Hi Sean!

Sean Finney wrote:
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > > - crafting a simple "user-agent" that can illustrate the vulnerability
> > > by sending a negative or 0 value for content length to a nagios cgi
> > > (it doesn't have to actually inject any shell code or anything, just
> > > PoC would be fine by me).
> >
> > Why user-agent? "All" you need to do is add some variables, so that
>
> as a general rule i feel much more comfortable having some kind of PoC
> code available that will tell me that my patch works. granted, in this
> case it's a rather straightforward patch, but still...
>
> > the Content-Length is either exactly INT_MAX or even larger, both
> > cause an integer overrun, which causes a negative malloc(), which causes
> > a situation in which the attacker may control some memory they shouldn't.
>
> ah yes.. good point about INT_MAX. i'll forward this upstream as well,
> since i don't think ethan considered this.
Thanks. Please let me know the version in sid that will have this problem
fixed once you know it.

Regards,

	Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
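The overrun discussed above, a Content-Length of INT_MAX or larger (or a negative one) flowing into malloc(), as an added illustration that is not Nagios code and not from anyone in this thread: a constructed model of the unchecked "atoi the header, add one, malloc" idiom next to a strict parser that refuses such headers before any allocation happens. The function names (`unchecked_request_size`, `parse_content_length`, `read_post_body`), the helper `post_body_equals` and the 1 MiB `MAX_POST_LEN` cap are assumptions made for this example; `read_post_body` takes an in-memory buffer standing in for stdin so it runs offline.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest POST body this CGI is willing to buffer (constructed policy value). */
#define MAX_POST_LEN (1024u * 1024u)

/* Models the unchecked idiom: int len = atoi(hdr); malloc(len + 1).
 * The +1 is computed in unsigned arithmetic only so the wrap is well defined
 * here; the returned value is what malloc() would receive once the (possibly
 * negative) int is converted to size_t. No memory is allocated. */
size_t unchecked_request_size(const char *hdr)
{
    int len = atoi(hdr);                          /* "2147483647" -> INT_MAX, "-5" -> -5 */
    int plus_one = (int)((unsigned int)len + 1u); /* INT_MAX + 1 wraps to INT_MIN */
    return (size_t)plus_one;                      /* negative int -> enormous size_t */
}

/* Strict parser for CONTENT_LENGTH. Returns 0 and stores the value on success.
 * Rejects: missing/empty header, non-digits or trailing junk, values that do
 * not fit (strtoll reports ERANGE instead of wrapping), negatives, and
 * anything above `limit`. */
int parse_content_length(const char *hdr, size_t limit, size_t *out)
{
    char *end;
    long long v;

    if (hdr == NULL || *hdr == '\0')
        return -1;
    errno = 0;
    v = strtoll(hdr, &end, 10);
    if (errno == ERANGE || end == hdr || *end != '\0')
        return -1;
    if (v < 0 || (unsigned long long)v > limit)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Convenience wrapper: the accepted length, or -1 when the header is rejected. */
long long checked_length(const char *hdr)
{
    size_t n;
    return parse_content_length(hdr, MAX_POST_LEN, &n) == 0 ? (long long)n : -1;
}

/* Read a POST body of the declared size from `input` (stands in for stdin;
 * `avail` is how many bytes are really there). The allocation len + 1 cannot
 * overflow because len <= MAX_POST_LEN, and a body shorter than the header
 * claims is rejected rather than left partly uninitialised. Caller frees. */
char *read_post_body(const char *hdr, const char *input, size_t avail)
{
    size_t len, got;
    char *buf;

    if (parse_content_length(hdr, MAX_POST_LEN, &len) != 0)
        return NULL;
    buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    got = avail < len ? avail : len;
    memcpy(buf, input, got);
    if (got != len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

/* Helper: 1 if read_post_body() yields `expected` (NULL matches a rejection). */
int post_body_equals(const char *hdr, const char *input, const char *expected)
{
    char *body = read_post_body(hdr, input, strlen(input));
    int same = (body == NULL) ? (expected == NULL)
                              : (expected != NULL && strcmp(body, expected) == 0);
    free(body);
    return same;
}

int main(void)
{
    /* Constructed header values, all within int range so atoi() is defined. */
    const char *hdrs[] = { "2147483647", "-5", "-1", "0", "12abc" };
    size_t i;

    for (i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++)
        printf("Content-Length %-12s unchecked malloc size %zu, strict parser: %lld\n",
               hdrs[i], unchecked_request_size(hdrs[i]), checked_length(hdrs[i]));
    printf("Content-Length %-12s strict parser: %lld (out of range for strtoll)\n",
           "99999999999999999999", checked_length("99999999999999999999"));
    return 0;
}
```

The strict parser does the arithmetic in `long long` and checks the range before the length is ever added to or used as an allocation size, so the INT_MAX case is rejected as "too large" rather than wrapping; the short-read check matters for the 0-or-negative cases too, since a body that does not match the declared length should never be trusted.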