From a055d7dcafc58855081a5eac9a46b93b9b51012b Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Tue, 10 Dec 2024 15:07:13 +0000 Subject: [PATCH] CVE-2023-37154: check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has been categorized both as fixed in e8810de, and as intended behavior. Refer: https://nvd.nist.gov/vuln/detail/CVE-2023-37154 Signed-off-by: Changqing Li Signed-off-by: Bruce Ashfield --- .../nagios-plugins/CVE-2023-37154.patch | 69 +++++++++++++++++++ .../nagios/nagios-plugins_2.2.1.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch new file mode 100644 index 00000000..436bba42 --- /dev/null +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch @@ -0,0 +1,69 @@ +From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001 +From: Sebastian Wolf +Date: Wed, 31 May 2023 16:43:54 -0400 +Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options + which run local commands. + +CVE: CVE-2023-37154 +Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6] + +Signed-off-by: Changqing Li +--- + configure.ac | 10 ++++++++++ + plugins/check_by_ssh.c | 12 +++++++++++- + 2 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 963514a..236d233 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -418,6 +418,16 @@ then + [path and arguments for invoking 'who']) + fi + ++AC_ARG_WITH(unrestricted_ssh_options, ++ [AS_HELP_STRING([--with-unrestricted-ssh-options], ++ [allow any SSH options to be used with check_by_ssh])], ++ [], ++ [unrestricted_ssh_options=no]) ++ ++if test "x$with_unrestricted_ssh_options" = xyes ; then ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.]) ++fi ++ + AC_ARG_WITH([ipv6], + [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])], + [], [with_ipv6=check]) +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c +index b6f3130..6cc6c7a 100644 +--- a/plugins/check_by_ssh.c ++++ b/plugins/check_by_ssh.c +@@ -27,7 +27,7 @@ + *****************************************************************************/ + + const char *progname = "check_by_ssh"; +-const char *copyright = "2000-2014"; ++const char *copyright = "2000-"; + const char *email = "devel@nagios-plugins.org"; + + #include "common.h" +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv) + skip_stderr = atoi (optarg); + break; + case 'o': /* Extra options for the ssh command */ ++ ++ /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */ ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS ++ if ( strcasestr(optarg, "ProxyCommand") != NULL ++ || strcasestr(optarg, "PermitLocalCommand") != NULL ++ || strcasestr(optarg, "LocalCommand") != NULL) { ++ break; ++ } ++#endif ++ + comm_append("-o"); + comm_append(optarg); + break; +-- +2.23.0 + diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb index 471d4b42..cd89b329 100644 --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb @@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \ + file://CVE-2023-37154.patch \ " SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"