[Pkg-nagios-devel] [md@mailq.de: Buffer Overflow in nrpe.c]
sean finney
seanius@debian.org
Tue, 21 Dec 2004 15:04:21 -0500
--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Dec 21, 2004 at 12:59:02PM +0100, Mischa Diehm wrote:
> > also, if you could answer a couple questions about this bug:
> >=20
> > - is this in the nrpe client, or server?
>=20
> It's in the server:
>=20
> If you specify a command_name with length(cmd_name) >32+1024 the nrpe
> server segfaults on statup ...
> ^^^^^^
aha, thanks for clarifying. this bug should then be reported against
nagios-nrpe-server, maintained by another developer.
> > - is this locally (non-root) or remotely exploitable?
>=20
> it is a local bug which makes the server segfault while reading its
> config file.
okay, that's good :) means the security team doesn't need to get
involved, phew.
> > both the client and server for nrpe are seperately maintained
> > packages from the main nagios packages, so when we do find this
> > out i'll re-assign it, and contact the security team if necessary.
>=20
> Don't know if this is too important but just wanted to let you guys
> know.
i'd say this qualified as either normal or important severity level,
depending on how much of a headache this causes for you (i don't
use nrpe myself).
in any case, i'm cc'ing the maintainer for nagios-nrpe-server, you and
he should continue correspondance on this.
thanks,
sean
--=20
--WIyZ46R2i8wDzkSu
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFByIHFynjLPm522B0RAvJMAJ48lp7q172BH61jWcxHc9ZVGDSnuwCffqBm
4d9bjSrb1FfGBA7m55nbn1E=
=VJn3
-----END PGP SIGNATURE-----
--WIyZ46R2i8wDzkSu--