Skip to content

GitLab

aports
aports
Closed
Opened by Alexander Belous@belousa

[v2.4] nagios: remote DoS and leak (CVE-2013-7108 CVE-2013-7205)

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read (CVE-2013-7108).

•MLIST:[oss-security] 20131224 Re: CVE request: denial of service in Nagios (process_cgivars())
•URL: http://www.openwall.com/lists/oss-security/2013/12/24/1
•CONFIRM: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
•CONFIRM: https://dev.icinga.org/issues/5251
•CONFIRM: https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/
•SUSE:openSUSE-SU-2014:0016
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
•SUSE:openSUSE-SU-2014:0039
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
•SUSE:openSUSE-SU-2014:0069
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
•SECUNIA:55976
•URL: http://secunia.com/advisories/55976
•SECUNIA:56316
•URL: http://secunia.com/advisories/56316

Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read (CVE-2013-7205).

•MLIST:[oss-security] 20131224 Re: CVE request: denial of service in Nagios (process_cgivars())
•URL: http://www.openwall.com/lists/oss-security/2013/12/24/1
•CONFIRM: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
•SECUNIA:55976
•URL: http://secunia.com/advisories/55976

(from redmine: issue id 2619, created on 2014-02-04, closed on 2014-04-18)

main/nagios: security fix for CVE-2013-7108, CVE-2013-7205

fixes #2619

(cherry picked from commit 0fc285b2ea702c82941928cdfa4e521addba1705)

Conflicts:

	main/nagios/APKBUILD
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information