Fedora has issued an advisory on January 14: http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097239.html The issue is fixed upstream in 3.4.4. Mageia 2 is also likely to be affected.
CC: (none) => guillomovitch
Whiteboard: (none) => MGA2TOO
OpenSuSE has issued an advisory for this on January 23: http://lists.opensuse.org/opensuse-updates/2013-01/msg00033.html They have a patch for 3.3.1 (the version we have in Mageia 2).
Fixed in Cauldron by Guillaume.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
The Suse patch seems to be wrong, it just replaces sprintf with snprintf without a size argument...

I just submitted nagios-3.3.1-2.2.mga2 to core_updates/testing.

The same advisory as Fedora can be used:

Nagios Core's history.cgi is vulnerable to a buffer overflow because it used sprintf on user-supplied data that was not restricted in size (CVE-2012-6096). Due to various protections of the operating system (history.cgi is compiled with SSP, FORTIFY_SOURCE is enabled, etc.) this is not believed to be exploitable and would result in a denial of service to the user sending the input to history.cgi.
Assignee: guillomovitch => qa-bugs
Thanks Guillaume!

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6096
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097239.html

RPMs:
nagios-3.3.1-2.2.mga2
nagios-www-3.3.1-2.2.mga2
nagios-theme-default-3.3.1-2.2.mga2
nagios-devel-3.3.1-2.2.mga2
*** Bug 8653 has been marked as a duplicate of this bug. ***
CC: (none) => oe
PoC: http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

"An example url that results in an overflow (and segfault):
http://nagiosserver/nagios/cgi-bin/history.cgi?host=aaaaaaa... (4000 'a's)"
Patch checked into Mageia 1 SVN.
One-liner to create the link:
echo -e "http://nagiosserver/nagios/cgi-bin/history.cgi?host="$(perl -e 'print "a" x 4000,"\n"') > nagioslink
Testing mga2 64

After install, start nagios service. No default user is configured so browsing to http://localhost/nagios you are prevented from using many of the options and at the top it shows 'Logged in as ?'

Without setting up htaccess, which I believe is the way to authenticate, for the purposes of testing I edited /etc/nagios/cgi.cfg and uncommented default_user_name and changed the user from guest to nagios. Restarting httpd and browsing again it now shows 'Logged in as nagios' and stuff works. There is no explanation of how this is packaged so it's not really very user friendly.

Nagios is configured to use certain plugins by default which are not installed by default so generates a lot of warnings in syslog. Total Processes, Current Load, Current Users, HTTP, PING, SSH, Swap Usage, host all give warnings similar to this:

nagios: Warning: Return code of 127 for check of service 'Swap Usage' on host 'localhost' was out of bounds. Make sure the plugin you're trying to run actually exists.

I do have nagios-plugins installed.

# rpm -q nagios-plugins
nagios-plugins-1.4.15-9.mga2

Installing e.g. nagios-check_ssh causes it to restart the nagios daemon which then fails to restart.

nagios[17462]: Warning: Duplicate definition found for command 'check_ssh' (config file '/etc/nagios/plugins.d/check_ssh.cfg', starting on line 3)

Same for others I tried such as nagios-check_http

nagios: Warning: Duplicate definition found for command 'check_http' (config file '/etc/nagios/plugins.d/check_http.cfg', starting on line 3)
nagios: Error: Could not add object property in file '/etc/nagios/plugins.d/check_http.cfg' on line 4.

Testing the CVE

Created a link with
echo -e "http://localhost/nagios/cgi-bin/history.cgi?host="$(perl -e 'print "a" x 4000,"\n"') > nagioslink

Pasting the link into a browser doesn't cause any crash, it tries to view the host.

After update, all the same.
Unless I'm doing something badly wrong, nagios is in a bit of a state but there are no regressions after the update.
Whiteboard: (none) => has_procedure mga2-64-ok
Before installing the update, I installed task-nagios, set use_authentication=0 in /etc/nagios/cgi.cfg, and restarted httpd. Going to http://localhost/nagios/, it shows ...

Error: Could not read object configuration data!

Running nagios -v /etc/nagios/nagios.cfg shows ...

Warning: Duplicate definition found for command 'check_ping' (config file '/etc/nagios/plugins.d/check_ping.cfg', starting on line 3)
Error: Could not add object property in file '/etc/nagios/plugins.d/check_ping.cfg' on line 4.
Error processing object config files!

I had to remove the following files to get the -v option to not show errors.

-rw-r--r-- 1 root root  456 Mar 29  2012 check_dhcp.cfg
-rw-r--r-- 1 root root  211 Mar 29  2012 check_hpjd.cfg
-rw-r--r-- 1 root root 2403 Mar 29  2012 check_http.cfg
-rw-r--r-- 1 root root  253 Mar 29  2012 check_nt.cfg
-rw-r--r-- 1 root root 2210 Mar 29  2012 check_ping.cfg
-rw-r--r-- 1 root root  201 Mar 29  2012 check_smtp.cfg
-rw-r--r-- 1 root root  460 Mar 29  2012 check_ssh.cfg
-rw-r--r-- 1 root root 3607 Mar 29  2012 check_tcp.cfg

Even after removing those files, and restarting httpd, any nagios link other than home or documentation still shows

Error: Could not read object configuration data!

Suggestions?
CC: (none) => davidwhodgins
I set default_user_name to nagios instead, Dave, and found it solved that. The errors I found too. I'll create some more bugs. It may be due to the existence of /etc/nagios/plugins.d/nagios-plugins.cfg_do_not_use in the nagios-plugins package but I'd had enough of trying to make it work by then to test any further.
Created new bugs. They are likely all symptoms of the same problem.

Bug 8985 - nagios-check_* packages cause nagios to fail to start with errors e.g. Error: Could not add object property in file '/etc/nagios/plugins.d/check_ping.cfg' on line 4.
Bug 8986 - nagios generates lots of warnings in syslog e.g. Return code of 127 for check of service 'Swap Usage' on host 'localhost' was out of bounds. Make sure the plugin you're trying to run actually exists.
Bug 8987 - Nagios fails to gather service data - (Return code of 127 is out of bounds - plugin may be missing)
Thanks Claire. Turning auth back on, and setting the default user fixed the problem.

Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm nagios-3.3.1-2.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Nagios update corrects a buffer overflow problem that could be used for a denial of service attack, with application crashes.

https://bugs.mageia.org/show_bug.cgi?id=8799
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok MGA2-32-OK
Guillaume gave a suggested advisory in Comment 3:

Nagios Core's history.cgi is vulnerable to a buffer overflow because it used sprintf on user-supplied data that was not restricted in size (CVE-2012-6096). Due to various protections of the operating system (history.cgi is compiled with SSP, FORTIFY_SOURCE is enabled, etc.) this is not believed to be exploitable and would result in a denial of service to the user sending the input to history.cgi.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6096
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097239.html
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0039
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED