[Pkg-nagios-devel] Bug#366682: CVE-2006-2162: Buffer overflow in nagios

sean finney seanius at debian.org
Thu May 11 23:17:23 UTC 2006

On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> severity 366682 important
> severity 366683 important
> thanks
> Hi,
> the Ubuntu guys already found out that Apache 2 doesn't accept 
> requests with negative content length and I just checked that Apache 
> 1.3 doesn't either. I guess this makes this a quite low impact 
> vulnerability.

what if:

On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> Please note that upstream doesn't check for content length == INT_MAX

i don't have a nagios install online right now (can tomorrow  morning)
so i can't run the PoC mentioned in the BTS (thanks stefan), i'd
be interested to see how it handles 2147483647 (or your arch's
equivalent of INT_MAX).  if the code actually increments the size
by one AFTER receiving the data...  then we should probably readjust
the severities.

and by the way, i'm a bit annoyed that ubuntu managed to send off a
USN on this 4 days ago, and not even bother to think "hey, maybe
we should mention this to the debian guys". 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20060511/2f0d19bf/attachment-0002.pgp

More information about the Pkg-nagios-devel mailing list