Off-by-one error in the process_cgivars function in contrib/daemonchk.c in
Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to
obtain sensitive information from process memory or cause a denial of
service (crash) via a long string in the last key value in the variable
list, which triggers a heap-based buffer over-read.
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote
authenticated users to obtain sensitive information from process memory or
cause a denial of service (crash) via a long string in the last key value in
the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c,
(3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7)
outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c
in cgi/, which triggers a heap-based buffer over-read.
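The bug class described above, as an added example that is not part of the original report and is not Nagios or Icinga source: a simplified model of a walk over a NULL-terminated variable list in which an over-long last entry makes the index step over the terminator. The loop shape, `MAX_LEN`, the function names and the sample lists are assumptions constructed for illustration, and the hardened variant is one possible fix, not the upstream patch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LEN 16  /* constructed limit; stands in for the CGI input buffer size */

/* Both walkers take vars[0..n-1] plus a NULL terminator at vars[n].
 * n is used only so the model can report an over-read instead of performing it.
 * Return value: index of the first slot read past the terminator, or -1. */

/* Unsafe shape (assumed): an over-long entry is skipped with x++ and continue,
 * so the loop's own x++ runs as well and can step over the NULL slot. */
int walk_unsafe(const char **vars, int n) {
    for (int x = 0; ; x++) {
        if (x > n) return x;             /* would dereference vars[n+1] */
        if (vars[x] == NULL) return -1;  /* clean stop on the terminator */
        if (strlen(vars[x]) >= MAX_LEN - 1) {
            x++;
            continue;
        }
        /* recognised keys would be handled here; unknown entries fall through */
    }
}

/* Hardened shape: an over-long entry is an error; stop without advancing. */
int walk_safe(const char **vars, int n, int *error) {
    *error = 0;
    for (int x = 0; ; x++) {
        if (x > n) return x;
        if (vars[x] == NULL) return -1;
        if (strlen(vars[x]) >= MAX_LEN - 1) {
            *error = 1;
            return -1;
        }
    }
}

/* Constructed inputs: the long string is the last entry in over_long_last. */
static const char *over_long_last[] = { "host", "AAAAAAAAAAAAAAAAAAAAAAAA", NULL };
static const char *over_long_mid[]  = { "AAAAAAAAAAAAAAAAAAAAAAAA", "x", NULL };
static const char *normal[]         = { "host", "web01", NULL };

int main(void) {
    int err;
    printf("unsafe, long last entry: %d\n", walk_unsafe(over_long_last, 2));
    printf("safe,   long last entry: %d\n", walk_safe(over_long_last, 2, &err));
    return 0;
}
```

Only the list whose final entry is over-long drives the unsafe walk past the terminator; the same long string earlier in the list lands back on a valid slot.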
Bumped. Arches, please test and mark stable:
Target arches: alpha amd64 arm hppa ppc ppc64 sparc x86
My mistake, should have added nagios, and arm wasn't stable before. New stable targets:
Target arches: alpha amd64 hppa ppc ppc64 sparc x86
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please vote.
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version(s).
GLSA Vote: No
@Alexander, creffett: do either of you mind if I drop nagios and nagios core before 3.5.1?
GLSA Vote: Yes due to existing GLSA request for bug 447802
(In reply to Kristian Fiskerstrand from comment #12)
> GLSA Vote: Yes due to existing GLSA request for bug 447802
I meant "Andrew" in my last comment, not "Alexander," sorry. I blame the Hamilton. Also: ping!
We've got at least three security bugs open for <nagios-3.5.1 so I'd like to get rid of them. If I don't hear an objection for a while, I'll do the easier-to-ask-forgiveness thing =)
This issue was resolved and addressed in
GLSA 201412-23 at http://security.gentoo.org/glsa/glsa-201412-23.xml
by GLSA coordinator Sean Amoss (ackle).
(In reply to Agostino Sarubbo from comment #9)
> sparc stable.
Only nagios-core-3.5.1 is stable for sparc, but not nagios-3.5.1. Is this intentional?
KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ppc ~ppc64 ~sparc x86"
KEYWORDS="alpha amd64 ~arm ~arm64 hppa ppc ppc64 sparc x86"
It looks like we need alpha, ppc, ppc64, and sparc stabilizations for =net-analyzer/nagios-3.5.1.
Reopening for stabilization as per comment #17.
Looks like with a bit of confusion some arches stabilizations were missed. Please stabilize:
Target missed arches: alpha ppc ppc64 sparc
GLSA for this is already out, cf. comment #15. Cleanup done, closing.