Bug 958002 (CVE-2013-4214)

Summary: CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: avibelli, coneill, gmollett, gmurphy, gsterlin, jbalunas, jkt, jrusnack, jshepherd, kseifried, rrajasek, security-response-team, tjay, tkirby
Keywords: Security
Hardware: All
OS: All
Whiteboard: impact=moderate,public=20130807,reported=20130428,source=redhat,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,cwe=CWE-377,fedora-all/nagios=affected,epel-6/nagios=affected,openstack-3/nagios=affected,openstack-4/nagios=affected,rhmap-4/nagios=notaffected
Doc Type: Bug Fix
Clone Of: 957481
: CVE-2013-2029
Last Closed: 2014-03-06 21:15:48 EST
Type: Bug
Bug Depends On: 994762, 994764, 994779, 994780
Bug Blocks: 958515

Description Kurt Seifried 2013-04-30 01:41:43 EDT
+++ This bug was initially created as a clone of Bug #957481 +++

Some potential issues discovered whilst auditing openstack & dependencies for tempfile vulnerabilities.

Warning: nagios-3.4.4-1.el6ost/nagios/html/rss-newsfeed.php

    define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

    Magpie RSS cache dir is set to a fixed location in /tmp. The cached RSS 
    content is then used to build html content that could be served to
    an end user.
Comment 3 Kurt Seifried 2013-04-30 14:35:03 EDT
This has been reported upstream: http://tracker.nagios.org/view.php?id=450
Comment 4 Kurt Seifried 2013-08-07 21:48:17 EDT
Created nagios tracking bugs for this issue:

Affects: fedora-all [bug 994779]
Affects: epel-6 [bug 994780]
Comment 5 Lon Hohberger 2013-10-23 15:59:38 EDT
This is not fixed by nagios 3.5.1.
Comment 6 Lon Hohberger 2013-10-23 17:49:21 EDT
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

Defining MAGPIE_CACHE_ON to 1 is required in order for MAGPIE_CACHE_DIR to be used.

rss-newsfeed.php disables the cache, so this directory is not used without editing the PHP code (note: *not* a configuration file).

As it is unused without editing the rss-newsfeed.php file, I will simply comment the line out *and* replace it with a usage comment.
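
An added example, not part of the original comment or of the Nagios/Magpie code: one way to enable the Magpie cache without a fixed path under /tmp, by creating and verifying a private directory before defining MAGPIE_CACHE_DIR. The helper private_cache_dir(), the base path /var/cache/nagios and the cache age of 3600 are assumptions for illustration; the posix extension is assumed to be loaded.

```php
<?php
// Added example; private_cache_dir() and the base path are hypothetical.

function private_cache_dir(string $base): ?string
{
    // Refuse a world-writable parent such as /tmp: any local user could
    // pre-create or replace the cache directory there.
    $parent = @stat($base);
    if ($parent === false || ($parent['mode'] & 0002) !== 0) {
        return null;
    }

    $dir = rtrim($base, '/') . '/magpie_cache';
    // 0700 keeps other local users out; the umask can only remove bits.
    if (!@mkdir($dir, 0700) && !is_dir($dir)) {
        return null;
    }
    clearstatcache(true, $dir);

    // lstat() does not follow symlinks, so a planted link is not mistaken
    // for a real directory.
    $st = @lstat($dir);
    if ($st === false || ($st['mode'] & 0170000) !== 0040000) {
        return null;
    }
    // Require our own uid as owner and no group/other write bits.
    if (!function_exists('posix_geteuid')
        || $st['uid'] !== posix_geteuid()
        || ($st['mode'] & 0022) !== 0) {
        return null;
    }
    return $dir;
}

$cacheDir = private_cache_dir('/var/cache/nagios'); // hypothetical base path

define('MAGPIE_DIR', './includes/rss/');
// Caching is switched on only when a verified private directory exists.
define('MAGPIE_CACHE_ON', $cacheDir !== null ? 1 : 0);
define('MAGPIE_CACHE_AGE', $cacheDir !== null ? 3600 : 0); // constructed value
if ($cacheDir !== null) {
    define('MAGPIE_CACHE_DIR', $cacheDir);
}
```

With '/tmp' as the base, private_cache_dir() returns null and the cache stays disabled, which matches the shipped behaviour described in the comment above.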
Comment 7 Martin Prpič 2013-11-14 12:02:58 EST
Acknowledgements:

This issue was discovered by Grant Murphy of the Red Hat Product Security Team.
Comment 8 errata-xmlrpc 2013-11-18 14:25:43 EST
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1526 https://rhn.redhat.com/errata/RHSA-2013-1526.html
Comment 9 Fedora Update System 2015-12-05 15:30:26 EST
nagios-4.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.