Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20131223181925.GA11815@eldamar.local>
Date: Mon, 23 Dec 2013 19:19:25 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: denial of service in Nagios
 (process_cgivars())

Hi Vincent,

On Mon, Dec 23, 2013 at 10:55:35AM -0700, Vincent Danen wrote:
> Could a CVE be assigned to the following flaw?
> 
> A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service.  This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI.
> 
> References:
> https://secunia.com/advisories/55976/
> http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
> https://bugs.gentoo.org/show_bug.cgi?id=495132
> https://bugzilla.redhat.com/show_bug.cgi?id=1046113

Only a cross reference (not saying it should get the same CVE): This
seems to be the equivalent to the icinga issue [1], which got
CVE-2013-7108.

 [1] https://dev.icinga.org/issues/5251

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.