CVE-2013-7108

Priority
Low
Description
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote
authenticated users to obtain sensitive information from process memory or
cause a denial of service (crash) via a long string in the last key value
in the variable list to the process_cgivars function in (1) avail.c, (2)
cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c,
(7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11)
trends.c in cgi/, which triggers a heap-based buffer over-read.
Package
Upstream: released (1.10.2-1)
Ubuntu 12.04 LTS (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (1.10.2-1)
Ubuntu Touch 15.04: DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1.10.2-1)
Ubuntu 16.10 (Yakkety Yak): not-affected (1.10.2-1)
Ubuntu 17.04 (Zesty Zapus): not-affected (1.10.2-1)
Package
Upstream: needs-triage
Ubuntu 12.04 LTS (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): released (3.5.1-1ubuntu1.1)
Ubuntu Touch 15.04: DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.1.dfsg-2.1ubuntu1.1)
Ubuntu 16.10 (Yakkety Yak): released (3.5.1.dfsg-2.1ubuntu3.1)
Ubuntu 17.04 (Zesty Zapus): released (3.5.1.dfsg-2.1ubuntu5)
Patches:
Upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
Upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)

Updated: 2017-04-14 08:19:56 UTC (commit 12390)