[nrpe] [Security] arbitrary command execution (CVE-2014-2913 CVE-2013-1362)

Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

Tasklist

Attached to Project: Community Packages
Opened by Christian Rebischke (Shibumi) - Tuesday, 16 January 2018, 18:49 GMT
Last edited by Jonathan Steel (jsteel) - Wednesday, 17 January 2018, 11:59 GMT

Task Type	Bug Report
Category	Packages
Status	Closed
Assigned To	Jonathan Steel (jsteel) Levente Polyak (anthraxx)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Christian Rebischke (Shibumi) (2018-01-16)
Private	No

Details

Summary
=======

The package nrpe is vulnerable to arbitrary command execution via CVE-2014-2913 and CVE-2013-1362 due to the use of `-enable-command-args` in the `./configure` statement in the PKGBUILD. The CVEs haven't been fixed in a satisfying way upstream. Therefore I would propose we disable the feature completely and stop supporting it.

Guidance
========

Please apply the patch for disabling this dangerous feature.

References
==========

https://security.archlinux.org/AVG-587

0001-disabled-dangerous-featu... (0.7 KiB)

This task depends upon

Closed by Jonathan Steel (jsteel)
Wednesday, 17 January 2018, 11:59 GMT
Reason for closing: Implemented
Additional comments about closing: nrpe-3.2.1-3

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Community Packages

Details

Loading...