Bug 1121497 (CVE-2008-7313, CVE-2014-5008, CVE-2014-5009) - CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws
Summary: CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for comman...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-7313, CVE-2014-5008, CVE-2014-5009
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1121499 1121500 1121501 1121502 1121503 1413480 1413481 1413482 1413483
Blocks: 1121504
TreeView+ depends on / blocked
 
Reported: 2014-07-21 06:11 UTC by Murray McAllister
Modified: 2021-02-17 06:21 UTC (History)
34 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.
Clone Of:
Environment:
Last Closed: 2017-01-31 22:35:14 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0211 0 normal SHIPPED_LIVE Important: nagios security update 2017-01-31 10:53:01 UTC
Red Hat Product Errata RHSA-2017:0212 0 normal SHIPPED_LIVE Important: nagios security update 2017-01-31 10:52:41 UTC
Red Hat Product Errata RHSA-2017:0213 0 normal SHIPPED_LIVE Important: nagios security update 2017-01-31 10:52:24 UTC
Red Hat Product Errata RHSA-2017:0214 0 normal SHIPPED_LIVE Important: nagios security update 2017-01-31 10:52:08 UTC

Description Murray McAllister 2014-07-21 06:11:00 UTC
CVE-2008-4796 describes a command execution flaw in the Snoopy library. A similar fix exists for headers:

http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.27

The header fix has been assigned CVE-2008-7313 (as an incomplete fix for CVE-2008-4796).

It was later reported that the CVE-2008-4796 fix was incomplete and command execution was still possible:

http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/

And fixed with the following:

http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.28

This has been assigned CVE-2014-5008 (as an incomplete fix for CVE-2008-4796).

However, the CVE-2014-5008 fix was also incomplete:

https://github.com/cogdog/feed2js/pull/12#issuecomment-48283706

This was fixed with the following:

http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.29

And assigned CVE-2014-5009 (as an incomplete fix for CVE-2014-5008).

References:

http://www.openwall.com/lists/oss-security/2014/07/09/11

Comment 1 Murray McAllister 2014-07-21 06:12:01 UTC
> This was fixed with the following:
> 
> http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.
> php?view=log#rev1.29

and further corrected in the subsequent commits

> 
> And assigned CVE-2014-5009 (as an incomplete fix for CVE-2014-5008).

Comment 2 Murray McAllister 2014-07-21 06:14:34 UTC
Created sahana tracking bugs for this issue:

Affects: fedora-all [bug 1121501]
Affects: epel-5 [bug 1121502]

Comment 3 Murray McAllister 2014-07-21 06:14:40 UTC
Created wordpress-mu tracking bugs for this issue:

Affects: epel-5 [bug 1121503]

Comment 4 Murray McAllister 2014-07-21 06:14:46 UTC
Created nagios tracking bugs for this issue:

Affects: fedora-all [bug 1121499]
Affects: epel-all [bug 1121500]

Comment 5 Garth Mollett 2014-08-04 06:29:46 UTC
Nagios as included in storage and openstack does not appear to expose the vulnerable code.

There is example code in the nagios src package that is vulnerable but it is not included in the built packages.

There is only 2 places that the vulnerable code is reached in nagios:

1. rss-corefeed.php:

18 function do_corefeed_html() {
19 
20         $url="http://www.nagios.org/backend/feeds/corepromo";
21         $rss=fetch_rss($url);


2. rss-newsfeed.php:

16 function do_newsfeed_html() {
17 
18         $url="http://www.nagios.org/backend/feeds/frontpage/";
19         $rss=fetch_rss($url);

Neither of these accept anything but static input.

Comment 7 Summer Long 2017-01-30 23:56:53 UTC
This is now being fixed; reopening.

Comment 9 errata-xmlrpc 2017-01-31 05:53:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:0214 https://rhn.redhat.com/errata/RHSA-2017-0214.html

Comment 10 errata-xmlrpc 2017-01-31 05:54:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2017:0213 https://rhn.redhat.com/errata/RHSA-2017-0213.html

Comment 11 errata-xmlrpc 2017-01-31 05:56:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2017:0212 https://rhn.redhat.com/errata/RHSA-2017-0212.html

Comment 12 errata-xmlrpc 2017-01-31 05:57:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2017:0211 https://rhn.redhat.com/errata/RHSA-2017-0211.html


Note You need to log in before you can comment on or make changes to this bug.