oss-sec mailing list archives
Re: CVE request: denial of service in Nagios (process_cgivars())
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 23 Dec 2013 19:19:25 +0100

Hi Vincent,

On Mon, Dec 23, 2013 at 10:55:35AM -0700, Vincent Danen wrote:
> Could a CVE be assigned to the following flaw?
>
> A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service. This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI.
>
> References:
>
> https://secunia.com/advisories/55976/
> http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
> https://bugs.gentoo.org/show_bug.cgi?id=495132
> https://bugzilla.redhat.com/show_bug.cgi?id=1046113

Only a cross reference (not saying it should get the same CVE): This seems to be the equivalent to the icinga issue [1], which got CVE-2013-7108.

 [1] https://dev.icinga.org/issues/5251

Regards,
Salvatore

Current thread:
- CVE request: denial of service in Nagios (process_cgivars()) Vincent Danen (Dec 23)
- Re: CVE request: denial of service in Nagios (process_cgivars()) Salvatore Bonaccorso (Dec 23)
- Re: CVE request: denial of service in Nagios (process_cgivars()) cve-assign (Dec 23)
- Re: CVE request: denial of service in Nagios (process_cgivars()) Vincent Danen (Dec 23)
- Re: CVE request: denial of service in Nagios (process_cgivars()) cve-assign (Dec 24)