[Pkg-nagios-devel] [md@mailq.de: Buffer Overflow in nrpe.c]

sean finney seanius@debian.org
Tue, 21 Dec 2004 15:04:21 -0500


On Tue, Dec 21, 2004 at 12:59:02PM +0100, Mischa Diehm wrote:
> > also, if you could answer a couple questions about this bug:
> >
> > - is this in the nrpe client, or server?
> It's in the server:
> If you specify a command_name with length(cmd_name) >32+1024  the nrpe
> server segfaults on startup ...
> ^^^^^^

aha, thanks for clarifying.  this bug should then be reported against
nagios-nrpe-server, maintained by another developer.

> > - is this locally (non-root) or remotely exploitable?
> it is a local bug which makes the server segfault while reading its
> config file.

okay, that's good :)  means the security team doesn't need to get
involved, phew.

> > both the client and server for nrpe are separately maintained
> > packages from the main nagios packages, so when we do find this
> > out i'll re-assign it, and contact the security team if necessary.
> Don't know if this is too important but just wanted to let you guys
> know.

i'd say this qualified as either normal or important severity level,
depending on how much of a headache this causes for you (i don't
use nrpe myself).

in any case, i'm cc'ing the maintainer for nagios-nrpe-server, you and
he should continue correspondence on this.


