2 files changed, 70 insertions, 0 deletions
diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
new file mode 100644
index 00000000..436bba42
--- /dev/null
+++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
@@ -0,0 +1,69 @@
+From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
+From: Sebastian Wolf <swolf@nagios.com>
+Date: Wed, 31 May 2023 16:43:54 -0400
+Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options
+ which run local commands.
+CVE: CVE-2023-37154
+Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac           | 10 ++++++++++
+ plugins/check_by_ssh.c | 12 +++++++++++-
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+diff --git a/configure.ac b/configure.ac
+index 963514a..236d233 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -418,6 +418,16 @@ then
+                [path and arguments for invoking 'who'])
+ fi
+ 
+AC_ARG_WITH(unrestricted_ssh_options,
+       [AS_HELP_STRING([--with-unrestricted-ssh-options],
+               [allow any SSH options to be used with check_by_ssh])],
+       [],
+       [unrestricted_ssh_options=no])
+
+if test "x$with_unrestricted_ssh_options" = xyes ; then
+       AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
+fi
+
+ AC_ARG_WITH([ipv6],
+        [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
+        [], [with_ipv6=check])
+diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
+index b6f3130..6cc6c7a 100644
+--- a/plugins/check_by_ssh.c
+++ b/plugins/check_by_ssh.c
+@@ -27,7 +27,7 @@
+ *****************************************************************************/
+ 
+ const char *progname = "check_by_ssh";
+-const char *copyright = "2000-2014";
+const char *copyright = "2000-";
+ const char *email = "devel@nagios-plugins.org";
+ 
+ #include "common.h"
+@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
+                                skip_stderr = atoi (optarg);
+                        break;
+                case 'o':                                                                       /* Extra options for the ssh command */
+
+                       /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
+#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
+                       if (   strcasestr(optarg, "ProxyCommand") != NULL
+                               || strcasestr(optarg, "PermitLocalCommand") != NULL
+                               || strcasestr(optarg, "LocalCommand") != NULL) {
+                               break;
+                       }
+#endif
+
+                        comm_append("-o");
+                        comm_append(optarg);
+                        break;
+-- 
+2.23.0
diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
index 471d4b42..cd89b329 100644
--- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb
+++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
@@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
+           file://CVE-2023-37154.patch \
 "
 SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"

diff --git a/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch new file mode 100644 index 00000000..436bba42 --- /dev/null +++ b/recipes-extended/nagios/nagios-plugins/CVE-2023-37154.patch
@@ -0,0 +1,69 @@
		1	From 7f07a9e89373d5906c2b6a9eee0e74cf69f302c1 Mon Sep 17 00:00:00 2001
		2	From: Sebastian Wolf <swolf@nagios.com>
		3	Date: Wed, 31 May 2023 16:43:54 -0400
		4	Subject: [PATCH] check_by_ssh: Prevent users from using several SSH options
		5	which run local commands.
		6
		7	CVE: CVE-2023-37154
		8	Upstream-Status: Backport [https://github.com/nagios-plugins/nagios-plugins/commit/e8810de21be80148562b7e0168b0a62aeedffde6]
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11	---
		12	configure.ac \| 10 ++++++++++
		13	plugins/check_by_ssh.c \| 12 +++++++++++-
		14	2 files changed, 21 insertions(+), 1 deletion(-)
		15
		16	diff --git a/configure.ac b/configure.ac
		17	index 963514a..236d233 100644
		18	--- a/configure.ac
		19	+++ b/configure.ac
		20	@@ -418,6 +418,16 @@ then
		21	[path and arguments for invoking 'who'])
		22	fi
		23
		24	+AC_ARG_WITH(unrestricted_ssh_options,
		25	+ [AS_HELP_STRING([--with-unrestricted-ssh-options],
		26	+ [allow any SSH options to be used with check_by_ssh])],
		27	+ [],
		28	+ [unrestricted_ssh_options=no])
		29	+
		30	+if test "x$with_unrestricted_ssh_options" = xyes ; then
		31	+ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.])
		32	+fi
		33	+
		34	AC_ARG_WITH([ipv6],
		35	[AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default=check@:>@])],
		36	[], [with_ipv6=check])
		37	diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
		38	index b6f3130..6cc6c7a 100644
		39	--- a/plugins/check_by_ssh.c
		40	+++ b/plugins/check_by_ssh.c
		41	@@ -27,7 +27,7 @@
		42	*****************************************************************************/
		43
		44	const char *progname = "check_by_ssh";
		45	-const char *copyright = "2000-2014";
		46	+const char *copyright = "2000-";
		47	const char *email = "devel@nagios-plugins.org";
		48
		49	#include "common.h"
		50	@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv)
		51	skip_stderr = atoi (optarg);
		52	break;
		53	case 'o': /* Extra options for the ssh command */
		54	+
		55	+ /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */
		56	+#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS
		57	+ if ( strcasestr(optarg, "ProxyCommand") != NULL
		58	+ \|\| strcasestr(optarg, "PermitLocalCommand") != NULL
		59	+ \|\| strcasestr(optarg, "LocalCommand") != NULL) {
		60	+ break;
		61	+ }
		62	+#endif
		63	+
		64	comm_append("-o");
		65	comm_append(optarg);
		66	break;
		67	--
		68	2.23.0
		69


diff --git a/recipes-extended/nagios/nagios-plugins_2.2.1.bb b/recipes-extended/nagios/nagios-plugins_2.2.1.bb index 471d4b42..cd89b329 100644 --- a/recipes-extended/nagios/nagios-plugins_2.2.1.bb +++ b/recipes-extended/nagios/nagios-plugins_2.2.1.bb
@@ -9,6 +9,7 @@ LICENSE = "GPL-3.0-only"
9	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"	9	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
10		10
11	SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \	11	SRC_URI = "https://www.nagios-plugins.org/download/${BPN}-${PV}.tar.gz \
		12	file://CVE-2023-37154.patch \
12	"	13	"
13		14
14	SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"	15	SRC_URI[md5sum] = "fb521d5c05897f165b0b1862c1e5cb27"