Home page logo
/

oss-sec logo oss-sec mailing list archives

Due to Nagios (core) 3.4.3 history.cgi crash (fulldisclosure/2012/Dec/107 post)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 12 Dec 2012 11:19:02 -0500 (EST)

Hello Kurt, Steve, vendors,

  based on:
  [1] http://seclists.org/fulldisclosure/2012/Dec/107

we have investigated the situation for potential security
implications and it looks on distributions, with FORTIFY_SOURCE
protection enabled, this problem would not be a security flaw
(the history.cgi plug-in truly crashes, but main Nagios daemon
stays alive and the overflow is detected / in httpd error log:

*** buffer overflow detected ***: /usr/lib64/nagios/cgi-bin/history.cgi terminated
)

So on distributions with F_S enabled the only impact would be
'nagios' executable crash, but since it's just 'history.cgi' plug-in
which crashes, DoS can't be reached here either.

Based on the above, we would not consider this to be a security flaw,
but mentioning here for case nagios is shipped without F_S protection
somewhere (in that case it might be more interesting from security point
of view and might qualify for a CVE id).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
  • Due to Nagios (core) 3.4.3 history.cgi crash (fulldisclosure/2012/Dec/107 post) Jan Lieskovsky (Dec 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]