Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 194178 - net-analyzer/nagios-plugins <1.4.10-r1 Buffer overflow vulnerability in check_http plugin (CVE-2007-5198)
Summary: net-analyzer/nagios-plugins <1.4.10-r1 Buffer overflow vulnerability in check...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://sourceforge.net/forum/forum.ph...
Whiteboard: C1 [glsa]
Keywords:
Depends on: 196308
Blocks:
  Show dependency tree
 
Reported: 2007-09-29 09:13 UTC by Tobias Scherbaum (RETIRED)
Modified: 2007-11-08 19:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-29 09:13:59 UTC
According to the ChangeLog from the just released 1.4.10 version of nagios-plugins there was a buffer overflow in the included check_http plugin.

"The major changes in this release include:

    Fix check_http buffer overflow vulnerability when following HTTP  
redirects"

I added nagios-plugins-1.4.10 to the tree a few minutes ago, arch teams please stable this version.
Comment 1 Markus Meier gentoo-dev 2007-09-30 13:42:08 UTC
x86 stable, please note:
dodoc: CHANGES does not exist
dodoc: Changelog does not exist
Comment 2 Ferris McCormick (RETIRED) gentoo-dev 2007-09-30 23:47:23 UTC
Builds and installs without incident, and all of 'emerge nagios' installs fine.  Testing will take some time, however, because nagios must be up and running and these plugins must get used.  This will take some time.  Other sparc people feel free to jump in if you happen to be running nagios already.
Comment 3 Ferris McCormick (RETIRED) gentoo-dev 2007-09-30 23:48:09 UTC
(In reply to comment #2)
> Builds and installs without incident, and all of 'emerge nagios' installs fine.
>  Testing will take some time, however, because nagios must be up and running
> and these plugins must get used.  This will take some time.  Other sparc people
> feel free to jump in if you happen to be running nagios already.
> 

That is, "Builds and installs on sparc."
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-01 05:22:30 UTC
(In reply to comment #2)
> Builds and installs without incident, and all of 'emerge nagios' installs fine.
>  Testing will take some time, however, because nagios must be up and running
> and these plugins must get used.  This will take some time.  Other sparc people
> feel free to jump in if you happen to be running nagios already.
> 

You can test the plugins without setting up a full nagios environment, i.e.:
/usr/nagios/libexec/check_http  -H www.gentoo.de    
HTTP OK HTTP/1.1 200 OK - 17458 bytes in 0.205 seconds |time=0.205061s;;;0.000000 size=17458B;;;0
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2007-10-01 11:25:48 UTC
Sparc stable; thanks, Tobias.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-10-01 16:09:39 UTC
ppc64 stable
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2007-10-04 14:34:32 UTC
(In reply to comment #1)
> x86 stable, please note:
> dodoc: CHANGES does not exist
> dodoc: Changelog does not exist
> 

fixed dodoc, amd64 stable too
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-04 23:03:31 UTC
All arches done, please file a GLSA request.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-05 05:56:48 UTC
(In reply to comment #8)
> All arches done, please file a GLSA request.
> 

11:41 < dertobi123> rbu: dunno if this one's a B2, haven't looked at the code - but the actual impact of this vulnerability should be very small, as this plugins is usually only used within nagios to monitor defined sites
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-10-10 01:00:36 UTC
(In reply to comment #9)
> 11:41 < dertobi123> rbu: dunno if this one's a B2, haven't looked at the code -
> but the actual impact of this vulnerability should be very small, as this
> plugins is usually only used within nagios to monitor defined sites

It still might allow code execution if a user is enticed to monitor a malicious system. Making a nagios admin do that might be harder than getting someone to open a crafted PDF file, but the impact is the same. Thanks for clarifying.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-17 18:44:39 UTC
Personally I'd rate this as C2 and vote NO GLSA since this is quite hard to exploit.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-29 19:53:44 UTC
The fix included in 1.4.10 was incomplete as per http://sourceforge.net/tracker/index.php?func=detail&aid=1813346&group_id=29880&atid=397597

I've added the patch to 1.4.10-r1, I'd suggest to utilize #196308 for stabilization.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-29 21:42:57 UTC
reverting to [stable] status as per comment #12.
Stabilization is handled on bug #196308
Comment 14 Eduardo Tongson 2007-10-30 02:34:00 UTC
This should be B2. Nagios is widely used and some consulting outfits use it to monitor client websites.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-30 13:58:42 UTC
I would rate both as C1 as the default configuration is not vulnerable.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 12:12:58 UTC
C1 it is, and GLSA request filed.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 12:16:03 UTC
(In reply to comment #16)
> C1 it is, and GLSA request filed.

(before someone else says so: I know it's not yet bug ready)
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2007-11-07 19:12:01 UTC
Adding back amd64 as they don't seem to have marked stable.
Comment 19 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-08 00:49:23 UTC
stable on amd64
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-08 19:33:36 UTC
GLSA 200711-11.