1816813 – (CVE-2020-6582) CVE-2020-6582 nrpe: heap-based buffer overflow due to a wrong integer type conversion

Bug 1816813 (CVE-2020-6582) - CVE-2020-6582 nrpe: heap-based buffer overflow due to a wrong integer type conversion

Summary: CVE-2020-6582 nrpe: heap-based buffer overflow due to a wrong integer type co...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-6582
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1816814 1816816
Blocks:	1816815
TreeView+	depends on / blocked

Reported:	2020-03-24 19:18 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-06-09 17:35 UTC (History)
CC List:	10 users (show)
Fixed In Version:	nrpe 4.0.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in nrpe. A heap-based buffer overflow is possible due to the interpretation of a small negative number as a large positive number during a bzero call. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2020-03-25 14:18:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-03-24 19:18:13 UTC

Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call.

Reference:
https://herolab.usd.de/security-advisories/usd-2020-0001/

Comment 1 Guilherme de Almeida Suckevicz 2020-03-24 19:19:00 UTC

Created nrpe tracking bugs for this issue:

Affects: epel-all [bug 1816816]
Affects: fedora-all [bug 1816814]

Comment 2 Hardik Vyas 2020-03-25 14:18:18 UTC

Statement:

Nagios is considered deprecated. Nagios plugins and Nagios server are no longer maintained or supported. Refer following release notes for details: "https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.5/html-single/3.5_release_notes/index". The older version of nrpe which was shipped with Red Hat Gluster Storage does not support v3 packet format.

Comment 3 Hardik Vyas 2020-03-25 14:18:23 UTC

External References:

https://herolab.usd.de/security-advisories/usd-2020-0001/

Comment 4 Hardik Vyas 2020-03-25 14:18:34 UTC

Mitigation:

There is no known mitigation for this issue, the flaw can only be resolved by applying updates.

Note You need to log in before you can comment on or make changes to this bug.