oss-sec mailing list archives

Re: CVE request for check_diskio nagios/icinga plugin


From: Pierre Schweitzer <pierre () reactos org>
Date: Mon, 01 Dec 2014 09:43:41 +0100

Thanks.

The author reported the vulnerability got fixed and a new version,
3.2.7, including the fix has been released.

Cheers,
Pierre

On 11/20/2014 07:58 AM, cve-assign () mitre org wrote:
>> The check_diskio plugin for nagios/icinga from Matteo Corti
>> (https://svn.id.ethz.ch/nagios_plugins/check_diskio/) is subject
>> to a /tmp symlink race attack in its latest version (and versions
>> before as well).
>>
>> This plugin is used to monitor the I/Os on devices on Linux
>> systems. To be able to make a diff between two calls, it keeps
>> the latest readings in a fixed-pattern file name:
>> /tmp/check_diskio_status-$user-$device
>>
>> It does not check for the file being a symlink.
>
> Use CVE-2014-8994.



-- 
Pierre Schweitzer <pierre () reactos org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
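As an added illustration of the mitigation for the state-file problem described in the thread (this is not the plugin's code, which the thread does not show): a state-file writer that opens the fixed-name file with O_NOFOLLOW, verifies what it actually opened, and keeps the file in a private directory rather than shared /tmp. The Python language, the exact file name, the private-directory choice and the reading values are assumptions.

```python
import errno
import os
import stat
import tempfile


def open_state_file(path: str) -> int:
    """Open the reading file, refusing symlinks and files we do not own."""
    try:  # O_NOFOLLOW: a symlink planted at the fixed path fails the open (ELOOP)
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise PermissionError(f"refusing symlink at {path}") from exc
        raise
    st = os.fstat(fd)  # check the object actually opened, not the path name
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError(f"unexpected state file at {path}")
    return fd


def update_reading(path: str, current: int):
    """Store `current`; return the reading saved by the previous call, or None."""
    fd = open_state_file(path)
    try:
        raw = os.read(fd, 64)
        previous = int(raw) if raw.strip() else None
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, str(current).encode())
    finally:
        os.close(fd)
    return previous


def demo() -> dict:
    """Constructed run: a private 0700 temp dir stands in for the state dir."""
    d = tempfile.mkdtemp()
    state = os.path.join(d, "check_diskio_status-nagios-sda")
    first = update_reading(state, 100)   # None: nothing stored yet
    second = update_reading(state, 160)  # 100: the caller diffs 160 - 100
    # A symlink pre-planted at the fixed name (constructed) must be refused.
    other = os.path.join(d, "unrelated_file")
    open(other, "w").close()
    link = os.path.join(d, "check_diskio_status-nagios-sdb")
    os.symlink(other, link)
    try:
        update_reading(link, 1)
        refused = False
    except PermissionError:
        refused = True
    return {"first": first, "second": second, "refused": refused}
```

Using a per-user directory created with mode 0700 (as mkdtemp does here) removes the shared-/tmp contention entirely; O_NOFOLLOW plus the fstat check is the defence in depth if the file must stay in a shared location.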