current/SOURCES/nagios-3.2.3-CVE-2012-6096.patch

#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_securit_cve_2012_6096.dpatch by Alexander Wirt <formorer@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096)
## DP: Debian Bug #697930
## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547

@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/getcgi.c nagios3-3.2.1/cgi/getcgi.c
--- nagios3-3.2.1~/cgi/getcgi.c 2013-02-01 20:30:08.000000000 +0000
+++ nagios3-3.2.1/cgi/getcgi.c  2013-02-01 20:31:07.000000000 +0000
@@ -137,14 +137,15 @@
                /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
                if(getenv("QUERY_STRING")==NULL){
                        cgiinput=(char *)malloc(1);
-                       if(cgiinput==NULL){
-                               printf("getcgivars(): Could not allocate memory for CGI input.\n");
-                               exit(1);
-                               }
-                       cgiinput[0]='\x0';
+                       if(cgiinput != NULL)
+                               cgiinput[0]='\x0';
                        }
                else
                        cgiinput=strdup(getenv("QUERY_STRING"));
+               if(cgiinput==NULL){
+                       printf("getcgivars(): Could not allocate memory for CGI input.\n");
+                       exit(1);
+                       }
                }
 
        else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){
@@ -220,7 +221,12 @@
        paircount=0;
        nvpair=strtok(cgiinput,"&");
        while(nvpair){
-               pairlist[paircount++]=strdup(nvpair);
+               pairlist[paircount] = strdup(nvpair);
+               if( NULL == pairlist[paircount]) {
+                       printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
+                       exit(1);
+                       }
+               paircount++;
                if(!(paircount%256)){
                        pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));
                        if(pairlist==NULL){
@@ -245,13 +251,29 @@
                /* get the variable name preceding the equal (=) sign */
                if((eqpos=strchr(pairlist[i],'='))!=NULL){
                        *eqpos='\0';
-                       unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
+                       cgivars[i * 2 + 1] = strdup(eqpos + 1);
+                       if( NULL == cgivars[ i * 2 + 1]) {
+                               printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
+                               exit(1);
+                               }
+                       unescape_cgi_input(cgivars[i * 2 + 1]);
+                       }
+               else {
+                       cgivars[i * 2 + 1] = strdup("");
+                       if( NULL == cgivars[ i * 2 + 1]) {
+                               printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
+                               exit(1);
+                               }
+                       unescape_cgi_input(cgivars[i * 2 + 1]);
                        } 
-               else
-                       unescape_cgi_input(cgivars[i*2+1]=strdup(""));
 
                /* get the variable value (or name/value of there was no real "pair" in the first place) */
-               unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
+               cgivars[i * 2] = strdup(pairlist[i]);
+               if( NULL == cgivars[ i * 2]) {
+                       printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
+                       exit(1);
+                       }
+               unescape_cgi_input(cgivars[i * 2]);
                }
 
        /* terminate the name-value list */
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/history.c nagios3-3.2.1/cgi/history.c
--- nagios3-3.2.1~/cgi/history.c        2013-02-01 20:30:08.000000000 +0000
+++ nagios3-3.2.1/cgi/history.c 2013-02-01 20:31:07.000000000 +0000
@@ -805,16 +805,22 @@
                        else if(display_type==DISPLAY_HOSTS){
 
                                if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){
-                                       sprintf(match1," HOST ALERT: %s;",host_name);
-                                       sprintf(match2," SERVICE ALERT: %s;",host_name);
+                                       snprintf(match1, sizeof( match1), 
+                                                       " HOST ALERT: %s;", host_name);
+                                       snprintf(match2, sizeof( match2), 
+                                                       " SERVICE ALERT: %s;", host_name);
                                        }
                                else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){
-                                       sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
-                                       sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
+                                       snprintf(match1, sizeof( match1), 
+                                                       " HOST FLAPPING ALERT: %s;", host_name);
+                                       snprintf(match2, sizeof( match2), 
+                                                       " SERVICE FLAPPING ALERT: %s;", host_name);
                                        }
                                else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){
-                                       sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
-                                       sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
+                                       snprintf(match1, sizeof( match1), 
+                                                       " HOST DOWNTIME ALERT: %s;", host_name);
+                                       snprintf(match2, sizeof( match2), 
+                                                       " SERVICE DOWNTIME ALERT: %s;", host_name);
                                        }
 
                                if(show_all_hosts==TRUE)
@@ -853,11 +859,11 @@
                        else if(display_type==DISPLAY_SERVICES){
 
                                if(history_type==SERVICE_HISTORY)
-                                       sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
+                                       snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
                                else if(history_type==SERVICE_FLAPPING_HISTORY)
-                                       sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
+                                       snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
                                else if(history_type==SERVICE_DOWNTIME_HISTORY)
-                                       sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
+                                       snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
 
