Bug 571069

Summary: Buffer overflow exists in check_ntp/check_ntp_peer plugins
Product: [Fedora] Fedora EPEL
Reporter: Sean E. Millichamp <sean>
Component: nagios-plugins
Assignee: Peter Lemenkov <lemenkov>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: el5
CC: lemenkov, pbrobinson, redhat, tmclaugh, xavier
Hardware: All
OS: Linux
Fixed In Version: nagios-plugins-1.4.14-1.el5
Doc Type: Bug Fix
Last Closed: 2010-04-01 21:02:54 UTC

Description Sean E. Millichamp 2010-03-06 20:05:34 UTC
Description of problem:

In the version of check_ntp/check_ntp_peer plugins that exist in the current nagios-plugins RPM, nagios-plugins-1.4.13-11.el5, a buffer overflow exists in the check_ntp/check_ntp_peer plugins.

This buffer overflow was reported at http://sourceforge.net/tracker/?func=detail&atid=397597&aid=1999319&group_id=29880 and fixed in November of 2008.  The current version of nagios-plugins, 1.4.14, contains this fix.

Version-Release number of selected component (if applicable):

nagios-plugins-1.4.13-11.el5

How reproducible:

Every time

Steps to Reproduce:
1. Run the check against any NTP server: check_ntp_peer -H yourntpserver
  
Actual results:

# /usr/lib64/nagios/plugins/check_ntp_peer -H localhost
*** buffer overflow detected ***: /usr/lib64/nagios/plugins/check_ntp_peer terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x34ffee77af]
/lib64/libc.so.6(__read_chk+0x28)[0x34ffee7c78]
/usr/lib64/nagios/plugins/check_ntp_peer[0x40247f]
/usr/lib64/nagios/plugins/check_ntp_peer[0x402e2e]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x34ffe1d994]
/usr/lib64/nagios/plugins/check_ntp_peer[0x4015b9]
Aborted

Expected results:

That it works.

Additional info:
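
Added example, not part of the original report and not the plugin's code: the backtrace above ends in __read_chk calling __chk_fail, which is glibc's fortified read() refusing a length larger than the destination object. The sketch below reproduces that comparison; struct reply, read_checked, READ_INTO and demo_read are hypothetical names, and the 64-byte buffer size is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed fixed-size reply buffer (64 bytes); not the plugin's structure. */
struct reply {
    unsigned char header[8];
    unsigned char data[56];
};

/*
 * The test __read_chk applies: the requested length is compared with the
 * size of the destination object before any byte is written. glibc calls
 * __chk_fail() and aborts; this sketch returns -1 so callers can test it.
 */
static ssize_t read_checked(int fd, void *buf, size_t nbytes, size_t objsize)
{
    if (nbytes > objsize)
        return -1;
    return read(fd, buf, nbytes);
}

/* Pass the object's real size alongside the caller-computed length. */
#define READ_INTO(fd, obj, n) read_checked((fd), &(obj), (n), sizeof(obj))

/* Queue `avail` bytes on a pipe, then ask for `want` bytes into a reply. */
ssize_t demo_read(size_t want, size_t avail)
{
    unsigned char src[256];
    struct reply r;
    int p[2];
    ssize_t got;

    if (avail > sizeof src || pipe(p) != 0)
        return -2;
    memset(src, 'A', sizeof src);
    got = (write(p[1], src, avail) == (ssize_t)avail) ? 0 : -2;
    close(p[1]);
    if (got == 0)
        got = READ_INTO(p[0], r, want);
    close(p[0]);
    return got;
}

int main(void)
{
    printf("64 requested: %zd\n", demo_read(64, 80));
    printf("68 requested: %zd\n", demo_read(68, 80));
    return 0;
}
```

A length computed from a field of the message itself, rather than from sizeof, is the kind of request this check catches: four bytes past the object is enough to trigger it.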

Comment 1 Peter Robinson 2010-03-07 17:31:20 UTC
AFAICT this fix was back ported to the -el5 release as per the changelogs here

* Sun Sep 28 2008 Mike McGrath <mmcgrath> 1.4.13-4
- Upstream released new version #464419 
- Added patch fix for check_linux_raid #253898 
- Upstream releases fix for #451015 
- check_ntp_peers - Upstream released fix for #459309 
- check_ntp - Added Provides Nagios::Plugins for #457404 
- Fixed configure line for #458985 check_procs 

As per this bug report https://bugzilla.redhat.com/show_bug.cgi?id=451015

Comment 2 Peter Robinson 2010-03-08 19:39:18 UTC
*** Bug 571372 has been marked as a duplicate of this bug. ***

Comment 3 Xavier Bachelot 2010-03-08 20:24:47 UTC
First, sorry about the duplicate bug report.

This seems to be fixed in 1.4.13-15.el5 but it was neither released nor built, and anyway the cvs is in an inconsistent state:

[xavierb@bilbon EL-5]$ make srpm
rpmbuild --define "_sourcedir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_specdir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_builddir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_srcrpmdir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_rpmdir /home/xavierb/fedora/nagios-plugins/EL-5" --define "dist .el5" --define "rhel 5" --define "el5 1" --define "_source_filedigest_algorithm 1" --define "_binary_filedigest_algorithm 1" --nodeps -bs nagios-plugins.spec
error: Bad source: /home/xavierb/fedora/nagios-plugins/EL-5/nagios-plugins-1.4.13-ntp.patch: No such file or directory

The patch for this bug is missing from the EL-5 branch.

Comment 4 Peter Robinson 2010-03-09 18:43:59 UTC
*** Bug 571870 has been marked as a duplicate of this bug. ***

Comment 5 Sean E. Millichamp 2010-03-09 19:31:37 UTC
Peter,

I have to agree with Xavier.  According to the actual nagios-plugin ChangeLogs (not the RPM ones, but from the tarball), this is the entry where the buffer overflow was fixed:

2008-11-19  Thomas Guyot-Sionnest <dermoth.net>

        * NEWS, plugins/check_ntp.c, plugins/check_ntp_peer.c: Fixed buffer
        overflow in check_ntp/check_ntp_peer (#1999319, Ubuntu #291265) git-svn-id:

        https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@2086 f882894a-f735-0410-b71e-b25c423dba1c

The most recent ChangeLog from the nagios-plugins-1.4.13 SRPM is:

2008-09-25 08:04  tonvoon

        * [r2056] plugins/tests/check_http.t:
          Fix small test failure

Almost two months earlier.  Also, there doesn't seem to be any patch added to the build that addresses anything with the check_ntp_* plugins.

What is the chance that we could either get a rebuild with the relevant check_ntp_* buffer overflow patch applied or (preferred) a rebuild against the 1.4.14 source?

Comment 6 Peter Robinson 2010-03-09 20:08:10 UTC
> What is the chance that we could either get a rebuild with the relevant
> check_ntp_* buffer overflow patch applied or (preferred) a rebuild against the
> 1.4.14 source?    

Every chance. I've only just taken over co-maintainership of the plugins so am basing my information from logs. Looking at the change log here (details quoted above)

http://koji.fedoraproject.org/koji/buildinfo?buildID=109396

and the original mention above here

http://sourceforge.net/tracker/?func=detail&atid=397597&aid=1999319&group_id=29880

which from the horrible change log and no reference to source repo logs I AFAICT had the fix in September (as mentioned in your post quoting change log Sept 25th) it looked to me like we pulled in the fix 3 days later. I will endeavour to investigate further tomorrow and compare the patch with the one in the above aforementioned or cvs.

Comment 7 Peter Lemenkov 2010-03-10 08:31:17 UTC
I'll update nagios-plugins to 1.4.14 very soon.

Comment 8 Fedora Update System 2010-03-10 10:15:09 UTC
nagios-plugins-1.4.14-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/nagios-plugins-1.4.14-1.el5

Comment 9 Peter Lemenkov 2010-03-10 10:17:33 UTC
Folks, I just updated nagios-plugins for EL-5 up to ver. 1.4.14 - please test and provide feedback.

Fortunately, Fedora branches already contain the fix for this particular issue, so I'll update nagios-plugins here a little later (there are FTBFS issues in F-12 and F-13, which should be fixed first).

Comment 10 Fedora Update System 2010-03-12 03:39:31 UTC
nagios-plugins-1.4.14-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update nagios-plugins'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/nagios-plugins-1.4.14-1.el5

Comment 11 Tom McLaughlin 2010-03-13 23:29:56 UTC
Installed the new RPMs and check_ntp_peer is now working fine:

[root@centos-5-amd64 tom]# /usr/lib64/nagios/plugins/check_ntp_peer -H time.straycat.dhs.org
NTP OK: Offset -0.000124 secs|offset=-0.000124s;60.000000;120.000000;


I looked at the changelog for 1.4.14 and I'll just note this line from it:

* Extra-opts (C plugins) does not allow trailing comments anymore (like N::P)

There were a bunch of fixes for --extra-opts in this release.  Among the changes is it looks like C plugins can no longer have trailing comments in .ini files which matches the behavior of the perl based plugins.  I know EPEL's requirements wrt config file changes is stricter than Fedora's so I'm pointing this out.  On the plus side, after an update an affected user will get a notification when their checks fail.

Comment 12 Sean E. Millichamp 2010-03-29 17:51:59 UTC
The new RPMs also fix check_ntp_peer for us and otherwise seem to be working fine.

+1 for promotion from testing to stable (unless there are other pending concerns).

Comment 13 Fedora Update System 2010-04-01 21:02:48 UTC
nagios-plugins-1.4.14-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.