luigiwalser |
394725 |
#! /bin/sh /usr/share/dpatch/dpatch-run |
## 99_securit_cve_2012_6096.dpatch by Alexander Wirt <formorer@debian.org> |
## |
## All lines beginning with `## DP:' are a description of the patch. |
## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096) |
## DP: Debian Bug #697930 |
## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547 |
|
@DPATCH@ |
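--- a/cgi/getcgi.c
+++ b/cgi/getcgi.c
@@ -137,14 +137,15 @@
 /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 if(getenv("QUERY_STRING")==NULL){
 cgiinput=(char *)malloc(1);
- if(cgiinput==NULL){
- printf("getcgivars(): Could not allocate memory for CGI input.\n");
- exit(1);
- }
- cgiinput[0]='\x0';
+ if(cgiinput != NULL)
+ cgiinput[0]='\x0';
 }
 else
 cgiinput=strdup(getenv("QUERY_STRING"));
+ if(cgiinput==NULL){
+ printf("getcgivars(): Could not allocate memory for CGI input.\n");
+ exit(1);
+ }
 }
 
 else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){
@@ -220,7 +221,12 @@
 paircount=0;
 nvpair=strtok(cgiinput,"&");
 while(nvpair){
- pairlist[paircount++]=strdup(nvpair);
+ pairlist[paircount] = strdup(nvpair);
+ if( NULL == pairlist[paircount]) {
+ printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
+ exit(1);
+ }
+ paircount++;
 if(!(paircount%256)){
 pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));
 if(pairlist==NULL){
@@ -245,13 +251,29 @@
 /* get the variable name preceding the equal (=) sign */
 if((eqpos=strchr(pairlist[i],'='))!=NULL){
 *eqpos='\0';
- unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
+ cgivars[i * 2 + 1] = strdup(eqpos + 1);
+ if( NULL == cgivars[ i * 2 + 1]) {
+ printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2 + 1]);
+ }
+ else {
+ cgivars[i * 2 + 1] = strdup("");
+ if( NULL == cgivars[ i * 2 + 1]) {
+ printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2 + 1]);
 }
- else
- unescape_cgi_input(cgivars[i*2+1]=strdup(""));
 
 /* get the variable value (or name/value of there was no real "pair" in the first place) */
- unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
+ cgivars[i * 2] = strdup(pairlist[i]);
+ if( NULL == cgivars[ i * 2]) {
+ printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i * 2]);
 }
 
 /* terminate the name-value list */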
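Review bot: The new allocation-failure branches in all three hunks report the error with `printf()`, which in a CGI goes to the response stream rather than the server's error log, and nothing visible here shows whether the HTTP headers have been sent by then. Writing the diagnostic as `fprintf(stderr, "getcgivars(): Could not allocate memory for cgi value #%d.\n", i);` keeps it out of what the client receives; the removed lines used the same `printf()` pattern, so this is an inherited convention rather than something the patch introduced. The message in the `else` branch of the third hunk also has a typo, `empty stringfor variable value`, which should read `empty string for variable value`. The body of getcgivars() starts and ends outside these hunks.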
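--- a/cgi/history.c
+++ b/cgi/history.c
@@ -805,16 +805,22 @@
 else if(display_type==DISPLAY_HOSTS){
 
 if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){
- sprintf(match1," HOST ALERT: %s;",host_name);
- sprintf(match2," SERVICE ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE ALERT: %s;", host_name);
 }
 else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){
- sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
- sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST FLAPPING ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE FLAPPING ALERT: %s;", host_name);
 }
 else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){
- sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
- sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
+ snprintf(match1, sizeof( match1),
+ " HOST DOWNTIME ALERT: %s;", host_name);
+ snprintf(match2, sizeof( match2),
+ " SERVICE DOWNTIME ALERT: %s;", host_name);
 }
 
 if(show_all_hosts==TRUE)
@@ -853,11 +859,11 @@
 else if(display_type==DISPLAY_SERVICES){
 
 if(history_type==SERVICE_HISTORY)
- sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
 else if(history_type==SERVICE_FLAPPING_HISTORY)
- sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
 else if(history_type==SERVICE_DOWNTIME_HISTORY)
- sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
 
 if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY))
 display_line=TRUE;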
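Review bot: The return value of every `snprintf()` into `match1`/`match2` is ignored, so an over-long `host_name` or `svc_description` is now truncated silently and the pattern loses its trailing `;` delimiter. The second hunk then searches with `strstr(temp_buffer,match1)`, where a truncated pattern can match log lines for any object whose name merely shares that prefix. Capturing the result, as in `n = snprintf(match1, sizeof(match1), " HOST ALERT: %s;", host_name);`, and treating `n < 0 || (size_t)n >= sizeof(match1)` as "no match" avoids searching with a clipped pattern. `sizeof(match1)` is the buffer size only if `match1` and `match2` are arrays in this scope; their declarations, like the rest of the enclosing function, are outside the hunks.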