Package: xymon-client
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: zech...@vrvis.at, Debian Security Team <t...@security.debian.org>
The default for logfetch's options (found in /etc/xymon/xymonclient.cfg) is:
LOGFETCHOPTS=""
which enables it to execute arbitrary code [1]. This can and should be
prevented by default by using
LOGFETCHOPTS="--noexec"
instead.
Best regards
Christoph Zechner
patch:
--- xymonclient.cfg.DISt
+++ xymonclient.cfg.PATCHED
@@ -18,7 +18,7 @@
include /var/run/xymon/xymonclient-include.cfg
# Options to logfetch, the xymon binary which examines log files for
recent changes.
-LOGFETCHOPTS=""
+LOGFETCHOPTS="--noexec"
# Local Mode (Only) Options
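Review bot: the comment directly above the changed line still explains only what logfetch is, not why the default now carries --noexec, so the next admin editing the file has no hint that removing the flag re-enables command execution; suggest extending the comment, e.g. `# --noexec keeps logfetch from executing commands named in its configuration (see logfetch(1))`. Since /etc/xymon/xymonclient.cfg is a conffile, also note in the changelog that the new default only reaches existing installations where dpkg applies the conffile update; hosts with a locally modified file keep LOGFETCHOPTS="" until the admin accepts the change.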
[1] https://manpages.debian.org/bullseye/xymon-client/logfetch.1.en.html
-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=locale: Cannot
set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages xymon-client depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.77
ii init-system-helpers 1.60
ii libc6 2.31-13+deb11u2
ii libssl1.1 1.1.1k-1+deb11u1
ii lsb-base 11.1.0
ii net-tools 1.60+git20181103.0eebece-1
ii procps 2:3.3.17-5
xymon-client recommends no packages.
Versions of packages xymon-client suggests:
pn xymon-plugins | hobbit-plugins <none>
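An added audit helper, not part of the bug report or of the xymon package: it reads a xymonclient.cfg-style file, takes the effective (last, uncommented) LOGFETCHOPTS assignment, and reports whether --noexec is among the options. The sample files it writes are constructed to mirror the default and patched values from the report plus a later-override case.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a xymonclient.cfg-style file
# and tell whether logfetch is started with --noexec.
# Exit status of check_logfetchopts:
#   0 = --noexec present in the effective LOGFETCHOPTS value
#   1 = LOGFETCHOPTS missing, or set without --noexec

check_logfetchopts() {
    cfg="$1"
    # The last uncommented assignment wins, as it does when the shell sources
    # the file. Strip the "LOGFETCHOPTS=" prefix and one pair of surrounding quotes.
    val=$(grep -E '^[[:space:]]*LOGFETCHOPTS=' "$cfg" | tail -n 1 \
          | sed -e 's/^[^=]*=//' -e "s/^['\"]//" -e "s/['\"]\$//")
    case " $val " in
        *" --noexec "*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample files: the shipped default, the patched default, and a
# file where a later assignment silently drops --noexec again.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'include /var/run/xymon/xymonclient-include.cfg' \
        '# Options to logfetch' 'LOGFETCHOPTS=""' > "$dir/default.cfg"
    printf '%s\n' 'include /var/run/xymon/xymonclient-include.cfg' \
        '# Options to logfetch' 'LOGFETCHOPTS="--noexec"' > "$dir/patched.cfg"
    printf '%s\n' 'LOGFETCHOPTS="--noexec"' '# LOGFETCHOPTS=""' \
        'LOGFETCHOPTS="--debug"' > "$dir/overridden.cfg"
    echo "$dir"
}

audit() {
    if check_logfetchopts "$1"; then
        echo "OK   $1: logfetch runs with --noexec"
    else
        echo "WARN $1: LOGFETCHOPTS lacks --noexec (logfetch can be told to execute commands)"
    fi
}

# Run with --demo to audit the constructed samples; point audit at
# /etc/xymon/xymonclient.cfg to check a real host.
if [ "${1:-}" = "--demo" ]; then
    d=$(write_samples)
    for f in "$d"/*.cfg; do audit "$f"; done
    rm -rf "$d"
fi
```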