25 Jul 2019, 7:52 a.m.
On Wed, Jul 24, 2019 at 06:46:51PM -0700, Japheth Cleaver wrote:
CSIRT may still have a write-up pending on these, but it is believed that the only impact is segfaults when passed in invalid/overflow input. This is typically a hostsvc being parsed and assigned to a PATH_MAX-sized variable via sprintf rather than snprintf.
In addition the Debian binaries of Xymon (not sure if this is also covered in the upstream build system or a Debian-specific change by relying on Debian's dpkg-buildflags infrastructure) are built with FORTIFY_SOURCE.
Cheers, Moritz
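
As an added illustration of the sprintf-versus-snprintf point in this thread (not code from Xymon or from either poster), here is a bounded path builder in C that rejects oversized input instead of truncating it. The function names and the "/d" directory are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper (not Xymon code): build "<dir>/<hostsvc>" into out.
 * Returns 0 on success, -1 if the result would not fit or formatting failed.
 * The pattern described in the thread is sprintf(out, "%s/%s", dir, hostsvc),
 * which has no bound and writes past out[] when hostsvc is too long. */
int build_hostsvc_path(char *out, size_t outsz, const char *dir, const char *hostsvc)
{
    int n;

    if (out == NULL || outsz == 0 || dir == NULL || hostsvc == NULL)
        return -1;

    n = snprintf(out, outsz, "%s/%s", dir, hostsvc);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Constructed input: a hostsvc of len 'A' characters under the directory "/d". */
int try_len(size_t len)
{
    static char hostsvc[PATH_MAX + 64];
    char path[PATH_MAX];

    if (len >= sizeof(hostsvc))
        return -2;
    memset(hostsvc, 'A', len);
    hostsvc[len] = '\0';
    return build_hostsvc_path(path, sizeof(path), "/d", hostsvc);
}

int main(void)
{
    printf("short hostsvc:     %d\n", try_len(10));
    printf("largest that fits: %d\n", try_len(PATH_MAX - 4));
    printf("one byte too long: %d\n", try_len(PATH_MAX - 3));
    return 0;
}
```

With _FORTIFY_SOURCE enabled and the destination size known at compile time, glibc routes sprintf through a checked variant that aborts the process on overflow; the snprintf return-value check above removes the overflow itself.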