CVE-2012-6096

Published: 22 January 2013

Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.

Notes

Author: mdeslaur
Note:
debian bug says nagios patch is possibly incomplete
downgrading to "negligible" because of FORTIFY_SOURCE

Priority

Negligible

Status

Package: icinga (Launchpad, Ubuntu, Debian)

Release    Status
hardy      Does not exist
lucid      Does not exist
oneiric    Ignored (reached end-of-life)
precise    Does not exist (precise was needed)
quantal    Ignored (reached end-of-life)
raring     Not vulnerable (1.7.1-5)
saucy      Not vulnerable (1.7.1-5)
trusty     Does not exist (trusty was not-affected [1.7.1-5])
upstream   Released (1.7.1-5)
utopic     Not vulnerable (1.7.1-5)
vivid      Not vulnerable (1.7.1-5)
wily       Not vulnerable (1.7.1-5)
xenial     Not vulnerable (1.7.1-5)
yakkety    Not vulnerable (1.7.1-5)
zesty      Not vulnerable (1.7.1-5)

Patches:
upstream: https://git.icinga.org/?p=icinga-core.git;a=commit;h=46f55574afa934f9e0bce5e9aac7f45530ff0058
vendor: http://www.debian.org/security/2013/dsa-2653


This vulnerability is mitigated in part by the use of -D_FORTIFY_SOURCE=2 in Ubuntu.

Package: nagios3 (Launchpad, Ubuntu, Debian)

Release    Status
hardy      Does not exist
lucid      Ignored (reached end-of-life)
oneiric    Ignored (reached end-of-life)
precise    Does not exist (precise was needed)
quantal    Ignored (reached end-of-life)
raring     Not vulnerable (3.4.1-3)
saucy      Not vulnerable (3.4.1-3)
trusty     Does not exist (trusty was not-affected [3.4.1-3])
upstream   Released (3.4.1-3)
utopic     Not vulnerable (3.4.1-3)
vivid      Not vulnerable (3.4.1-3)
wily       Not vulnerable (3.4.1-3)
xenial     Not vulnerable (3.4.1-3)
yakkety    Not vulnerable (3.4.1-3)
zesty      Not vulnerable (3.4.1-3)

Patches:
upstream: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
vendor: http://www.debian.org/security/2013/dsa-2616

This vulnerability is mitigated in part by the use of -D_FORTIFY_SOURCE=2 in Ubuntu.