Re: CVE Request (nagios)

[Eygene Ryabinkin <rea-sec () codelabs ru>]

Jan, good day.

Mon, Dec 08, 2008 at 01:21:45PM +0100, Jan Lieskovsky wrote:
>   diffing your version (3.0.5p1) and the latest upstream one (3.0.6)
> returns the following (this commit was posted on 2008-11-30):
>
> diff
> -r /tmp/3.0.5p1/nagios-3.0.5p1/base/commands.c /tmp/nagios_latest/nagios-3.0.6/base/commands.c
[...]
> 2893a2896,2908
> >       /* SECURITY PATCH - disable these for the time being */
> >       switch(cmd){
> >       case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
> >       case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
> >       case CMD_CHANGE_HOST_EVENT_HANDLER:
> >       case CMD_CHANGE_SVC_EVENT_HANDLER:
> >       case CMD_CHANGE_HOST_CHECK_COMMAND:
> >       case CMD_CHANGE_SVC_CHECK_COMMAND:
> >               return ERROR;
> >               }
>
> And other vulnerability reports:
> http://www.nagios.org/news/#88
> http://secunia.com/Advisories/32909/
>
> Andreas, could you please confirm/disprove this patch was part of recent
> CVE-2008-{5027, 5028}? 
>
> Seems it wasn't, but can be wrong.

Hmm, this seems to be unrelated to CVE-2008-5027, but it may be the
upstream fix for CSRF: judging by the contents of
  http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764
the original patch from Tim Starling should introduce at least 'csrf' word
into cgi/cmd.c.  And I am failing to find one in the latest version,
  http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/cmd.c?revision=1.47&view=markup

So either it was fixed in the completely different way or it is the
quick fix to prevent CSRFs for the eventhandler mangling commands.  It
is a bit strange that it was done after 3.0.5 (CSRF was documented in
3.0.5 release notes), but...  By the way, entry for CVE-2008-5028 speaks
about 3.0.5 as about the vulnerable to the CSRF and it is inconsistent
with the release notes at
  http://www.nagios.org/development/history/nagios-3x.php.

Clarifications are desperately needed ;))
-- 
Eygene