oss-sec mailing list archives
CVE request for check_diskio nagios/icinga plugin
From: Pierre Schweitzer <pierre () reactos org>
Date: Wed, 19 Nov 2014 08:35:44 +0100
Dear all,

The check_diskio plugin for nagios/icinga from Matteo Corti (https://svn.id.ethz.ch/nagios_plugins/check_diskio/) is subject to a /tmp symlink race attack in its latest version (and versions before as well).

This plugin is used to monitor the I/Os on device on Linux systems. To be able to make a diff between two calls, it keeps the latest readings into a fixed pattern file name:
/tmp/check_diskio_status-$user-$device

It does not check for the file being a symlink (à la PEAR) or whatever when opening it.

Could a CVE be assigned to this?

The author has been contacted. I'll make him know the ID.

Cheers,
-- 
Pierre Schweitzer <pierre () reactos org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
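Added example (not part of the original post and not the plugin's own code): one way to open a state file at a predictable name in a shared directory without following a pre-planted symlink, sketched in Python. The function names and the user/device values in the sample file name are assumptions made for the illustration.

```python
import errno
import os
import stat
import tempfile


def open_state_file(path):
    """Open (or create) a state file without following a symlink at `path`."""
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # fails if the last component is a symlink
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "state file is not a regular file", path)
        if st.st_uid != os.geteuid():
            raise OSError(errno.EPERM, "state file owned by another user", path)
        if st.st_nlink != 1:
            raise OSError(errno.EMLINK, "state file has extra hard links", path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "r+")


def save_reading(path, reading):
    """Replace the stored reading with `reading` (a string)."""
    with open_state_file(path) as fh:
        fh.seek(0)
        fh.truncate()
        fh.write(reading)


def demo():
    """Constructed scenario: a symlink already sits at the predictable name."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("important\n")
        # Constructed name following the post's pattern (user=nagios, device=sda).
        state = os.path.join(tmp, "check_diskio_status-nagios-sda")
        os.symlink(victim, state)
        try:
            save_reading(state, "123 456\n")
            refused = False
        except OSError as exc:
            refused = exc.errno in (errno.ELOOP, errno.EMLINK)
        with open(victim) as fh:
            return refused, fh.read()
```

Keeping the state file in a directory writable only by the plugin's user avoids the race altogether; the checks above are for the case where the file has to stay in a shared directory such as /tmp.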
Current thread:
- CVE request for check_diskio nagios/icinga plugin Pierre Schweitzer (Nov 18)
- Re: CVE request for check_diskio nagios/icinga plugin cve-assign (Nov 19)
- Re: CVE request for check_diskio nagios/icinga plugin Pierre Schweitzer (Dec 01)
- Re: CVE request for check_diskio nagios/icinga plugin cve-assign (Nov 19)