[Pkg-nagios-devel] [firstname.lastname@example.org: Buffer Overflow in nrpe.c]
Tue, 21 Dec 2004 15:04:21 -0500
On Tue, Dec 21, 2004 at 12:59:02PM +0100, Mischa Diehm wrote:
> > also, if you could answer a couple questions about this bug:
> > - is this in the nrpe client, or server?
> It's in the server:
> If you specify a command_name with length(cmd_name) >32+1024 the nrpe
> server segfaults on startup ...
aha, thanks for clarifying. this bug should then be reported against
nagios-nrpe-server, maintained by another developer.
> > - is this locally (non-root) or remotely exploitable?
> it is a local bug which makes the server segfault while reading its
> config file.
okay, that's good :) means the security team doesn't need to get
> > both the client and server for nrpe are separately maintained
> > packages from the main nagios packages, so when we do find this
> > out i'll re-assign it, and contact the security team if necessary.
> Don't know if this is too important but just wanted to let you guys
i'd say this qualified as either normal or important severity level,
depending on how much of a headache this causes for you (i don't
use nrpe myself).
in any case, i'm cc'ing the maintainer for nagios-nrpe-server, you and
he should continue correspondence on this.