Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 501200 (CVE-2013-7108) - <net-analyzer/nagios-core-3.5.1: Information leak (CVE-2013-{7108,7205})
Summary: <net-analyzer/nagios-core-3.5.1: Information leak (CVE-2013-{7108,7205})
Status: RESOLVED FIXED
Alias: CVE-2013-7108
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks: 531954
  Show dependency tree
 
Reported: 2014-02-13 15:29 UTC by GLSAMaker/CVETool Bot
Modified: 2015-05-11 20:44 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:29:28 UTC
CVE-2013-7205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7205):
  Off-by-one error in the process_cgivars function in contrib/daemonchk.c in
  Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to
  obtain sensitive information from process memory or cause a denial of
  service (crash) via a long string in the last key value in the variable
  list, which triggers a heap-based buffer over-read.

CVE-2013-7108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7108):
  Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
  Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote
  authenticated users to obtain sensitive information from process memory or
  cause a denial of service (crash) via a long string in the last key value in
  the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c,
  (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7)
  outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c
  in cgi/, which triggers a heap-based buffer over-read.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2014-09-02 14:29:52 UTC
Bumped. Arches, please test and mark stable:
=net-analyzer/nagios-core-3.5.1
Target arches: alpha amd64 arm hppa ppc ppc64 sparc x86
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2014-09-02 14:38:43 UTC
My mistake, should have added nagios, and arm wasn't stable before. New stable targets:
=net-analyzer/nagios-3.5.1
=net-analyzer/nagios-core-3.5.1
Target arches: alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-09-04 18:40:46 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-09-06 15:36:03 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-06 15:36:35 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-09-13 17:35:11 UTC
alpha stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-09-14 07:47:59 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-09-14 07:51:35 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-19 10:31:42 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 01:45:54 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 11 Michael Orlitzky gentoo-dev 2014-12-08 00:28:07 UTC
@Alexander, creffett: do either of you mind if I drop nagios and nagios core before 3.5.1?
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-08 11:34:50 UTC
GLSA Vote: Yes due to existing GLSA request for bug 447802
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-08 22:09:21 UTC
(In reply to Kristian Fiskerstrand from comment #12)
> GLSA Vote: Yes due to existing GLSA request for bug 447802

Agreed.
Comment 14 Michael Orlitzky gentoo-dev 2014-12-13 00:59:14 UTC
I meant "Andrew" in my last comment, not "Alexander," sorry. I blame the Hamilton. Also: ping!

We've got at least three security bugs open for <nagios-3.5.1 so I'd like to get rid of them. If I don't hear an objection for a while, I'll do the easier-to-ask-forgiveness thing =)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:11:53 UTC
This issue was resolved and addressed in
 GLSA 201412-23 at http://security.gentoo.org/glsa/glsa-201412-23.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 16 Rolf Eike Beer 2014-12-14 18:23:17 UTC
(In reply to Agostino Sarubbo from comment #9)
> sparc stable.

Only nagios-core-3.5.1 is stable for sparc, but not nagios-3.5.1. Is this intentional?
Comment 17 Michael Orlitzky gentoo-dev 2014-12-15 14:12:48 UTC
For net-analyzer/nagios-3.5.1:

  KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ppc ~ppc64 ~sparc x86"

and net-analyzer/nagios-core-3.5.1:

  KEYWORDS="alpha amd64 ~arm ~arm64 hppa ppc ppc64 sparc x86"

It looks like we need alpha, ppc, ppc64, and sparc stabilizations for =net-analyzer/nagios-3.5.1.
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2014-12-18 11:20:31 UTC
Reopening for stabilization as per comment #17.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2014-12-18 22:00:39 UTC
Looks like with a bit of confusion some arches stabilizations were missed. Please stabilize:

=net-analyzer/nagios-3.5.1

Target missed arches: alpha ppc ppc64 sparc
Comment 20 Agostino Sarubbo gentoo-dev 2014-12-23 09:31:31 UTC
alpha stable
Comment 21 Agostino Sarubbo gentoo-dev 2014-12-24 14:37:24 UTC
ppc stable
Comment 22 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:30 UTC
ppc64 stable
Comment 23 Agostino Sarubbo gentoo-dev 2014-12-26 09:19:03 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 24 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 20:44:47 UTC
GLSA for this is already out c.f comment #15. Cleanup done, closing.