#! /bin/sh /usr/share/dpatch/dpatch-run ## 99_securit_cve_2012_6096.dpatch by Alexander Wirt ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096) ## DP: Debian Bug #697930 ## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547 @DPATCH@ diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/getcgi.c nagios3-3.2.1/cgi/getcgi.c --- nagios3-3.2.1~/cgi/getcgi.c 2013-02-01 20:30:08.000000000 +0000 +++ nagios3-3.2.1/cgi/getcgi.c 2013-02-01 20:31:07.000000000 +0000 @@ -137,14 +137,15 @@ /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */ if(getenv("QUERY_STRING")==NULL){ cgiinput=(char *)malloc(1); - if(cgiinput==NULL){ - printf("getcgivars(): Could not allocate memory for CGI input.\n"); - exit(1); - } - cgiinput[0]='\x0'; + if(cgiinput != NULL) + cgiinput[0]='\x0'; } else cgiinput=strdup(getenv("QUERY_STRING")); + if(cgiinput==NULL){ + printf("getcgivars(): Could not allocate memory for CGI input.\n"); + exit(1); + } } else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){ @@ -220,7 +221,12 @@ paircount=0; nvpair=strtok(cgiinput,"&"); while(nvpair){ - pairlist[paircount++]=strdup(nvpair); + pairlist[paircount] = strdup(nvpair); + if( NULL == pairlist[paircount]) { + printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount); + exit(1); + } + paircount++; if(!(paircount%256)){ pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **)); if(pairlist==NULL){ 
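Review bot: The QUERY_STRING fallback still takes two different allocation paths and calls getenv("QUERY_STRING") twice, once for the NULL test and once for the strdup, before reaching the shared NULL check this hunk introduces; caching the lookup lets both cases go through one strdup, `const char *qs = getenv("QUERY_STRING");` followed by `cgiinput = strdup(qs ? qs : "");`, after which the single `if(cgiinput==NULL)` exit covers both. That also removes the `(char *)malloc(1)` cast, which is redundant in C, and the separate `if(cgiinput != NULL)` guard. getcgivars() begins and ends outside the hunk.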
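Review bot: The growth step right after the new check still passes `(paircount+256)*sizeof(char **)` to realloc and stores the result straight back into `pairlist`; the elements are `char *`, so `sizeof *pairlist` is the type-safe spelling, and going through a temporary is the usual way to keep the old block reachable on failure, although the `exit(1)` on the following line makes that leak academic here. The new `printf`/`exit(1)` pair writes the allocation failure to stdout, which for a CGI is the HTTP response stream, so the message presumably reaches the web server before any header rather than an operator; a comment such as `/* allocation failure: abort the request, nothing else can be done */` above the check would record that this is intended. The enclosing while loop continues past the hunk.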
@@ -245,13 +251,29 @@ /* get the variable name preceding the equal (=) sign */ if((eqpos=strchr(pairlist[i],'='))!=NULL){ *eqpos='\0'; - unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1)); + cgivars[i * 2 + 1] = strdup(eqpos + 1); + if( NULL == cgivars[ i * 2 + 1]) { + printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i); + exit(1); + } + unescape_cgi_input(cgivars[i * 2 + 1]); + } + else { + cgivars[i * 2 + 1] = strdup(""); + if( NULL == cgivars[ i * 2 + 1]) { + printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i); + exit(1); + } + unescape_cgi_input(cgivars[i * 2 + 1]); } - else - unescape_cgi_input(cgivars[i*2+1]=strdup("")); /* get the variable value (or name/value of there was no real "pair" in the first place) */ - unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i])); + cgivars[i * 2] = strdup(pairlist[i]); + if( NULL == cgivars[ i * 2]) { + printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i); + exit(1); + } + unescape_cgi_input(cgivars[i * 2]); } /* terminate the name-value list */ diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/history.c nagios3-3.2.1/cgi/history.c --- nagios3-3.2.1~/cgi/history.c 2013-02-01 20:30:08.000000000 +0000 +++ nagios3-3.2.1/cgi/history.c 2013-02-01 20:31:07.000000000 +0000 
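Review bot: The new error message in the else branch has a typo, `empty stringfor variable value`; it should read `printf("getcgivars(): Could not allocate memory for empty string for variable value #%d.\n", i);`. The strdup-check-exit sequence now appears three times in this loop body with only the message text differing, so a small static helper that duplicates a string or exits with the given message would keep the three sites identical and make a missing check easier to spot in later edits. Calling unescape_cgi_input() on the freshly allocated empty string is harmless but does no work. The for loop and the allocation of cgivars start before the hunk.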
@@ -805,16 +805,22 @@ else if(display_type==DISPLAY_HOSTS){ if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){ - sprintf(match1," HOST ALERT: %s;",host_name); - sprintf(match2," SERVICE ALERT: %s;",host_name); + snprintf(match1, sizeof( match1), + " HOST ALERT: %s;", host_name); + snprintf(match2, sizeof( match2), + " SERVICE ALERT: %s;", host_name); } else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){ - sprintf(match1," HOST FLAPPING ALERT: %s;",host_name); - sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name); + snprintf(match1, sizeof( match1), + " HOST FLAPPING ALERT: %s;", host_name); + snprintf(match2, sizeof( match2), + " SERVICE FLAPPING ALERT: %s;", host_name); } else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){ - sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name); - sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name); + snprintf(match1, sizeof( match1), + " HOST DOWNTIME ALERT: %s;", host_name); + snprintf(match2, sizeof( match2), + " SERVICE DOWNTIME ALERT: %s;", host_name); } if(show_all_hosts==TRUE) 
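Review bot: The snprintf calls bound the write but discard the return value, so a host_name long enough to fill match1 or match2 is silently truncated and loses its trailing `;` delimiter; these strings are later used as strstr() needles (visible in the @@ -853 hunk), and a truncated needle is a bare prefix that can match more log lines than the exact host name was meant to. A check such as `if(snprintf(match1, sizeof(match1), " HOST ALERT: %s;", host_name) >= (int)sizeof(match1)) { /* truncated: this name cannot be matched exactly */ }` on each call, with the entry then skipped rather than compared, would keep the overflow fix from changing which lines are displayed. This assumes match1 and match2 are fixed-size arrays; their declarations are outside the hunk, and sizeof on a pointer would give the pointer size instead. The same point applies to the three calls in the @@ -853 hunk.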
@@ -853,11 +859,11 @@ else if(display_type==DISPLAY_SERVICES){ if(history_type==SERVICE_HISTORY) - sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description); + snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description); else if(history_type==SERVICE_FLAPPING_HISTORY) - sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description); + snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description); else if(history_type==SERVICE_DOWNTIME_HISTORY) - sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description); + snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description); if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY)) display_line=TRUE;
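Review bot: The three new snprintf lines are each written on a single line that runs well past 100 columns, while the equivalent calls in the @@ -805 hunk are wrapped after the size argument; one layout should be used at both sites, preferably the wrapped form, e.g. `snprintf(match1, sizeof(match1),` followed by `" SERVICE ALERT: %s;%s;", host_name, svc_description);`. The `sizeof( match1)` spacing with a space after the opening parenthesis is unusual and easy to normalise to `sizeof(match1)` while these lines are being touched. Handling of truncation for these calls is covered in the note on the @@ -805 hunk.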