#! /bin/sh /usr/share/dpatch/dpatch-run |
## 99_securit_cve_2012_6096.dpatch by Alexander Wirt <formorer@debian.org> |
## |
## All lines beginning with `## DP:' are a description of the patch. |
## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096) |
## DP: Debian Bug #697930 |
## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547 |
|
@DPATCH@ |
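diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/getcgi.c nagios3-3.2.1/cgi/getcgi.c
--- nagios3-3.2.1~/cgi/getcgi.c	2013-02-01 20:30:08.000000000 +0000
+++ nagios3-3.2.1/cgi/getcgi.c	2013-02-01 20:31:07.000000000 +0000
@@ -137,14 +137,15 @@
 /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 if(getenv("QUERY_STRING")==NULL){
 cgiinput=(char *)malloc(1);
- if(cgiinput==NULL){
- printf("getcgivars(): Could not allocate memory for CGI input.\n");
- exit(1);
- }
- cgiinput[0]='\x0';
+ if(cgiinput != NULL)
+ cgiinput[0]='\x0';
 }
 else
 cgiinput=strdup(getenv("QUERY_STRING"));
+ if(cgiinput==NULL){
+ printf("getcgivars(): Could not allocate memory for CGI input.\n");
+ exit(1);
+ }
 }
 
 else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){
@@ -220,7 +221,12 @@
 paircount=0;
 nvpair=strtok(cgiinput,"&");
 while(nvpair){
- pairlist[paircount++]=strdup(nvpair);
+ pairlist[paircount] = strdup(nvpair);
+ if( NULL == pairlist[paircount]) {
+ printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
+ exit(1);
+ }
+ paircount++;
 if(!(paircount%256)){
 pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));
 if(pairlist==NULL){
@@ -245,13 +251,29 @@
 /* get the variable name preceding the equal (=) sign */
 if((eqpos=strchr(pairlist[i],'='))!=NULL){
 *eqpos='\0';
- unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
+ cgivars[i * 2 + 1] = strdup(eqpos + 1);
+ if( NULL == cgivars[ i * 2 + 1]) {
+ printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2 + 1]);
+ }
+ else {
+ cgivars[i * 2 + 1] = strdup("");
+ if( NULL == cgivars[ i * 2 + 1]) {
+ printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2 + 1]);
 }
- else
- unescape_cgi_input(cgivars[i*2+1]=strdup(""));
 
 /* get the variable value (or name/value of there was no real "pair" in the first place) */
- unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
+ cgivars[i * 2] = strdup(pairlist[i]);
+ if( NULL == cgivars[ i * 2]) {
+ printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2]);
 }
 
 /* terminate the name-value list */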
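Review bot: The new error message in the else branch of the third hunk is missing a space, `"... for empty stringfor variable value #%d.\n"`; it should read `printf("getcgivars(): Could not allocate memory for empty string for variable value #%d.\n", i);`. Beyond that, the strdup-then-check-then-exit sequence is now written out four times across the second and third hunks (name-value pair, cgi value, empty value, cgi name); a file-static helper taking the source string and a short description, returning the copy and printing-and-exiting on NULL, would keep a single copy and let the two branches of the `eqpos` test end in one shared `unescape_cgi_input(cgivars[i * 2 + 1]);` call. Note also that these diagnostics go to stdout via `printf`, which in a CGI presumably means they land in the HTTP response body rather than the server error log; that is pre-existing behaviour, but a `fprintf(stderr, ...)` would be the defender-friendly choice while touching these lines. The loop bodies changed here belong to getcgivars(), whose start and end lie outside the hunks.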
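diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/history.c nagios3-3.2.1/cgi/history.c
--- nagios3-3.2.1~/cgi/history.c	2013-02-01 20:30:08.000000000 +0000
+++ nagios3-3.2.1/cgi/history.c	2013-02-01 20:31:07.000000000 +0000
@@ -805,16 +805,22 @@
 else if(display_type==DISPLAY_HOSTS){
 
 if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){
- sprintf(match1," HOST ALERT: %s;",host_name);
- sprintf(match2," SERVICE ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE ALERT: %s;", host_name);
 }
 else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){
- sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
- sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST FLAPPING ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE FLAPPING ALERT: %s;", host_name);
 }
 else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){
- sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
- sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST DOWNTIME ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE DOWNTIME ALERT: %s;", host_name);
 }
 
 if(show_all_hosts==TRUE)
@@ -853,11 +859,11 @@
 else if(display_type==DISPLAY_SERVICES){
 
 if(history_type==SERVICE_HISTORY)
- sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
 else if(history_type==SERVICE_FLAPPING_HISTORY)
- sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
 else if(history_type==SERVICE_DOWNTIME_HISTORY)
- sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
 
 if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY))
 display_line=TRUE;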
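Review bot: Every snprintf in both hunks discards its return value, so a host_name or svc_description too long for match1/match2 no longer overruns the buffer but is silently truncated, and the truncated pattern, likely without the closing `;` that the format strings use as a delimiter, is still passed to the `strstr(temp_buffer,match1)` at the end of the second hunk, where a prefix such as `" SERVICE ALERT: host1"` would also match log lines of a host named `host10`. The `sizeof` arguments presuppose that match1 and match2 are fixed-size arrays; their declarations are not visible here, so that should be confirmed. Each call should be checked along the lines of `if(snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, svc_description) >= (int)sizeof(match1))` and a truncated pattern treated as matching nothing, never replaced by an empty match1, since `strstr` with an empty needle matches every line. The enclosing function, and the `strstr` that consumes the first hunk's match1/match2, lie outside these hunks.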