oss-sec mailing list archives

CVE request: denial of service in Nagios (process_cgivars())

From: Vincent Danen <vdanen () redhat com>
Date: Mon, 23 Dec 2013 10:55:35 -0700

Could a CVE be assigned to the following flaw?

A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service.  This vulnerability is 
caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an 
out-of-bounds read by sending a specially-crafted key value to the Nagios web UI.

References:
https://secunia.com/advisories/55976/
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
https://bugs.gentoo.org/show_bug.cgi?id=495132
https://bugzilla.redhat.com/show_bug.cgi?id=1046113

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Current thread:

CVE request: denial of service in Nagios (process_cgivars()) Vincent Danen (Dec 23)
- Re: CVE request: denial of service in Nagios (process_cgivars()) Salvatore Bonaccorso (Dec 23)
- Re: CVE request: denial of service in Nagios (process_cgivars()) cve-assign (Dec 23)
  - Re: CVE request: denial of service in Nagios (process_cgivars()) Vincent Danen (Dec 23)
- Re: CVE request: denial of service in Nagios (process_cgivars()) cve-assign (Dec 24)