+++ This bug was initially created as a clone of Bug #957481 +++

Some potential issues discovered whilst auditing openstack & dependencies for tempfile vulnerabilities.

Warning: nagios-3.4.4-1.el6ost/nagios/html/rss-newsfeed.php

    define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

Magpie RSS cache dir is set to a fixed location in /tmp. The cached RSS content is then used to build html content that could be served to an end user.
This has been reported upstream: http://tracker.nagios.org/view.php?id=450
Created nagios tracking bugs for this issue:

Affects: fedora-all [bug 994779]
Affects: epel-6 [bug 994780]
This is not fixed by nagios 3.5.1.
    define('MAGPIE_DIR', './includes/rss/');
    define('MAGPIE_CACHE_ON', 0);
    define('MAGPIE_CACHE_AGE', 0);
    define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');

Defining MAGPIE_CACHE_ON to 1 is required in order for MAGPIE_CACHE_DIR to be used. rss_newsfeed.php disables the cache, so this directory is not used without editing the PHP code (note: *not* a configuration file).

As it is unused without editing the rss-newsfeed.php file, I will simply comment the line out *and* replace it with a usage comment.
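An added example, not part of the bug report or the Nagios code: a small Python audit that finds define() constants pointing into shared temp directories and reports whether the path is actually live, using the MAGPIE_CACHE_ON gate described in the comment above. The function names, the GATES table and the two modified samples are constructed for illustration; an undefined gate is treated as enabled, which is a conservative assumption.

```python
import re

# Matches define('NAME', 'string') or define('NAME', 123).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(\d+))\s*\)""")
SHARED_TMP = ("/tmp/", "/var/tmp/")
# Path constant -> constant that must be truthy before the path is used
# (pairing taken from the bug discussion; the table itself is hypothetical).
GATES = {"MAGPIE_CACHE_DIR": "MAGPIE_CACHE_ON"}


def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments (naive, no string tracking)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", php)


def audit(php):
    """Return (constant, path, active) for each define that points into shared tmp."""
    defines = {}
    for name, text, number in DEFINE_RE.findall(strip_comments(php)):
        defines[name] = int(number) if number else text
    findings = []
    for name, value in defines.items():
        if isinstance(value, str) and value.startswith(SHARED_TMP):
            gate = GATES.get(name)
            # No gate known, or gate never defined: assume the path is in use.
            active = True if gate is None else bool(defines.get(gate, 1))
            findings.append((name, value, active))
    return findings


# The four defines quoted in the bug.
AS_SHIPPED = """\
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');
"""
# Constructed: a local edit that turns the cache on.
CACHE_ENABLED = AS_SHIPPED.replace("'MAGPIE_CACHE_ON', 0", "'MAGPIE_CACHE_ON', 1")
# Constructed: the fix described in the comment, with the line commented out.
PATCHED = AS_SHIPPED.replace("define('MAGPIE_CACHE_DIR'", "// define('MAGPIE_CACHE_DIR'")

if __name__ == "__main__":
    for label, src in (("shipped", AS_SHIPPED), ("enabled", CACHE_ENABLED), ("patched", PATCHED)):
        print(label, audit(src))
```
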
Acknowledgements: This issue was discovered by Grant Murphy of the Red Hat Product Security Team.
This issue has been addressed in the following products:

OpenStack 3 for RHEL 6

Via RHSA-2013:1526 https://rhn.redhat.com/errata/RHSA-2013-1526.html
nagios-4.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.