                                if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY))
                                        display_line=TRUE;
1	luigiwalser	394725	#! /bin/sh /usr/share/dpatch/dpatch-run
2			## 99_securit_cve_2012_6096.dpatch by Alexander Wirt <formorer@debian.org>
3			##
4			## All lines beginning with `## DP:' are a description of the patch.
5			## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096)
6			## DP: Debian Bug #697930
7			## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
8
9			@DPATCH@
10			diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/getcgi.c nagios3-3.2.1/cgi/getcgi.c
11			--- nagios3-3.2.1~/cgi/getcgi.c 2013-02-01 20:30:08.000000000 +0000
12			+++ nagios3-3.2.1/cgi/getcgi.c 2013-02-01 20:31:07.000000000 +0000
13			@@ -137,14 +137,15 @@
14			/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
15			if(getenv("QUERY_STRING")==NULL){
16			cgiinput=(char *)malloc(1);
17			- if(cgiinput==NULL){
18			- printf("getcgivars(): Could not allocate memory for CGI input.\n");
19			- exit(1);
20			- }
21			- cgiinput[0]='\x0';
22			+ if(cgiinput != NULL)
23			+ cgiinput[0]='\x0';
24			}
25			else
26			cgiinput=strdup(getenv("QUERY_STRING"));
27			+ if(cgiinput==NULL){
28			+ printf("getcgivars(): Could not allocate memory for CGI input.\n");
29			+ exit(1);
30			+ }
31			}
32
33			else if(!strcmp(request_method,"POST") \|\| !strcmp(request_method,"PUT")){
34			@@ -220,7 +221,12 @@
35			paircount=0;
36			nvpair=strtok(cgiinput,"&");
37			while(nvpair){
38			- pairlist[paircount++]=strdup(nvpair);
39			+ pairlist[paircount] = strdup(nvpair);
40			+ if( NULL == pairlist[paircount]) {
41			+ printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
42			+ exit(1);
43			+ }
44			+ paircount++;
45			if(!(paircount%256)){
46			pairlist=(char *)realloc(pairlist,(paircount+256)sizeof(char **));
47			if(pairlist==NULL){
48			@@ -245,13 +251,29 @@
49			/* get the variable name preceding the equal (=) sign */
50			if((eqpos=strchr(pairlist[i],'='))!=NULL){
51			*eqpos='\0';
52			- unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
53			+ cgivars[i * 2 + 1] = strdup(eqpos + 1);
54			+ if( NULL == cgivars[ i * 2 + 1]) {
55			+ printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
56			+ exit(1);
57			+ }
58			+ unescape_cgi_input(cgivars[i * 2 + 1]);
59			+ }
60			+ else {
61			+ cgivars[i * 2 + 1] = strdup("");
62			+ if( NULL == cgivars[ i * 2 + 1]) {
63			+ printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
64			+ exit(1);
65			+ }
66			+ unescape_cgi_input(cgivars[i * 2 + 1]);
67			}
68			- else
69			- unescape_cgi_input(cgivars[i*2+1]=strdup(""));
70
71			/* get the variable value (or name/value of there was no real "pair" in the first place) */
72			- unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
73			+ cgivars[i * 2] = strdup(pairlist[i]);
74			+ if( NULL == cgivars[ i * 2]) {
75			+ printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
76			+ exit(1);
77			+ }
78			+ unescape_cgi_input(cgivars[i * 2]);
79			}
80
81			/* terminate the name-value list */
82			diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/history.c nagios3-3.2.1/cgi/history.c
83			--- nagios3-3.2.1~/cgi/history.c 2013-02-01 20:30:08.000000000 +0000
84			+++ nagios3-3.2.1/cgi/history.c 2013-02-01 20:31:07.000000000 +0000
85			@@ -805,16 +805,22 @@
86			else if(display_type==DISPLAY_HOSTS){
87
88			if(history_type==HOST_HISTORY \|\| history_type==SERVICE_HISTORY){
89			- sprintf(match1," HOST ALERT: %s;",host_name);
90			- sprintf(match2," SERVICE ALERT: %s;",host_name);
91			+ snprintf(match1, sizeof( match1),
92			+ " HOST ALERT: %s;", host_name);
93			+ snprintf(match2, sizeof( match2),
94			+ " SERVICE ALERT: %s;", host_name);
95			}
96			else if(history_type==HOST_FLAPPING_HISTORY \|\| history_type==SERVICE_FLAPPING_HISTORY){
97			- sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
98			- sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
99			+ snprintf(match1, sizeof( match1),
100			+ " HOST FLAPPING ALERT: %s;", host_name);
101			+ snprintf(match2, sizeof( match2),
102			+ " SERVICE FLAPPING ALERT: %s;", host_name);
103			}
104			else if(history_type==HOST_DOWNTIME_HISTORY \|\| history_type==SERVICE_DOWNTIME_HISTORY){
105			- sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
106			- sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
107			+ snprintf(match1, sizeof( match1),
108			+ " HOST DOWNTIME ALERT: %s;", host_name);
109			+ snprintf(match2, sizeof( match2),
110			+ " SERVICE DOWNTIME ALERT: %s;", host_name);
111			}
112
113			if(show_all_hosts==TRUE)
114			@@ -853,11 +859,11 @@
115			else if(display_type==DISPLAY_SERVICES){
116
117			if(history_type==SERVICE_HISTORY)
118			- sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
119			+ snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
120			else if(history_type==SERVICE_FLAPPING_HISTORY)
121			- sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
122			+ snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
123			else if(history_type==SERVICE_DOWNTIME_HISTORY)
124			- sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
125			+ snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
126
127			if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY \|\| history_type==SERVICE_FLAPPING_HISTORY \|\| history_type==SERVICE_DOWNTIME_HISTORY))
128			display_line=TRUE;