Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 501200 (CVE-2013-7108)

Summary: <net-analyzer/nagios-core-3.5.1: Information leak (CVE-2013-{7108,7205})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: andrew, creffett, mjo, sysadmin
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 531954    

Description GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:29:28 UTC 
CVE-2013-7205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7205):
  Off-by-one error in the process_cgivars function in contrib/daemonchk.c in
  Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to
  obtain sensitive information from process memory or cause a denial of
  service (crash) via a long string in the last key value in the variable
  list, which triggers a heap-based buffer over-read.

CVE-2013-7108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7108):
  Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
  Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote
  authenticated users to obtain sensitive information from process memory or
  cause a denial of service (crash) via a long string in the last key value in
  the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c,
  (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7)
  outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c
  in cgi/, which triggers a heap-based buffer over-read.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2014-09-02 14:29:52 UTC 
Bumped. Arches, please test and mark stable:
=net-analyzer/nagios-core-3.5.1
Target arches: alpha amd64 arm hppa ppc ppc64 sparc x86
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2014-09-02 14:38:43 UTC 
My mistake, should have added nagios, and arm wasn't stable before. New stable targets:
=net-analyzer/nagios-3.5.1
=net-analyzer/nagios-core-3.5.1
Target arches: alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-09-04 18:40:46 UTC 
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-09-06 15:36:03 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-06 15:36:35 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-09-13 17:35:11 UTC 
alpha stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-09-14 07:47:59 UTC 
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-09-14 07:51:35 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-19 10:31:42 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 01:45:54 UTC 
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 11 Michael Orlitzky gentoo-dev 2014-12-08 00:28:07 UTC 
@Alexander, creffett: do either of you mind if I drop nagios and nagios core before 3.5.1?
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-08 11:34:50 UTC 
GLSA Vote: Yes due to existing GLSA request for bug 447802
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-08 22:09:21 UTC 
(In reply to Kristian Fiskerstrand from comment #12)
> GLSA Vote: Yes due to existing GLSA request for bug 447802

Agreed.
Comment 14 Michael Orlitzky gentoo-dev 2014-12-13 00:59:14 UTC 
I meant "Andrew" in my last comment, not "Alexander," sorry. I blame the Hamilton. Also: ping!

We've got at least three security bugs open for <nagios-3.5.1 so I'd like to get rid of them. If I don't hear an objection for a while, I'll do the easier-to-ask-forgiveness thing =)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:11:53 UTC 
This issue was resolved and addressed in
 GLSA 201412-23 at http://security.gentoo.org/glsa/glsa-201412-23.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 16 Rolf Eike Beer archtester 2014-12-14 18:23:17 UTC 
(In reply to Agostino Sarubbo from comment #9)
> sparc stable.

Only nagios-core-3.5.1 is stable for sparc, but not nagios-3.5.1. Is this intentional?
Comment 17 Michael Orlitzky gentoo-dev 2014-12-15 14:12:48 UTC 
For net-analyzer/nagios-3.5.1:

  KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ppc ~ppc64 ~sparc x86"

and net-analyzer/nagios-core-3.5.1:

  KEYWORDS="alpha amd64 ~arm ~arm64 hppa ppc ppc64 sparc x86"

It looks like we need alpha, ppc, ppc64, and sparc stabilizations for =net-analyzer/nagios-3.5.1.
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2014-12-18 11:20:31 UTC 
Reopening for stabilization as per comment #17.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2014-12-18 22:00:39 UTC 
Looks like with a bit of confusion some arches stabilizations were missed. Please stabilize:

=net-analyzer/nagios-3.5.1

Target missed arches: alpha ppc ppc64 sparc
Comment 20 Agostino Sarubbo gentoo-dev 2014-12-23 09:31:31 UTC 
alpha stable
Comment 21 Agostino Sarubbo gentoo-dev 2014-12-24 14:37:24 UTC 
ppc stable
Comment 22 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:30 UTC 
ppc64 stable
Comment 23 Agostino Sarubbo gentoo-dev 2014-12-26 09:19:03 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 24 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 20:44:47 UTC 
GLSA for this is already out c.f comment #15. Cleanup done, closing.