PublicDateAtUSN: 2014-01-15
Candidate: CVE-2013-7205
PublicDate: 2014-01-15 16:08:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7205
 https://ubuntu.com/security/notices/USN-3253-1
Description:
 Off-by-one error in the process_cgivars function in contrib/daemonchk.c in
 Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to
 obtain sensitive information from process memory or cause a denial of
 service (crash) via a long string in the last key value in the variable
 list, which triggers a heap-based buffer over-read.
Ubuntu-Description:
Notes:
 mdeslaur> nagios fix had an additional source file, so this CVE was
 mdeslaur> split out from CVE-2013-7108. (contrib/daemonchk.c)
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771466
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_nagios3:
 upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
 upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)
upstream_nagios3: needs-triage
lucid_nagios3: ignored (reached end-of-life)
precise_nagios3: ignored (reached end-of-life)
precise/esm_nagios3: DNE (precise was needed)
quantal_nagios3: ignored (reached end-of-life)
raring_nagios3: ignored (reached end-of-life)
saucy_nagios3: ignored (reached end-of-life)
trusty_nagios3: released (3.5.1-1ubuntu1.1)
trusty/esm_nagios3: DNE (trusty was released [3.5.1-1ubuntu1.1])
utopic_nagios3: ignored (reached end-of-life)
vivid_nagios3: ignored (reached end-of-life)
vivid/stable-phone-overlay_nagios3: DNE
vivid/ubuntu-core_nagios3: DNE
wily_nagios3: ignored (reached end-of-life)
xenial_nagios3: released (3.5.1.dfsg-2.1ubuntu1.1)
esm-infra/xenial_nagios3: released (3.5.1.dfsg-2.1ubuntu1.1)
yakkety_nagios3: released (3.5.1.dfsg-2.1ubuntu3.1)
zesty_nagios3: released (3.5.1.dfsg-2.1ubuntu5)
devel_nagios3: released (3.5.1.dfsg-2.1ubuntu5)