
Contents of /updates/1/nagios/current/SOURCES/nagios-3.2.3-CVE-2012-6096.patch



Revision 394725 - (show annotations) (download)
Tue Feb 5 19:54:43 2013 UTC (7 years, 6 months ago) by luigiwalser
File size: 5525 byte(s)
add patch from debian to fix CVE-2012-6096
1 #! /bin/sh /usr/share/dpatch/dpatch-run
2 ## 99_securit_cve_2012_6096.dpatch by Alexander Wirt <formorer@debian.org>
3 ##
4 ## All lines beginning with `## DP:' are a description of the patch.
5 ## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096)
6 ## DP: Debian Bug #697930
7 ## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
8
9 @DPATCH@
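--- a/cgi/getcgi.c
+++ b/cgi/getcgi.c
@@ -137,14 +137,15 @@
 /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 if(getenv("QUERY_STRING")==NULL){
 cgiinput=(char *)malloc(1);
- if(cgiinput==NULL){
- printf("getcgivars(): Could not allocate memory for CGI input.\n");
- exit(1);
- }
- cgiinput[0]='\x0';
+ if(cgiinput != NULL)
+ cgiinput[0]='\x0';
 }
 else
 cgiinput=strdup(getenv("QUERY_STRING"));
+ if(cgiinput==NULL){
+ printf("getcgivars(): Could not allocate memory for CGI input.\n");
+ exit(1);
+ }
 }
 
 else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){
@@ -220,7 +221,12 @@
 paircount=0;
 nvpair=strtok(cgiinput,"&");
 while(nvpair){
- pairlist[paircount++]=strdup(nvpair);
+ pairlist[paircount] = strdup(nvpair);
+ if( NULL == pairlist[paircount]) {
+ printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
+ exit(1);
+ }
+ paircount++;
 if(!(paircount%256)){
 pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));
 if(pairlist==NULL){
@@ -245,13 +251,29 @@
 /* get the variable name preceding the equal (=) sign */
 if((eqpos=strchr(pairlist[i],'='))!=NULL){
 *eqpos='\0';
- unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
+ cgivars[i * 2 + 1] = strdup(eqpos + 1);
+ if( NULL == cgivars[ i * 2 + 1]) {
+ printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2 + 1]);
+ }
+ else {
+ cgivars[i * 2 + 1] = strdup("");
+ if( NULL == cgivars[ i * 2 + 1]) {
+ printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2 + 1]);
 }
- else
- unescape_cgi_input(cgivars[i*2+1]=strdup(""));
 
 /* get the variable value (or name/value of there was no real "pair" in the first place) */
- unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
+ cgivars[i * 2] = strdup(pairlist[i]);
+ if( NULL == cgivars[ i * 2]) {
+ printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2]);
 }
 
 /* terminate the name-value list */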
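Review bot: The error string added in the `else` branch of the third hunk runs two words together (`empty stringfor`); it should read `"getcgivars(): Could not allocate memory for empty string for variable value #%d.\n"`. The `unescape_cgi_input()` call that follows it works on a freshly duplicated empty string, so it presumably has nothing to decode and is there only for symmetry with the other branch. All of the new checks report failure with `printf()` to stdout, which in a CGI is the HTTP response; whether the headers have been emitted by this point is not visible here, so it is worth confirming the message cannot land ahead of them. The body of getcgivars() starts and ends outside these hunks.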
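--- a/cgi/history.c
+++ b/cgi/history.c
@@ -805,16 +805,22 @@
 else if(display_type==DISPLAY_HOSTS){
 
 if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){
- sprintf(match1," HOST ALERT: %s;",host_name);
- sprintf(match2," SERVICE ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE ALERT: %s;", host_name);
 }
 else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){
- sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
- sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST FLAPPING ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE FLAPPING ALERT: %s;", host_name);
 }
 else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){
- sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
- sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST DOWNTIME ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE DOWNTIME ALERT: %s;", host_name);
 }
 
 if(show_all_hosts==TRUE)
@@ -853,11 +859,11 @@
 else if(display_type==DISPLAY_SERVICES){
 
 if(history_type==SERVICE_HISTORY)
- sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
 else if(history_type==SERVICE_FLAPPING_HISTORY)
- sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
 else if(history_type==SERVICE_DOWNTIME_HISTORY)
- sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
 
 if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY))
 display_line=TRUE;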
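Review bot: The `snprintf()` calls added in both hunks discard their return value, so an over-long `host_name` or `svc_description` is truncated silently rather than rejected. A truncated pattern loses its trailing `;` delimiter, and the `strstr(temp_buffer,match1)` test at the end of the second hunk would then also match log lines for any host or service whose name merely begins with the truncated text. Compare the result with the buffer size, e.g. `if(snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, svc_description) >= (int)sizeof(match1))`, and skip the entry on truncation instead of matching it. `sizeof(match1)` and `sizeof(match2)` bound the write only if both are arrays declared in this scope; their declarations lie outside the hunks and should be confirmed.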
