CVE-2013-7108

Priority
Low
Description
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote
authenticated users to obtain sensitive information from process memory or
cause a denial of service (crash) via a long string in the last key value
in the variable list to the process_cgivars function in (1) avail.c, (2)
cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c,
(7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11)
trends.c in cgi/, which triggers a heap-based buffer over-read.
Package
Upstream: released (1.10.2-1)
Ubuntu 17.10 (Artful Aardvark): not-affected (1.10.2-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (1.10.2-1)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1.10.2-1)
Ubuntu 17.04 (Zesty Zapus): not-affected (1.10.2-1)
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): released (3.5.1.dfsg-2.1ubuntu5)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): released (3.5.1-1ubuntu1.1)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.1.dfsg-2.1ubuntu1.1)
Ubuntu 17.04 (Zesty Zapus): released (3.5.1.dfsg-2.1ubuntu5)
Patches:
Upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
Upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)

Updated: 2017-08-11 23:51:29 UTC (commit 13081)