Bug 164993 - net-analyzer/zabbix-server SNMP Buffer Overflow Vulnerability
Summary: net-analyzer/zabbix-server SNMP Buffer Overflow Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24020/
Whiteboard: B/C2 [noglsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2007-02-02 15:21 UTC by Executioner
Modified: 2007-02-12 12:16 UTC
Description Executioner 2007-02-02 15:21:27 UTC
It doesn't specifically mention 1.1 but it probably couldn't hurt pumping up to 1.1.5 imho.

A vulnerability has been reported in ZABBIX, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when processing SNMP responses. This can be exploited to cause a buffer overflow via a specially crafted SNMP packet containing an invalid IP address and may allow execution of arbitrary code.

Successful exploitation requires knowledge about a monitored SNMP device or SNMP daemon.

The vulnerability is reported in version 1.1.2, 1.1.3, and 1.1.4.

Solution:
Update to version 1.1.5.

Reproducible: Didn't try




http://www.zabbix.com/rn1.1.5.php
Comment 1 Wolfram Schlich (RETIRED) gentoo-dev 2007-02-12 01:01:05 UTC
Committed =net-analyzer/zabbix-{agent,frontend,server}-1.1.6.
I suppose zabbix-server is the relevant package.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 12:16:01 UTC
Thanks Wolfram, since there is no stable ebuild in any arch for zabbix-server, I close the bug. Feel free to reopen if you disagree.