CVE-2013-7108

Description
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote
authenticated users to obtain sensitive information from process memory or
cause a denial of service (crash) via a long string in the last key value
in the variable list to the process_cgivars function in (1) avail.c, (2)
cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c,
(7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11)
trends.c in cgi/, which triggers a heap-based buffer over-read.
Package
Upstream: released (1.10.2-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [1.10.2-1])
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1.10.2-1)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [3.5.1-1ubuntu1.1])
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.1.dfsg-2.1ubuntu1.1)
Patches:
Upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
Upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)

Updated: 2020-01-29 19:48:32 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)