[sf at sfritsch.de: [Pkg-nagios-devel] Bug#366683: CVE-2006-2162: Buffer overflow in nagios]
Ethan Galstad
nagios at nagios.org
Wed May 10 18:11:26 CEST 2006
If the CONTENT_LENGTH header is set to a negative number, the CGIs may
not allocate memory in a suitable manner. If the value is -1, the CGIs
will try a malloc(0). If this returns a NULL pointer there would not be
any problems. If it returns a non-NULL pointer, there would be a buffer
overflow. I'm not sure if you'll get a NULL pointer if you call
malloc() with a negative number - that behavior is not clear from the
man pages.
Apparently, this problem will most likely only affect non-Apache web
servers, although I haven't verified that. The newest Nagios branch
releases (1.4 and 2.3) already have the fix applied. I have attached a
patch showing the diff between 1.4 and 1.3.
sean finney wrote:
> hi ethan,
>
> any care to comment on this? i'm really swamped right now and just
> spent all of last weekend fixing 4 CVE's for mysql, so i would really
> appreciate it if you (or someone else on the list) could forward
> my the relevant patch from the 1.x branch if/when it exists so we
> can prepare an update for the debian sarge and woody packages.
>
> sean
>
> ----- Forwarded message from Stefan Fritsch <sf at sfritsch.de> -----
>
> Date: Wed, 10 May 2006 13:23:59 +0200 (CEST)
> From: Stefan Fritsch <sf at sfritsch.de>
> To: submit at bugs.debian.org
> Subject: [Pkg-nagios-devel] Bug#366683: CVE-2006-2162: Buffer overflow in
> nagios
>
> Package: nagios2
> Severity: grave
> Justification: user security hole
> Tags: security
>
> CVE-2006-2162:
> Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before
> 2.3 allows remote attackers to execute arbitrary code via a negative
> content length (Content-Length) HTTP header.
>
> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162
>
Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
Name: getcgi.patch
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20060510/de28ef7f/attachment.ksh>
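As an added illustration of the bug class Ethan describes above (not Nagios code, not the attached getcgi.patch, and not claimed to match getcgi.c line for line): the C below puts the unchecked pattern, CONTENT_LENGTH converted with atoi() into a signed int and "length + 1" handed to malloc(), next to a validated parse that rejects a sign, trailing garbage and oversized values before any allocation. The cap MAX_POST_BODY, the function names, and the sample request body are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on an accepted POST body; the page states no such limit for the real CGIs. */
#define MAX_POST_BODY (64 * 1024)

/*
 * The unsafe pattern from the report: CONTENT_LENGTH goes through atoi() into a
 * signed int and "length + 1" is passed to malloc() with no sign check. This
 * returns the size malloc() would be asked for so the effect of a negative
 * header can be inspected without allocating anything. (INT_MAX + 1 would also
 * overflow the int here; the hardened version below uses long plus a cap.)
 */
size_t naive_alloc_size(const char *content_length_header)
{
    int content_length = atoi(content_length_header);  /* "-1" -> -1, no error signalled */
    return (size_t)(content_length + 1);                /* -1 -> 0, -2 -> SIZE_MAX */
}

/*
 * Hardened parse: unsigned decimal only, fully consumed, 0 <= value <= max.
 * Returns the length, or -1 if the header must be rejected.
 */
long parse_content_length(const char *header, long max)
{
    if (header == NULL || *header == '\0')
        return -1;
    if (*header < '0' || *header > '9')  /* rejects "-1", "+5", leading spaces */
        return -1;

    char *end;
    errno = 0;
    long value = strtol(header, &end, 10);
    if (errno != 0 || *end != '\0')      /* overflow or trailing garbage ("12abc") */
        return -1;
    if (value < 0 || value > max)
        return -1;
    return value;
}

/*
 * Copy a POST body out of an in-memory "stdin" only after the declared length
 * has been validated and checked against what is actually available.
 * Returns a NUL-terminated heap string the caller frees, or NULL on rejection.
 */
char *read_post_body(const char *content_length_header, const char *input, size_t input_len)
{
    long n = parse_content_length(content_length_header, MAX_POST_BODY);
    if (n < 0 || (size_t)n > input_len)
        return NULL;

    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, input, (size_t)n);
    buf[n] = '\0';
    return buf;
}

/* Convenience check: does the hardened reader yield exactly `expected`? */
int read_post_body_matches(const char *header, const char *input, size_t input_len,
                           const char *expected)
{
    char *p = read_post_body(header, input, input_len);
    int ok = (p != NULL && strcmp(p, expected) == 0);
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed sample request body; not taken from any real capture. */
    const char body[] = "host=web01&service=HTTP";
    const char *headers[] = { "23", "4", "-1", "-2", "12abc", "99999999" };

    for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++) {
        char *p = read_post_body(headers[i], body, sizeof body - 1);
        printf("CONTENT_LENGTH=%-9s naive malloc size=%-20zu hardened: %s\n",
               headers[i], naive_alloc_size(headers[i]), p ? "accepted" : "rejected");
        free(p);
    }
    return 0;
}
```

The naive path shows both outcomes Ethan raises: "-1" turns into malloc(0), and any more negative value wraps to an enormous size_t, so a later copy that trusts the header writes past whatever malloc() returned. The check that matters is the one before allocation: refuse the header unless it is a plain non-negative decimal that fits a sane cap and does not exceed the bytes really present on stdin.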