oss-sec mailing list archives
Due to Nagios (core) 3.4.3 history.cgi crash (fulldisclosure/2012/Dec/107 post)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 12 Dec 2012 11:19:02 -0500 (EST)
Hello Kurt, Steve, vendors,

based on:
[1] http://seclists.org/fulldisclosure/2012/Dec/107

we have investigated the situation for potential security implications, and it looks like on distributions with FORTIFY_SOURCE protection enabled this problem would not be a security flaw (the history.cgi plug-in truly crashes, but the main Nagios daemon stays alive and the overflow is detected / in the httpd error log:

    *** buffer overflow detected ***: /usr/lib64/nagios/cgi-bin/history.cgi terminated
)

So on distributions with F_S enabled the only impact would be a 'nagios' executable crash, but since it's just the 'history.cgi' plug-in which crashes, DoS can't be reached here either.

Based on the above, we would not consider this to be a security flaw, but we are mentioning it here in case Nagios is shipped without F_S protection somewhere (in that case it might be more interesting from a security point of view and might qualify for a CVE id).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
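The message leaves open whether a given build of history.cgi has FORTIFY_SOURCE protection. The following is an added example, not part of the original post and not Nagios or Red Hat code: a shell function that classifies a binary from the libc symbols it imports. The function names, the list of fortifiable functions (a subset chosen for this example) and the sample symbol listings are assumptions constructed here.

```shell
#!/bin/sh
# Classify FORTIFY_SOURCE coverage from the output of: nm -D --undefined-only FILE
# Usage: nm -D --undefined-only /usr/lib64/nagios/cgi-bin/history.cgi | fortify_status

fortify_status() {
    awk '
    BEGIN {
        # Subset of libc functions that glibc can replace with __NAME_chk (assumed list)
        n = split("strcpy strncpy strcat strncat sprintf snprintf vsprintf vsnprintf memcpy memmove memset gets fgets read", names, " ")
        for (i = 1; i <= n; i++) fortifiable[names[i]] = 1
    }
    {
        sym = $NF                # symbol name is the last field of an nm line
        sub(/@.*/, "", sym)      # drop a version suffix such as @GLIBC_2.3.4
        if (sym ~ /^__.*_chk$/) {
            base = sym
            sub(/^__/, "", base); sub(/_chk$/, "", base)
            if (base in fortifiable) checked++
        } else if (sym in fortifiable) {
            plain++
        }
    }
    END {
        if (checked && plain) print "partial"
        else if (checked)     print "fortified"
        else if (plain)       print "unfortified"
        else                  print "unknown"
    }'
}

# Constructed sample listings (not taken from a real history.cgi build).
sample_fortified() {
    cat <<'EOF'
                 U __sprintf_chk@GLIBC_2.3.4
                 U __strcpy_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U getenv@GLIBC_2.2.5
EOF
}

sample_unfortified() {
    cat <<'EOF'
                 U sprintf@GLIBC_2.2.5
                 U strcpy
                 U getenv@GLIBC_2.2.5
EOF
}
```

A "partial" result is common on fortified builds, because the compiler only substitutes the checked variant where it can determine the destination size. `__stack_chk_fail` belongs to the stack protector and is deliberately not counted.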