Bruce Ashfield via
>> lists.yoctoproject.org
>> <bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
>> >
>> > merged.
>> >
>> > Bruce
>> >
>> > In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
>> > on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote:
>> >
>> > > From: Changqing Li <changqing.li@windriver.com>
>> > >
>> > > CVE-2023-37154:
>> > > check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution
>> > > via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has
>> > > been categorized both as fixed in e8810de, and as intended behavior.
>> > >
>> > > Refer:
>> > > https://nvd.nist.gov/vuln/detail/CVE-2023-37154
>> > >
>> > > Signed-off-by: Changqing Li <changqing.li@windriver.com>
>> > > ---
>> > > .../nagios-plugins/CVE-2023-37154.patch | 69 +++++++++++++++++++
>> > > .../nagios/nagios-plugins_2.2.1.bb | 1 +
>> > > 2 files changed, 70 insertions(+)
>> > > create mode 100644 recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
>> > >
>> > > diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
>> > > new file mode 100644
>> > > index 00000000..436bba42
>> > > --- /dev/null
>> > > +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
>> > > @@ -0,0 +1,69 @@
>> > > +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
>> > > +From: Sebastian Wolf <swolf@nagios.com>
>> > > +Date: Wed, 31 May 2023 16:43:54 -0400
>> > > +Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options
>> > > + which run local commands.
>> > > +
>> > > +CVE: CVE-2023-37154
>> > > +Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6]
>> > > +
>> > > +Signed-off-by: Changqing Li <changqing.li@windriver.com>
>> > > +---
>> > > + configure.ac | 10 ++++++++++
>> > > + plugins/check_by_ssh.c | 12 +++++++++++-
>> > > + 2 files changed, 21 insertions(+), 1 deletion(-)
>> > > +
>> > > +diff --git a/configure.ac b/configure.ac
>> > > +index 963514a..236d233 100644
>> > > +--- a/configure.ac
>> > > ++++ b/configure.ac
>> > > +@@ -418,6 +418,16 @@ then
>> > > + [path and arguments for invoking 'who'])
>> > > + fi
>> > > +
>> > > ++AC_ARG_WITH(unrestricted_ssh_options,
>> > > ++ [AS_HELP_STRING([--with-unrestricted-ssh-options],
>> > > ++ [allow any SSH options to be used with check_by_ssh])],
>> > > ++ [],
>> > > ++ [unrestricted_ssh_options=no])
>> > > ++
>> > > ++if test "x$with_unrestricted_ssh_options" = xyes ; then
>> > > ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
>> > > ++fi
>> > > ++
>> > > + AC_ARG_WITH([ipv6],
>> > > + [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
>> > > + [], [with_ipv6=check])
>> > > +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
>> > > +index b6f3130..6cc6c7a 100644
>> > > +--- a/plugins/check_by_ssh.c
>> > > ++++ b/plugins/check_by_ssh.c
>> > > +@@ -27,7 +27,7 @@
>> > > + *****************************************************************************/
>> > > +
>> > > + const char *progname = "check_by_ssh";
>> > > +-const char *copyright = "2000-2014";
>> > > ++const char *copyright = "2000-";
>> > > + const char *email = "devel@nagios-plugins.org";
>> > > +
>> > > + #include "common.h"
>> > > +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
>> > > + skip_stderr = atoi (optarg);
>> > > + break;
>> > > + case 'o': /* Extra options for the ssh command */
>> > > ++
>> > > ++ /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
>> > > ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
>> > > ++ if ( strcasestr(optarg, "ProxyCommand") != NULL
>> > > ++ || strcasestr(optarg, "PermitLocalCommand") != NULL
>> > > ++ || strcasestr(optarg, "LocalCommand") != NULL) {
>> > > ++ break;
>> > > ++ }
>> > > ++#endif
>> > > ++
>> > > + comm_append("-o");
>> > > + comm_append(optarg);
>> > > + break;
>> > > +--
>> > > +2.23.0
>> > > +
>> > > diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
>> > > index 471d4b42..cd89b329 100644
>> > > --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
>> > > +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
>> > > @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
>> > > LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
>> > >
>> > > SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
>> > > + file://CVE-2023-37154.patch \
>> > > "
>> > >
>> > > SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
>> > > --
>> > > 2.25.1
>> > >
>> >
>> > >
>> > >
>> > >
>> >
>> >
>> >
>
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>
* Re: [meta-virtualization] [kirkstone][PATCH] nagios-plugins: fix CVE-2023-37154
2024-12-10 14:19 ` Martin Jansa
@ 2024-12-10 15:08 ` Bruce Ashfield
0 siblings, 0 replies; 6+ messages in thread
From: Bruce Ashfield @ 2024-12-10 15:08 UTC (permalink / raw)
To: Martin Jansa; +Cc: changqing.li, meta-virtualization
On Tue, Dec 10, 2024 at 9:20 AM Martin Jansa <martin.jansa@gmail.com> wrote:
> Looks like most of that .patch file ended in the commit message, but
> the patch looks ok to me, so not sure what happened.
>
My scripts/utilities that save patches to mbox just can't deal with that message.
I tried a new save. Same result. Hopefully this is a one-off formatting issue, or I'm going to need to modify my scripts.
I manually saved the patch, and it looks ok now. So the branch should now build again.
Bruce
> On Tue, Dec 10, 2024 at 3:01 PM Bruce Ashfield <bruce.ashfield@gmail.com>
> wrote:
> >
> > odd. I don't even have any refuse sitting around in my merge directory.
> >
> > I'll revert and re-apply.
