FS#57120 : [nrpe] [Security] arbitrary command execution (CVE-2014-2913 CVE-2013-1362)

FS#57120 - [nrpe] [Security] arbitrary command execution (CVE-2014-2913 CVE-2013-1362)

Attached to Project: Community Packages
Opened by Christian Rebischke (Shibumi) - Tuesday, 16 January 2018, 18:49 GMT
Last edited by Jonathan Steel (jsteel) - Wednesday, 17 January 2018, 11:59 GMT

Task Type	Bug Report
Category	Packages
Status	Closed
Assigned To	Jonathan Steel (jsteel) Levente Polyak (anthraxx)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Christian Rebischke (Shibumi) (2018-01-16)
Private	No

Details

Summary
=======

The package nrpe is vulnerable to arbitrary command execution via CVE-2014-2913 and CVE-2013-1362 due to the use of `-enable-command-args` in the `./configure` statement in the PKGBUILD. The CVEs haven't been fixed in a satisfying way upstream. Therefore I would propose we disable the feature completely and stop supporting it.

Guidance
========

Please apply the patch for disabling this dangerous feature.

References
==========

https://security.archlinux.org/AVG-587

0001-disabled-dangerous-featu... (0.7 KiB)

This task depends upon

Closed by Jonathan Steel (jsteel)
Wednesday, 17 January 2018, 11:59 GMT
Reason for closing: Implemented
Additional comments about closing: nrpe-3.2.1-3

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#57120 - [nrpe] [Security] arbitrary command execution (CVE-2014-2913 CVE-2013-1362)

Details

Loading...