CVE-2013-7205

Published: 15 January 2014

Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.

Priority

Low

Status

Package Release Status
nagios3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus)
Released (3.5.1.dfsg-2.1ubuntu1.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [3.5.1-1ubuntu1.1])
Patches:
Upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
Upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)

Notes

AuthorNote
mdeslaur
nagios fix had an additional source file, so this CVE was
split out from CVE-2013-7108. (contrib/daemonchk.c)

References

Bugs