oss-sec mailing list archives

CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

From: Eduardo Tongson <propolice () gmail com>
Date: Fri, 18 Apr 2014 10:14:16 +0800

Details: http://seclists.org/fulldisclosure/2014/Apr/240
This is similar to CVE-2013-1362

Is there a CVE already assigned for this issue?

Fix:

--- nrpe/src/nrpe.c
+++ nrpe/src/nrpe.c
@@ -42,7 +42,7 @@ int use_ssl=FALSE;

 #define DEFAULT_COMMAND_TIMEOUT    60            /* default timeout
for execution of plugins */
 #define MAXFD                   64
-#define NASTY_METACHARS         "|`&><'\"\\[]{};"
+#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"

 char    *command_name=NULL;
 char    *macro_argv[MAX_COMMAND_ARGUMENTS];

Current thread:

CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution Eduardo Tongson (Apr 17)
- Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution gremlin (Apr 17)
  - Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution John Haxby (Apr 18)
    - Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution Reed Loden (Apr 18)
- Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution cve-assign (Apr 21)
  - Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution Eduardo Tongson (Apr 22)
- Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution Martin Carpenter (Apr 21)