> >
> > Bruce
> >
> > On Tue, Dec 10, 2024 at 3:21 AM Martin Jansa <martin.jansa@gmail.com>
> wrote:
> >>
> >> Something went wrong when applying this in kirkstone and
> >> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch doesn't
> >> exist.
> >>
> >> On Tue, Dec 10, 2024 at 4:39 AM Bruce Ashfield via
> >> lists.yoctoproject.org
> >> <bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
> >> >
> >> > merged.
> >> >
> >> > Bruce
> >> >
> >> > In message: [meta-virtualization] [kirkstone][PATCH] nagios-plugins:
> fix CVE-2023-37154
> >> > on 28/11/2024 Changqing Li via lists.yoctoproject.org wrote:
> >> >
> >> > > From: Changqing Li <changqing.li@windriver.com>
> >> > >
> >> > > CVE-2023-37154:
> >> > > check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary
> command execution
> >> > > via ProxyCommand, LocalCommand, and PermitLocalCommand with
> \${IFS}. This has
> >> > > been categorized both as fixed in e8810de, and as intended behavior.
> >> > >
> >> > > Refer:
> >> > > https://nvd.nist.gov/vuln/detail/CVE-2023-37154
> >> > >
> >> > > Signed-off-by: Changqing Li <changqing.li@windriver.com>
> >> > > ---
> >> > > .../nagios-plugins/CVE-2023-37154.patch | 69
> +++++++++++++++++++
> >> > > .../nagios/nagios-plugins_2.2.1.bb | 1 +
> >> > > 2 files changed, 70 insertions(+)
> >> > > create mode 100644
> recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> >> > >
> >> > > diff --git
> a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> >> > > new file mode 100644
> >> > > index 00000000..436bba42
> >> > > --- /dev/null
> >> > > +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
> >> > > @@ -0,0 +1,69 @@
> >> > > +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00
> 2001
> >> > > +From: Sebastian Wolf <swolf@nagios.com>
> >> > > +Date: Wed, 31 May 2023 16:43:54 -0400
> >> > > +Subject: [PATCH] check_by_ssh: Prevent users from using several
> SSH options
> >> > > + which run local commands.
> >> > > +
> >> > > +CVE: CVE-2023-37154
> >> > > +Upstream-Status: Backport [
> https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6
> ]
> >> > > +
> >> > > +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> >> > > +---
> >> > > + configure.ac | 10 ++++++++++
> >> > > + plugins/check_by_ssh.c | 12 +++++++++++-
> >> > > + 2 files changed, 21 insertions(+), 1 deletion(-)
> >> > > +
> >> > > +diff --git a/configure.ac b/configure.ac
> >> > > +index 963514a..236d233 100644
> >> > > +--- a/configure.ac
> >> > > ++++ b/configure.ac
> >> > > +@@ -418,6 +418,16 @@ then
> >> > > + [path and arguments for invoking 'who'])
> >> > > + fi
> >> > > +
> >> > > ++AC_ARG_WITH(unrestricted_ssh_options,
> >> > > ++ [AS_HELP_STRING([--with-unrestricted-ssh-options],
> >> > > ++ [allow any SSH options to be used with
> check_by_ssh])],
> >> > > ++ [],
> >> > > ++ [unrestricted_ssh_options=no])
> >> > > ++
> >> > > ++if test "x$with_unrestricted_ssh_options" = xyes ; then
> >> > > ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use
> options that run local commands.])
> >> > > ++fi
> >> > > ++
> >> > > + AC_ARG_WITH([ipv6],
> >> > > + [AS_HELP_STRING([--with-ipv6], [support IPv6
> @<:@default=check@:>@])],
> >> > > + [], [with_ipv6=check])
> >> > > +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
> >> > > +index b6f3130..6cc6c7a 100644
> >> > > +--- a/plugins/check_by_ssh.c
> >> > > ++++ b/plugins/check_by_ssh.c
> >> > > +@@ -27,7 +27,7 @@
> >> > > +
> *****************************************************************************/
> >> > > +
> >> > > + const char *progname = "check_by_ssh";
> >> > > +-const char *copyright = "2000-2014";
> >> > > ++const char *copyright = "2000-";
> >> > > + const char *email = "devel@nagios-plugins.org";
> >> > > +
> >> > > + #include "common.h"
> >> > > +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
> >> > > + skip_stderr = atoi (optarg);
> >> > > + break;
> >> > > + case 'o':
> /* Extra options for the ssh command */
> >> > > ++
> >> > > ++ /* Don't allow the user to run commands local
> to the nagios server, unless they decide otherwise at compile time. */
> >> > > ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
> >> > > ++ if ( strcasestr(optarg, "ProxyCommand") !=
> NULL
> >> > > ++ || strcasestr(optarg,
> "PermitLocalCommand") != NULL
> >> > > ++ || strcasestr(optarg, "LocalCommand")
> != NULL) {
> >> > > ++ break;
> >> > > ++ }
> >> > > ++#endif
> >> > > ++
> >> > > + comm_append("-o");
> >> > > + comm_append(optarg);
> >> > > + break;
> >> > > +--
> >> > > +2.23.0
> >> > > +
> >> > > diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> >> > > index 471d4b42..cd89b329 100644
> >> > > --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> >> > > +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
> >> > > @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
> >> > > LIC_FILES_CHKSUM =
> "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> >> > >
> >> > > SRC_URI = "
> https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
> >> > > + file://CVE-2023-37154.patch \
> >> > > "
> >> > >
> >> > > SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"
> >> > > --
> >> > > 2.25.1
> >> > >
> >> >
> >> > >
> >> > >
> >> > >
> >> >
> >> >
> >> >
> >
> >
> >
> > --
> > - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> > - "Use the force Harry" - Gandalf, Star Trek II
> >
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II