SB2014121302 - Gentoo update for Nagios

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Stack-based buffer overflow (CVE-ID: CVE-2012-6096)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a long (1) host_name variable (host parameter) or (2) svc_description variable. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Input validation error (CVE-ID: CVE-2013-7108)

The vulnerability allows a remote #AU# to #BASIC_IMPACT#.

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.

3) Out-of-bounds read (CVE-ID: CVE-2013-7205)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when processing a long string in the last key value in the variable list, which triggers a heap-based buffer over-read within the Off-by-one error in the process_cgivars function in contrib/daemonchk.c. A remote attacker can create a specially crafted file, pass it to the application, trigger out-of-bounds read error and crash the affected application.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/201412-23