Xymon Mailing List Archive

Xymon 4.3.29 Released - Important Security Update

Moritz Mühlenhoff
Thu, 25 Jul 2019 09:52:08 +0200
Message-Id: <user-81c191cbf823@xymon.invalid>

On Wed, Jul 24, 2019 at 06:46:51PM -0700, Japheth Cleaver wrote:
> CSIRT may still have a write-up pending on these, but it is believed that
> the only impact are segfaults when passed in invalid/overflow input. This is
> typically a hostsvc being parsed and assigned to a PATH_MAX-sized variable
> via sprintf rather than snprintf.

In addition the Debian binaries of Xymon (not sure if this is also covered
in the upstream build system or a Debian-specific change by relying on
Debian's dpkg-buildflags infrastructure) are built with FORTIFY_SOURCE.

Cheers,
        Moritz
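
Added example, not part of the original message or the Xymon source: a bounded way to format a hostsvc string into a PATH_MAX-sized buffer that rejects oversized input instead of overflowing or silently truncating. The helper name `build_hostsvc_path`, the directory `/tmp/example-data` and the sample hostsvc values are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper: write "<dir>/<hostsvc>" into dst (dstsz bytes).
 * Returns 0 on success, -1 if an argument is invalid or the result
 * would not fit in dst including the terminating NUL. */
int build_hostsvc_path(char *dst, size_t dstsz,
                       const char *dir, const char *hostsvc)
{
    int n;

    if (dst == NULL || dstsz == 0 || dir == NULL || hostsvc == NULL)
        return -1;

    /* The unbounded form, sprintf(dst, "%s/%s", dir, hostsvc), writes
     * past dst when the input is longer than the buffer. snprintf never
     * writes more than dstsz bytes and returns the length it needed. */
    n = snprintf(dst, dstsz, "%s/%s", dir, hostsvc);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';   /* do not hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_MAX];
    char oversized[PATH_MAX * 2];   /* constructed overlong input */

    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    if (build_hostsvc_path(path, sizeof(path),
                           "/tmp/example-data", "host1.example.cpu") == 0)
        printf("ok: %s\n", path);

    if (build_hostsvc_path(path, sizeof(path),
                           "/tmp/example-data", oversized) != 0)
        printf("rejected: hostsvc does not fit in PATH_MAX\n");

    return 0;
}
```

Checking the return value matters: snprintf alone prevents the out-of-bounds write, but without the length check the caller would continue with a truncated path.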