Bug 571069 - Buffer overflow exists in check_ntp/check_ntp_peer plugins
Summary: Buffer overflow exists in check_ntp/check_ntp_peer plugins
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios-plugins
Version: el5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
Duplicates: 571372 571870
Depends On:
Reported: 2010-03-06 20:05 UTC by Sean E. Millichamp
Modified: 2010-04-01 21:02 UTC (History)

Fixed In Version: nagios-plugins-1.4.14-1.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-04-01 21:02:54 UTC
Type: ---


Description Sean E. Millichamp 2010-03-06 20:05:34 UTC
Description of problem:

In the version of check_ntp/check_ntp_peer plugins that exist in the current nagios-plugins RPM, nagios-plugins-1.4.13-11.el5, a buffer overflow exists in the check_ntp/check_ntp_peer plugins.

This buffer overflow was reported at http://sourceforge.net/tracker/?func=detail&atid=397597&aid=1999319&group_id=29880 and fixed in November of 2008.  The current version of nagios-plugins, 1.4.14, contains this fix.

Version-Release number of selected component (if applicable):


How reproducible:

Every time

Steps to Reproduce:
1. Run the check against any NTP server: check_ntp_peer -H yourntpserver
Actual results:

# /usr/lib64/nagios/plugins/check_ntp_peer -H localhost
*** buffer overflow detected ***: /usr/lib64/nagios/plugins/check_ntp_peer terminated
======= Backtrace: =========

Expected results:

That it works.

Additional info:

Comment 1 Peter Robinson 2010-03-07 17:31:20 UTC
AFAICT this fix was back ported to the -el5 release as per the changelogs here

* Sun Sep 28 2008 Mike McGrath <mmcgrath> 1.4.13-4
- Upstream released new version #464419 
- Added patch fix for check_linux_raid #253898 
- Upstream releases fix for #451015 
- check_ntp_peers - Upstream released fix for #459309 
- check_ntp - Added Provides Nagios::Plugins for #457404 
- Fixed configure line for #458985 check_procs 

As per this bug report https://bugzilla.redhat.com/show_bug.cgi?id=451015

Comment 2 Peter Robinson 2010-03-08 19:39:18 UTC
*** Bug 571372 has been marked as a duplicate of this bug. ***

Comment 3 Xavier Bachelot 2010-03-08 20:24:47 UTC
First, sorry about the duplicate bug report.

This seems to be fixed in 1.4.13-15.el5 but it was neither released nor built, and anyway the cvs is in an inconsistent state:

[xavierb@bilbon EL-5]$ make srpm
rpmbuild --define "_sourcedir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_specdir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_builddir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_srcrpmdir /home/xavierb/fedora/nagios-plugins/EL-5" --define "_rpmdir /home/xavierb/fedora/nagios-plugins/EL-5" --define "dist .el5" --define "rhel 5" --define "el5 1" --define "_source_filedigest_algorithm 1" --define "_binary_filedigest_algorithm 1" --nodeps -bs nagios-plugins.spec
error: Bad source: /home/xavierb/fedora/nagios-plugins/EL-5/nagios-plugins-1.4.13-ntp.patch: No such file or directory

The patch for this bug is missing from the EL-5 branch.

Comment 4 Peter Robinson 2010-03-09 18:43:59 UTC
*** Bug 571870 has been marked as a duplicate of this bug. ***

Comment 5 Sean E. Millichamp 2010-03-09 19:31:37 UTC

I have to agree with Xavier.  According to the actual nagios-plugin ChangeLogs (not the RPM ones, but from the tarball), this is the entry where the buffer overflow was fixed:

2008-11-19  Thomas Guyot-Sionnest <dermoth.net>

        * NEWS, plugins/check_ntp.c, plugins/check_ntp_peer.c: Fixed buffer
        overflow in check_ntp/check_ntp_peer (#1999319, Ubuntu #291265) git-svn-id:

        https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@2086 f882894a-f735-0410-b71e-b25c42

The most recent ChangeLog entry from the nagios-plugins-1.4.13 SRPM is:

2008-09-25 08:04  tonvoon

        * [r2056] plugins/tests/check_http.t:
          Fix small test failure

Almost two months earlier.  Also, there doesn't seem to be any patch added to the build that addresses anything with the check_ntp_* plugins.

What is the chance that we could either get a rebuild with the relevant check_ntp_* buffer overflow patch applied or (preferred) a rebuild against the 1.4.14 source?
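
The ChangeLog comparison made in Comment 5, written out as a check (an added example, not part of the bug thread and not code from nagios-plugins or the EPEL package). `changelog_verdict` and the two sample files are constructed for illustration; the fix date and tracker id are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example: judge from a tarball's ChangeLog whether an upstream fix can
# be in that source. changelog_verdict and the sample files are constructed;
# the date and tracker id come from the ChangeLog entry quoted in Comment 5.

# Usage: changelog_verdict FILE FIX_DATE TRACKER_ID
# Prints one of: fixed | predates-fix | unlisted
changelog_verdict() {
    file=$1 fix_date=$2 id=$3
    # The fix entry names the tracker id; require a non-digit after it so
    # the id does not match as a prefix of a longer number.
    if grep -Eq "#${id}([^0-9]|\$)" "$file"; then
        echo fixed
        return 0
    fi
    # Entry headers start in column 0 with an ISO date, in both the GNU
    # ("2008-11-19  Name") and svn2cl ("2008-09-25 08:04  user") layouts.
    newest=$(sed -n 's/^\([0-9]\{4\}\)-\([0-9]\{2\}\)-\([0-9]\{2\}\).*/\1\2\3/p' "$file" |
             sort -n | tail -n 1)
    fix_num=$(printf '%s' "$fix_date" | tr -d '-')
    if [ -n "$newest" ] && [ "$newest" -lt "$fix_num" ]; then
        echo predates-fix      # source was cut before the fix existed
    else
        echo unlisted          # source is not older, but has no entry for this id
    fi
}

# Constructed ChangeLog excerpts modelled on the two entries quoted above.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/ChangeLog-1.4.13" <<'EOF'
2008-09-25 08:04  tonvoon

	* [r2056] plugins/tests/check_http.t:
	  Fix small test failure
EOF
cat > "$sample_dir/ChangeLog-1.4.14" <<'EOF'
2008-11-19  Thomas Guyot-Sionnest <dermoth.net>

	* NEWS, plugins/check_ntp.c, plugins/check_ntp_peer.c: Fixed buffer
	overflow in check_ntp/check_ntp_peer (#1999319, Ubuntu #291265)
EOF

for f in "$sample_dir"/ChangeLog-*; do
    printf '%s: %s\n' "${f##*/}" "$(changelog_verdict "$f" 2008-11-19 1999319)"
done
```

A `predates-fix` result only says the tarball itself cannot contain the change; a distribution patch applied on top of it, as discussed in Comments 1 and 3, has to be checked separately in the spec file.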

Comment 6 Peter Robinson 2010-03-09 20:08:10 UTC
> What is the chance that we could either get a rebuild with the relevant
> check_ntp_* buffer overflow patch applied or (preferred) a rebuild against the
> 1.4.14 source?    

Every chance. I've only just taken over co-maintainership of the plugins, so I am basing my information on logs. Looking at the change log here (details quoted above)


and the original mention above here


which from the horrible change log and no reference to source repo logs AFAICT had the fix in September (as mentioned in your post quoting change log Sept 25th); it looked to me like we pulled in the fix 3 days later. I will endeavour to investigate further tomorrow and compare the patch with the one in the aforementioned or cvs.

Comment 7 Peter Lemenkov 2010-03-10 08:31:17 UTC
I'll update nagios-plugins to 1.4.14 very soon.

Comment 8 Fedora Update System 2010-03-10 10:15:09 UTC
nagios-plugins-1.4.14-1.el5 has been submitted as an update for Fedora EPEL 5.

Comment 9 Peter Lemenkov 2010-03-10 10:17:33 UTC
Folks, I just updated nagios-plugins for EL-5 up to ver. 1.4.14 - please test and provide feedback.

Fortunately, the Fedora branches already contain the fix for this particular issue, so I'll update nagios-plugins there a little later (there are FTBFS issues in F-12 and F-13, which should be fixed first).

Comment 10 Fedora Update System 2010-03-12 03:39:31 UTC
nagios-plugins-1.4.14-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update nagios-plugins'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/nagios-plugins-1.4.14-1.el5

Comment 11 Tom McLaughlin 2010-03-13 23:29:56 UTC
Installed the new RPMs and check_ntp_peer is now working fine:

[root@centos-5-amd64 tom]# /usr/lib64/nagios/plugins/check_ntp_peer -H time.straycat.dhs.org
NTP OK: Offset -0.000124 secs|offset=-0.000124s;60.000000;120.000000;

I looked at the changelog for 1.4.14 and I'll just note this line from it:

* Extra-opts (C plugins) does not allow trailing comments anymore (like N::P)

There were a bunch of fixes for --extra-opts in this release.  Among the changes, it looks like C plugins can no longer have trailing comments in .ini files, which matches the behavior of the Perl-based plugins.  I know EPEL's requirements wrt config file changes are stricter than Fedora's so I'm pointing this out.  On the plus side, after an update an affected user will get a notification when their checks fail.

Comment 12 Sean E. Millichamp 2010-03-29 17:51:59 UTC
The new RPMs also fix check_ntp_peer for us and otherwise seem to be working fine.

+1 for promotion from testing to stable (unless there are other pending concerns).

Comment 13 Fedora Update System 2010-04-01 21:02:48 UTC
nagios-plugins-1.4.14-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
