Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2013-7205

Published: 15 January 2014

Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.

Notes

AuthorNote
mdeslaur
nagios fix had an additional source file, so this CVE was
split out from CVE-2013-7108. (contrib/daemonchk.c)
Priority

Low

Status

Package Release Status
nagios3
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Does not exist
(precise was needed)
quantal Ignored
(reached end-of-life)
raring Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Does not exist
(trusty was released [3.5.1-1ubuntu1.1])
upstream Needs triage

utopic Ignored
(reached end-of-life)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial
Released (3.5.1.dfsg-2.1ubuntu1.1)
yakkety
Released (3.5.1.dfsg-2.1ubuntu3.1)
zesty
Released (3.5.1.dfsg-2.1ubuntu5)
Patches:
upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)