Bug 958002 (CVE-2013-4214)

Summary: CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: avibelli, coneill, gmollett, gmurphy, gsterlin, jbalunas, jkt, jrusnack, jshepherd, kseifried, rrajasek, security-response-team, tjay, tkirby
Keywords: Security
Hardware: All
OS: All
Doc Type: Bug Fix
Clone Of: 957481
: CVE-2013-2029 (view as bug list)
Last Closed: 2014-03-07 02:15:48 UTC
Type: Bug
Bug Depends On: 994762, 994764, 994779, 994780
Bug Blocks: 958515

Description Kurt Seifried 2013-04-30 05:41:43 UTC
+++ This bug was initially created as a clone of Bug #957481 +++

Some potential issues discovered whilst auditing openstack & dependencies for tempfile vulnerabilities.

Warning: nagios-3.4.4-1.el6ost/nagios/html/rss-newsfeed.php

    define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

    Magpie RSS cache dir is set to a fixed location in /tmp. The cached RSS 
    content is then used to build html content that could be served to
    an end user.

Comment 3 Kurt Seifried 2013-04-30 18:35:03 UTC
This has been reported upstream: http://tracker.nagios.org/view.php?id=450

Comment 4 Kurt Seifried 2013-08-08 01:48:17 UTC
Created nagios tracking bugs for this issue:

Affects: fedora-all [bug 994779]
Affects: epel-6 [bug 994780]

Comment 5 Lon Hohberger 2013-10-23 19:59:38 UTC
This is not fixed by nagios 3.5.1.

Comment 6 Lon Hohberger 2013-10-23 21:49:21 UTC
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

Defining MAGPIE_CACHE_ON to 1 is required in order for MAGPIE_CACHE_DIR to be used.

rss_newsfeed.php disables the cache, so this directory is not used without editing the PHP code (note: *not* a configuration file).

As it is unused without editing the rss-newsfeed.php file, I will simply comment the line out *and* replace it with a usage comment.
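
One way to vet a cache directory before pointing `MAGPIE_CACHE_DIR` at it, as an added example (not Nagios or MagpieRSS code): the hypothetical `private_cache_dir()` creates the directory with mode 0700 and refuses a pre-existing path that is a symlink, is owned by another user, or is group/world accessible. It assumes PHP's posix extension; the demo path is constructed.

```php
<?php
// Added example, not Nagios or MagpieRSS code. private_cache_dir() and the
// demo path below are hypothetical; requires the posix extension.

/**
 * Return a cache directory that only the current user can access,
 * or throw if the path cannot be trusted.
 */
function private_cache_dir(string $path): string
{
    // Non-recursive mkdir() fails if anything already exists at $path,
    // so a directory we create here is known to be ours.
    if (@mkdir($path, 0700)) {
        chmod($path, 0700);          // set the exact mode regardless of umask
        return $path;
    }

    // Something is already there: inspect it without following symlinks.
    clearstatcache(true, $path);
    $st = @lstat($path);
    if ($st === false) {
        throw new RuntimeException("cannot create or stat $path");
    }
    if (($st['mode'] & 0170000) !== 0040000) {   // S_IFMT / S_IFDIR
        throw new RuntimeException("$path is not a real directory");
    }
    if ($st['uid'] !== posix_geteuid()) {
        throw new RuntimeException("$path is owned by uid {$st['uid']}");
    }
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException("$path is accessible to group or others");
    }
    return $path;
}

// Constructed demo path. A real deployment would prefer a directory outside
// the shared /tmp that belongs to the web server user.
$dir = private_cache_dir(sys_get_temp_dir() . '/magpie_cache_demo_' . posix_geteuid());
define('MAGPIE_CACHE_DIR', $dir);
echo MAGPIE_CACHE_DIR, PHP_EOL;
```

If another local user has already created the path, the function throws instead of using it, so the cache fails closed rather than serving content from a directory someone else controls.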

Comment 7 Martin Prpič 2013-11-14 17:02:58 UTC
Acknowledgements:

This issue was discovered by Grant Murphy of the Red Hat Product Security Team.

Comment 8 errata-xmlrpc 2013-11-18 19:25:43 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1526 https://rhn.redhat.com/errata/RHSA-2013-1526.html

Comment 9 Fedora Update System 2015-12-05 20:30:26 UTC
nagios-4.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.