oss-security - CVE request: denial of service in Nagios (process

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Mon, 23 Dec 2013 10:55:35 -0700
From: Vincent Danen <vdanen@...hat.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE request: denial of service in Nagios (process_cgivars())

Could a CVE be assigned to the following flaw?

A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service.  This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI.

References:
https://secunia.com/advisories/55976/
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
https://bugs.gentoo.org/show_bug.cgi?id=495132
https://bugzilla.redhat.com/show_bug.cgi?id=1046113

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team

Download attachment "signature.asc" of type "application/pgp-signature" (671 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.