Due to Nagios (core) 3.4.3 history.cgi crash (fulldisclosure/2012/Dec/107 post)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 12 Dec 2012 11:19:02 -0500 (EST)
Hello Kurt, Steve, vendors,

we have investigated the situation for potential security
implications and it looks like on distributions with FORTIFY_SOURCE
protection enabled, this problem would not be a security flaw
(the history.cgi plug-in truly crashes, but the main Nagios daemon
stays alive and the overflow is detected / in the httpd error log:

  *** buffer overflow detected ***: /usr/lib64/nagios/cgi-bin/history.cgi terminated

So on distributions with F_S enabled the only impact would be
a 'nagios' executable crash, but since it's just the 'history.cgi' plug-in
which crashes, DoS can't be reached here either.

Based on the above, we would not consider this to be a security flaw,
but mentioning it here in case nagios is shipped without F_S protection
somewhere (in that case it might be more interesting from a security point
of view and might qualify for a CVE id).

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
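
The message's conclusion depends on whether a given build of history.cgi was compiled with FORTIFY_SOURCE. The following is an added example, not part of the original message or of Nagios: it reads the text output of `readelf --dyn-syms --wide` and reports which imported libc calls are the checked `__<name>_chk` variants. The function names and the sample listings are constructed for illustration.

```python
import re

# libc functions for which glibc provides a checked __<name>_chk variant.
FORTIFIABLE = {"strcpy", "strncpy", "strcat", "strncat", "sprintf", "snprintf",
               "vsprintf", "vsnprintf", "memcpy", "memmove", "memset", "fgets"}
CHK_RE = re.compile(r"^__(\w+)_chk$")

def imported_functions(readelf_text):
    """Yield names of undefined (imported) FUNC symbols from readelf output."""
    for line in readelf_text.splitlines():
        f = line.split()
        if (len(f) >= 8 and f[0].rstrip(":").isdigit()
                and f[3] == "FUNC" and f[6] == "UND"):
            yield f[7].split("@")[0]  # drop the @GLIBC_x.y version suffix

def fortify_report(readelf_text):
    """Classify imported libc calls as checked (_chk) or unchecked."""
    checked, unchecked = set(), set()
    for name in imported_functions(readelf_text):
        m = CHK_RE.match(name)
        if m and m.group(1) in FORTIFIABLE:
            checked.add(m.group(1))
        elif name in FORTIFIABLE:
            unchecked.add(name)
    return {"fortified": bool(checked),
            "checked": sorted(checked),
            "unchecked": sorted(unchecked)}

# Constructed sample listings (not taken from a real Nagios build).
HEADER = "   Num:    Value          Size Type    Bind   Vis      Ndx Name\n"
ROW = "   {:>3}: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND {}\n"

def listing(names):
    """Build a readelf-style symbol table from a list of symbol names."""
    return HEADER + "".join(ROW.format(i + 1, n) for i, n in enumerate(names))

SAMPLE_FORTIFIED = listing(["__sprintf_chk@GLIBC_2.3.4 (3)",
                            "__strcpy_chk@GLIBC_2.3.4 (3)",
                            "strncpy@GLIBC_2.2.5 (2)",
                            "__stack_chk_fail@GLIBC_2.4 (4)",
                            "getenv@GLIBC_2.2.5 (2)"])
SAMPLE_PLAIN = listing(["sprintf@GLIBC_2.2.5 (2)",
                        "strcpy@GLIBC_2.2.5 (2)",
                        "getenv@GLIBC_2.2.5 (2)"])

if __name__ == "__main__":
    print(fortify_report(SAMPLE_FORTIFIED))
    print(fortify_report(SAMPLE_PLAIN))
```

An unchecked call in an otherwise fortified binary only means the compiler could not determine the destination size at that call site; a binary with no `_chk` imports at all is the case the message flags as needing a closer look.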