oss-sec mailing list archives

Due to Nagios (core) 3.4.3 history.cgi crash (fulldisclosure/2012/Dec/107 post)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 12 Dec 2012 11:19:02 -0500 (EST)

Hello Kurt, Steve, vendors,

  based on:
  [1] http://seclists.org/fulldisclosure/2012/Dec/107

we have investigated the situation for potential security
implications and it looks like on distributions with FORTIFY_SOURCE
protection enabled this problem would not be a security flaw
(the history.cgi plug-in truly crashes, but the main Nagios daemon
stays alive and the overflow is detected / in the httpd error log:

*** buffer overflow detected ***: /usr/lib64/nagios/cgi-bin/history.cgi terminated
)

So on distributions with F_S enabled the only impact would be
a 'nagios' executable crash, but since it's just the 'history.cgi' plug-in
which crashes, DoS can't be reached here either.

Based on the above, we would not consider this to be a security flaw,
but mentioning it here in case nagios is shipped without F_S protection
somewhere (in that case it might be more interesting from a security point
of view and might qualify for a CVE id).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
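
The message's conclusion depends on whether a given build of history.cgi was compiled with FORTIFY_SOURCE. The following is an added example, not part of the original post: it classifies a binary from its imported libc symbols, and the sample `nm` output and the `FORTIFIABLE` subset are constructed for illustration.

```python
import re
import subprocess
import sys

# Subset of the libc calls glibc can swap for a checked __<name>_chk variant.
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "strncat", "sprintf", "snprintf", "vsprintf", "vsnprintf"}
# Anchored on purpose: __stack_chk_fail (stack protector) must not match.
CHK_RE = re.compile(r"^__(\w+)_chk$")

# Constructed `nm -D --undefined-only` output, not taken from a Nagios build.
SAMPLE_FORTIFIED = """\
                 U __sprintf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U __strcpy_chk@GLIBC_2.3.4
                 U getenv@GLIBC_2.2.5
"""
SAMPLE_PLAIN = """\
                 U __stack_chk_fail@GLIBC_2.4
                 U sprintf@GLIBC_2.2.5
                 U strcpy@GLIBC_2.2.5
"""

def imported_symbols(nm_output):
    """Return the undefined (imported) symbol names, version suffix removed."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-2] in ("U", "w"):
            names.add(fields[-1].split("@")[0])
    return names

def fortify_report(nm_output):
    names = imported_symbols(nm_output)
    checked = sorted(m.group(1) for m in map(CHK_RE.match, names) if m)
    unchecked = sorted(names & FORTIFIABLE)
    if checked:
        # Plain calls next to checked ones are normal: the compiler only emits
        # _chk where it knows the destination size and cannot prove it safe.
        verdict = "fortified" if not unchecked else "partially fortified"
    else:
        verdict = "not fortified" if unchecked else "no fortifiable calls"
    return {"verdict": verdict, "checked": checked, "unchecked": unchecked}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        out = subprocess.run(["nm", "-D", "--undefined-only", path],
                             capture_output=True, text=True, check=True).stdout
        print(path, fortify_report(out))
```

Run it with the path of the installed CGI as the argument, for example the /usr/lib64/nagios/cgi-bin/history.cgi path shown in the error log line above.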

