nagios-plugins: fix CVE-2023-37154

CVE-2023-37154:
check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution"x$with_unrestricted_ssh_options" = xyes ; then
++	AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
++fi
++
+ AC_ARG_WITH([ipv6],
+ 	[AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default@check>@])],
+ 	[], [with_ipv6=check])
+diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
+index b6f3130..6cc6c7a 100644
+--- a/plugins/check_by_ssh.c
++++ b/plugins/check_by_ssh.c
+@@ -27,7 +27,7 @@
+ *****************************************************************************/
+
+ const char *progname = "check_by_ssh";
+-const char *copyright = "2000-2014";
++const char *copyright = "2000-";
+ const char *email = "devel@nagios-plugins.org";
+
+ #include "common.h"
+@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
+ 				skip_stderr = atoi (optarg);
+ 			break;
+ 		case 'o':									/* Extra options for the ssh command */
++
++			/* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
++			if (   strcasestr(optarg, "ProxyCommand") != NULL
++				|| strcasestr(optarg, "PermitLocalCommand") != NULL
++				|| strcasestr(optarg, "LocalCommand") != NULL) {
++				break;
++			}
++#endif
++
+ 			comm_append("-o");
+ 			comm_append(optarg);
+ 			break;
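Review bot: In the `case 'o'` branch the new guard ends in a bare `break;`, so a blocked `-o` value is silently discarded and ssh still runs, without that option and without any diagnostic for the operator. A restriction meant to stop local command execution should fail closed and make the attempt visible, for example by replacing that `break;` with `usage4 (_("ssh option not permitted in this build"));`, assuming the plugin's usual usage helper is in scope here. The `PermitLocalCommand` test is redundant because the `LocalCommand` substring match already covers it. A substring denylist only covers the keywords it names, so it deserves a comment such as `/* keep in sync with ssh_config(5) keywords that run local programs */`. `process_arguments` begins and ends outside the hunk.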
+--
+2.23.0
+

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Changqing Li 2024-11-28 11:07:17 +08:00 committed by Bruce Ashfield
parent c996df3376
commit 460ea78d7f


@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
file://CVE-2023-37154.patch \
"
SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"