Incident report
Resolution: Won't fix
Major
Zabbix Server and Agent (trunk rev.25240)
Linux
The Linux GNU C Library has a crashing issue.
It also affects Zabbix.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4051
The following command or setting makes Zabbix crash.
I used the latest trunk version (rev.25240).
Older versions are the same.
Zabbix Agent
Executing the following command causes Zabbix Agent to crash.
$ zabbix_get -s 127.0.0.1 -k 'vfs.file.regexp[/etc/passwd,".*{10,}{10,}{10,}{10,}{10,}"]'
Setting the following item from the WebUI has the same effect.
'vfs.file.regexp[/etc/passwd,".*{10,}{10,}{10,}{10,}{10,}"]'
Zabbix Server
Setting the following trigger from the WebUI causes Zabbix Server to crash when new data comes in from log[/tmp/out.log].
{Zabbix server:log[/tmp/out.log].regexp(".*{10,}{10,}{10,}{10,}{10,}")}=1
As far as I know, no Linux distributor has fixed the issue in about 1 year.
Maybe no Linux distributor will fix it.
They seem to think it is "unimportant" or that the application should check the input string.
https://bugzilla.redhat.com/show_bug.cgi?id=645859#c6
http://security-tracker.debian.org/tracker/CVE-2010-4051
Not only glibc but also eglibc has the same problem.
Debian and Ubuntu use eglibc as their C library.
I suggest using another regex library or adding a check of the input string to fix this problem.
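
The input check suggested in the report could take the following form. This is an added example, not part of the original report and not Zabbix code; `regex_is_safe`, `safe_regcomp` and both limits are hypothetical names and assumed policy values.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy limits, not values from Zabbix or glibc. */
#define MAX_PATTERN_LEN 512
#define MAX_INTERVALS   2   /* {m,n} quantifiers allowed per pattern */

/* Hypothetical helper: 1 if the ERE pattern passes the policy, else 0. */
int regex_is_safe(const char *pat)
{
    size_t len = strlen(pat), i, first = 0;
    int intervals = 0, prev_quant = 0, in_bracket = 0;

    if (len > MAX_PATTERN_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        char c = pat[i];
        if (in_bracket) {            /* quantifier chars are literals in [...] */
            if (c == ']' && i > first)
                in_bracket = 0;
        } else if (c == '\\') {
            i++;                     /* skip the escaped character */
            prev_quant = 0;
        } else if (c == '[') {
            in_bracket = 1;
            first = (pat[i + 1] == '^') ? i + 2 : i + 1;
            prev_quant = 0;
        } else if (c == '*' || c == '+' || c == '?' || c == '{') {
            if (prev_quant)
                return 0;            /* stacked quantifier such as .*{10,} */
            if (c == '{') {
                if (++intervals > MAX_INTERVALS)
                    return 0;
                while (i < len && pat[i] != '}')
                    i++;             /* skip the bounds */
            }
            prev_quant = 1;
        } else {
            prev_quant = 0;
        }
    }
    return 1;
}

/* Hypothetical wrapper: compile only patterns that pass the check. */
int safe_regcomp(regex_t *re, const char *pat, int cflags)
{
    return regex_is_safe(pat) ? regcomp(re, pat, cflags | REG_EXTENDED) : REG_BADPAT;
}
```

The check is a syntactic screen run before `regcomp()`, so a rejected pattern never reaches the C library; repetition inside groups is limited only by the interval cap.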