oss-sec mailing list archives
Re: CVE request for check_diskio nagios/icinga plugin
From: Pierre Schweitzer <pierre () reactos org>
Date: Mon, 01 Dec 2014 09:43:41 +0100

Thanks.

The author reported the vulnerability got fixed and a new version, 3.2.7, including the fix has been released.

Cheers,
Pierre

On 11/20/2014 07:58 AM, cve-assign () mitre org wrote:
> The check_diskio plugin for nagios/icinga from Matteo Corti (https://svn.id.ethz.ch/nagios_plugins/check_diskio/) is subject to a /tmp symlink race attack in its latest version (and versions before as well).
>
> This plugin is used to monitor the I/Os on device on Linux systems. To be able to make a diff between two calls, it keeps the latest readings into a fixed pattern file name: /tmp/check_diskio_status-$user-$device
>
> It does not check for the file being a symlink
>
> Use CVE-2014-8994.

-- 
Pierre Schweitzer <pierre () reactos org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
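
The state-file pattern described in the quoted report, as an added example that is not part of the original messages, not the plugin's code and not the fix shipped in 3.2.7: an unchecked write to the predictable path beside a write and read that do not follow a planted symlink. All function names are hypothetical; only the `check_diskio_status-$user-$device` naming comes from the thread.

```python
import os
import stat
import tempfile


def state_path(directory, user, device):
    # Fixed naming pattern quoted in the advisory.
    return os.path.join(directory, f"check_diskio_status-{user}-{device}")


def write_state_unsafe(path, data):
    # "Before": open() follows a symlink planted at the predictable path,
    # so the data lands in whatever file the link points to.
    with open(path, "w") as fh:
        fh.write(data)


def write_state_safely(path, data):
    # mkstemp() uses O_EXCL, mode 0600 and an unpredictable name.
    fd, tmp = tempfile.mkstemp(prefix=".diskio-", dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
        # rename() swaps the directory entry; a symlink at `path` is
        # replaced, never followed. In a sticky directory this raises if
        # another user owns the entry, which fails closed.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def read_state_safely(path):
    # O_NOFOLLOW rejects a symlink in the last path component;
    # O_NONBLOCK avoids hanging on a planted FIFO.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None  # missing, symlink or unreadable: treat as no history
    # Check the opened descriptor, not the path, to avoid a second race.
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        os.close(fd)
        return None
    with os.fdopen(fd) as fh:
        return fh.read()
```

Keeping the state file in a directory that only the monitoring user can write to removes the shared-directory race entirely; the checks above are for cases where the file has to stay in a world-writable location.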