Buffer overflow in check_http.c (CVE-2007-5198)

Bug #152624 reported by Luca Falavigna
Affects                  Status         Importance   Assigned to        Milestone
nagios-plugins (Ubuntu)  Fix Released   Undecided    Unassigned
Dapper                   Fix Released   Undecided    Unassigned
Edgy                     Fix Released   Undecided    Jamie Strandboge
Feisty                   Fix Released   Undecided    Jamie Strandboge

Bug Description

Binary package hint: nagios-plugins

nagios-plugin is affected by a buffer overflow vulnerability which allows remote web servers to execute arbitrary code via long Location header responses.
See here for further references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5198
http://sourceforge.net/tracker/index.php?func=detail&aid=1687867&group_id=29880&atid=397597

Luca Falavigna (dktrkranz) wrote :

Attached debdiff should fix this vulnerability. It is taken from nagios-plugins SVN repository, revno 1742.

Changed in nagios-plugins:
status: New → Confirmed
Luca Falavigna (dktrkranz) wrote :

Steffen Joeris just prepared an NMU, attaching debdiff to process a merge, then.

Andrea Veri (av) wrote :

Uploaded and approved both Edgy and Feisty tasks.

Changed in nagios-plugins:
status: New → Confirmed
status: New → Confirmed
Luca Falavigna (dktrkranz) wrote :

Accepted and built in Gutsy. I will prepare debdiffs for stable releases ASAP.

Changed in nagios-plugins:
status: Confirmed → Fix Released
Changed in nagios-plugins:
assignee: nobody → dktrkranz
status: Confirmed → In Progress
assignee: nobody → dktrkranz
status: Confirmed → In Progress
Luca Falavigna (dktrkranz) wrote :

Debdiff for feisty-security.

Changed in nagios-plugins:
assignee: dktrkranz → nobody
status: In Progress → Confirmed
Luca Falavigna (dktrkranz) wrote :

Debdiff for edgy-security.

Changed in nagios-plugins:
assignee: dktrkranz → nobody
status: In Progress → Confirmed
Luca Falavigna (dktrkranz) wrote :

Debdiff for dapper-security.

Changed in nagios-plugins:
assignee: nobody → jamie-strandboge
assignee: nobody → jamie-strandboge
Jamie Strandboge (jdstrand) wrote :

Thanks for your great work Luca. I have tested and verified the debdiffs and submitted them for upload.

Changed in nagios-plugins:
status: Confirmed → In Progress
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Spoke too soon. Upstream's patch doesn't completely fix the problem, so the upload will take a bit longer.

Jamie Strandboge (jdstrand) wrote :

nagios-plugins (1.4.5-2ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: denial of service via multiple HTTPS redirects
  * debian/patches/28_SECURITY_LP153697.dpatch: set SSL context and SSL
    connection to NULL in np_net_ssl_cleanup()
  * SECURITY UPDATE: denial of service via multiple redirects
  * debian/patches/29_SECURITY_LP153703.dpatch: fix off-by-one error to
    re-allocate the proper amount of memory in redir()
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    as the user in check_http.c via crafted Location Header
  * debian/patches/30_SECURITY_CVE-2007-5198.dpatch: properly validate
    Location header in redir(). Thanks to Luca Falavigna for preliminary
    patches.
  * References
    LP: #153697
    LP: #153703
    CVE-2007-5198
    LP: #152624
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- Jamie Strandboge <email address hidden> Wed, 17 Oct 2007 15:26:20 -0400

Changed in nagios-plugins:
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

nagios-plugins (1.4.8-2.1ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service via multiple HTTPS redirects
  * debian/patches/29_SECURITY_LP153697.dpatch: set SSL context and SSL
    connection to NULL in np_net_ssl_cleanup()
  * SECURITY UPDATE: denial of service via multiple redirects
  * debian/patches/30_SECURITY_LP153703.dpatch: fix off-by-one error to
    re-allocate the proper amount of memory in redir()
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    as the user in check_http.c via crafted Location Header
  * debian/patches/CVE-2007-5198.dpatch: previous patch was not complete.
    Patch now reworked to properly validate Location header in redir().
  * References
    LP: #153697
    LP: #153703
    CVE-2007-5198
    LP: #152624

 -- Jamie Strandboge <email address hidden> Thu, 18 Oct 2007 14:10:13 +0000

Changed in nagios-plugins:
status: In Progress → Fix Released
Thierry Carrez (ttx)
Changed in nagios-plugins (Ubuntu Dapper):
status: New → Fix Released
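
An added example, not the plugin's code or any of the patches attached to this report: one way to validate a Location header value before copying its parts into fixed-size buffers, the kind of check the changelog entries above describe for redir(). The names parse_location and struct redirect and both size limits are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Limits are assumptions for this example, not the plugin's constants. */
#define REDIR_HOST_MAX 255
#define REDIR_PATH_MAX 2048

struct redirect {
    char host[REDIR_HOST_MAX + 1];
    char path[REDIR_PATH_MAX + 1];
    int port;
};

/* Returns 0 on success, -1 if the value is malformed or a part is too long. */
int parse_location(const char *value, struct redirect *out)
{
    const char *p;
    size_t n;
    long port = 0;
    int digits = 0;

    memset(out, 0, sizeof *out);      /* zero fill keeps every copy NUL-terminated */
    if (strncmp(value, "https://", 8) == 0) { out->port = 443; p = value + 8; }
    else if (strncmp(value, "http://", 7) == 0) { out->port = 80; p = value + 7; }
    else return -1;
    n = strcspn(p, ":/");             /* host length; IPv6 literals not handled */
    if (n == 0 || n > REDIR_HOST_MAX) return -1;   /* length check before the copy */
    memcpy(out->host, p, n);
    p += n;
    if (*p == ':') {
        for (p++; *p >= '0' && *p <= '9'; p++) {
            if (++digits > 5) return -1;           /* bounds the accumulator too */
            port = port * 10 + (*p - '0');
        }
        if (digits == 0 || port < 1 || port > 65535) return -1;
        out->port = (int)port;
    }
    if (*p == '\0') { out->path[0] = '/'; return 0; }   /* no path given: use "/" */
    if (*p != '/') return -1;
    n = strlen(p);
    if (n > REDIR_PATH_MAX) return -1;
    memcpy(out->path, p, n + 1);      /* n + 1 so the terminator is copied as well */
    return 0;
}

int main(void)
{
    struct redirect r;
    int rc = parse_location("http://example.org:8080/status", &r);  /* constructed value */
    if (rc == 0) printf("%s %d %s\n", r.host, r.port, r.path);
    return rc ? 1 : 0;
}
```
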