Re: [Nfsen-discuss] nfsen-1.3.8 released - SECURITY FIX
Netflow visualisation and investigation tool
From: James S. <st...@ma...> - 2017-01-25 20:16:09
On 01/25/2017 4:55 AM, Alexei Pastuchov wrote:
> quick && insecure solution:
> rm -t in NfProfile.pm line 3026.
>
That didn't work for me, but I did this crude hack for addressing the
taint issues with the variables returned by ProfilePath. Use at your
own risk until a permanent fix has been released as it does *not*
sanitize the input as it really should.
[foo@bar libexec]# diff -c NfProfile.pm.ORIG NfProfile.pm
*** NfProfile.pm.ORIG 2017-01-25 13:18:48.443703130 -0600
--- NfProfile.pm 2017-01-25 13:10:26.418745710 -0600
***************
*** 142,147 ****
--- 142,149 ----
sub ProfilePath {
my $profile = shift;
my $profilegroup = shift;
+ $profile =~ /(.*)/ && ($profile = $1);
+ $profilegroup =~ /(.*)/ && ($profilegroup = $1);
if ( !defined $profilegroup || $profilegroup eq '.' ) {
return "$profile";
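Review bot: In the two added lines at the top of ProfilePath, `/(.*)/` matches any string, so the assignment from `$1` clears the taint flag without checking the value at all. Match against an anchored pattern (`\A...\z`) that covers only the characters permitted in profile and group names, and die when it does not match. The match on `$profilegroup` also runs before the `!defined $profilegroup` test: an undefined argument matches as the empty string and is assigned `''`, so the `!defined` branch no longer fires for it (and it warns under `use warnings`); move the untainting below that test or guard it with `defined`. Because `.` does not match a newline, a value containing one is silently cut at the first newline instead of being rejected.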
-James
> 3026: $args .= "-t $_t " if defined $profileinfo{'expire'};
>
>
>> On 25 January 2017 at 10:17 Giles Coochey<gi...@co...> wrote:
>> I ran the upgrade and receive the following error when trying to restart
>> NFsen:
>>
>> Insecure dependency in sysopen while running with -T switch at
>> /opt/nfsen/libexec/NfProfile.pm line 836
>>
>> Any ideas?
>>
>> --
>> Regards,
>>
>> Giles Coochey
>> +44 (0) 7584 634 135
>> +44 (0) 1803 529 451
>> gi...@co...
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Nfsen-discuss mailing list
>> Nfs...@li...
>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>
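The taint error and workaround discussed in this thread, shown as an added example that is not part of the original message and is not NfSen code: untainting by validating against an allowlist instead of a blanket `(.*)` capture. The helper names, the allowed character set and length limit, and the `group/profile` return form are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not NfSen code. Run as: perl -T untaint_example.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper. Assumed policy: 1-64 characters from [A-Za-z0-9_-].
# \A and \z anchor the whole string; '$' would still accept a trailing newline.
sub untaint_name {
    my ($what, $name) = @_;
    die "$what is undefined\n" unless defined $name;
    return $1 if $name =~ /\A([A-Za-z0-9_-]{1,64})\z/;   # validated capture is untainted
    die "$what is not an allowed name\n";
}

# Same shape as the ProfilePath lines visible in the diff; the
# "group/profile" return value is an assumption (that branch is not shown).
sub profile_path_checked {
    my ($profile, $profilegroup) = @_;
    $profile = untaint_name('profile', $profile);
    # Test for undef and '.' first so a missing group is not turned into ''.
    return $profile if !defined $profilegroup || $profilegroup eq '.';
    $profilegroup = untaint_name('profilegroup', $profilegroup);
    return "$profilegroup/$profile";
}

# Constructed inputs, tainted by appending a zero-length tainted string.
my $taint = substr("$0$^X", 0, 0);
my @cases = (
    [ 'live',      undef     ],
    [ 'p1',        'group-a' ],
    [ '../../etc', '.'       ],
    [ "p1\nx",     'group-a' ],
);
for my $case (@cases) {
    my ($p, $g) = map { defined $_ ? $_ . $taint : undef } @$case;
    my $path = eval { profile_path_checked($p, $g) };
    (my $shown = $p) =~ s/\n/\\n/g;
    if (defined $path) {
        printf "%-10s accepted as '%s' (tainted: %s)\n",
            $shown, $path, tainted($path) ? 'yes' : 'no';
    } else {
        printf "%-10s rejected: %s", $shown, $@;
    }
}
```

The first two inputs come back untainted and usable in `sysopen`; the traversal string and the embedded newline are rejected rather than passed through.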