tag 697931 patch thanks Alexander Wirt schrieb am Saturday, den 12. January 2013:
> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote: > > > Package: icinga > > Severity: grave > > Tags: security > > Justification: user security hole > > > > This was assigned CVE-2012-6096: > > http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html > > > > Fix: > > http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547 > As it currently seems this fix is incomplete. The severity of the problem > isn't that high, so I want to wait until the icinga team has an official > patch. Ok, I backported the official patch to stable and attached it. Should I provide an updated package for security.d.o? Alex -- Alexander Wirt, formo...@formorer.de CC99 2DDD D39E 75B0 B0AA B25C D35B BC99 BC7D 020A
#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_fix_CVE-2012-6096.dpatch by <root@>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' icinga-1.0.2~/cgi/getcgi.c icinga-1.0.2/cgi/getcgi.c
--- icinga-1.0.2~/cgi/getcgi.c 2010-06-30 09:13:42.000000000 +0000
+++ icinga-1.0.2/cgi/getcgi.c 2013-01-14 06:05:50.511798545 +0000
@@ -153,15 +153,17 @@
 /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 if(getenv("QUERY_STRING")==NULL){
 cgiinput=(char *)malloc(1);
+ if (cgiinput != NULL) {
+ cgiinput[0] = '\x0';
+ }
+ } else
+ cgiinput = strdup(getenv("QUERY_STRING"));
 if(cgiinput==NULL){
 printf("getcgivars(): Could not allocate memory for CGI input.\n");
 exit(1);
- }
- cgiinput[0]='\x0';
- }
- else
- cgiinput=strdup(getenv("QUERY_STRING"));
- }
+ }
+ }
+ }
 else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){
@@ -236,7 +238,11 @@
 paircount=0;
 nvpair=strtok(cgiinput,"&");
 while(nvpair){
- pairlist[paircount++]=strdup(nvpair);
+ pairlist[paircount] = strdup(nvpair);
+ if(pairlist[paircount++] == NULL) {
+ printf("getcgivars(): Could not allocate memory for name-value pair element #%d.\n", paircount);
+ exit(1);
+ }
 if(!(paircount%256)){
 pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));
 if(pairlist==NULL){
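Review bot: In the `@@ -153` hunk of getcgi.c the new side appears to close one block too many: it adds one `{` and five `}` where the old side removed three `}`, so the last added `}` has nothing left to close before the `else if(!strcmp(request_method,"POST")` context line. Indentation is lost in this rendering, so the count should be confirmed against the attached file by compiling the patched getcgi.c. If it holds, dropping the final added `}` restores the balance; checking `cgiinput` once after both the `malloc(1)` and the `strdup` path is otherwise sound. The enclosing function starts and ends outside the hunk.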
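Review bot: In the `@@ -236` hunk the post-increment inside the NULL test, `if(pairlist[paircount++] == NULL)`, makes the failure message report a 1-based element number, while the messages added in the `@@ -261` hunk print the 0-based `i`. Testing first and incrementing afterwards, `if(pairlist[paircount] == NULL) { ... }` followed by `paircount++;`, keeps the check free of side effects and the numbering consistent. The `while(nvpair)` loop continues past the end of the hunk.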
@@ -261,14 +267,29 @@
 /* get the variable name preceding the equal (=) sign */
 if((eqpos=strchr(pairlist[i],'='))!=NULL){
 *eqpos='\0';
- unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
- }
+ cgivars[i*2+1] = strdup(eqpos + 1);
+ if(cgivars[i*2+1] == NULL) {
+ printf("getcgivars(): Could not allocate memory for cgi param value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i*2+1]);
+ }
 else
- unescape_cgi_input(cgivars[i*2+1]=strdup(""));
+ cgivars[i*2+1] = strdup("");
+ if(cgivars[i*2+1] == NULL) {
+ printf("getcgivars(): Could not allocate memory for empty cgi param value #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i*2+1]);
 /* get the variable value (or name/value of there was no real "pair" in the first place) */
- unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
- }
+ cgivars[i*2] = strdup(pairlist[i]);
+ if(cgivars[i*2] == NULL) {
+ printf("getcgivars(): Could not allocate memory for cgi param name #%d.\n", i);
+ exit(1);
+ }
+ unescape_cgi_input(cgivars[i*2]);
+ }
 /* terminate the name-value list */
 cgivars[paircount*2]='\x0';
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' icinga-1.0.2~/cgi/history.c icinga-1.0.2/cgi/history.c
--- icinga-1.0.2~/cgi/history.c 2010-06-30 09:13:42.000000000 +0000
+++ icinga-1.0.2/cgi/history.c 2013-01-14 06:05:50.511798545 +0000
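Review bot: In the `@@ -261` hunk of getcgi.c the `else` context line still has no braces, so only `cgivars[i*2+1] = strdup("");` belongs to it; the added NULL check and the second `unescape_cgi_input(cgivars[i*2+1]);` run on every iteration. For a pair that contains `=`, the value is therefore URL-decoded twice, so the string the CGI acts on can differ from what a single decoding pass of the request would give. Changing the line to `else {` and adding a closing `}` after that second `unescape_cgi_input` call restores one-pass decoding. Indentation is lost in this rendering, so confirm against the attached file; the surrounding loop begins outside the hunk.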
@@ -808,16 +808,16 @@
 else if(display_type==DISPLAY_HOSTS){
 if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){
- sprintf(match1," HOST ALERT: %s;",host_name);
- sprintf(match2," SERVICE ALERT: %s;",host_name);
+ snprintf(match1, sizeof(match1), " HOST ALERT: %s;", host_name);
+ snprintf(match2, sizeof(match2), " SERVICE ALERT: %s;", host_name);
 }
 else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){
- sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
- sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
+ snprintf(match1, sizeof(match1), " HOST FLAPPING ALERT: %s;", host_name);
+ snprintf(match2, sizeof(match2), " SERVICE FLAPPING ALERT: %s;", host_name);
 }
 else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){
- sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
- sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
+ snprintf(match1, sizeof(match1), " HOST DOWNTIME ALERT: %s;", host_name);
+ snprintf(match2, sizeof(match2), " SERVICE DOWNTIME ALERT: %s;", host_name);
 }
 if(show_all_hosts==TRUE)
@@ -856,11 +856,11 @@
 else if(display_type==DISPLAY_SERVICES){
 if(history_type==SERVICE_HISTORY)
- sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, service_desc);
 else if(history_type==SERVICE_FLAPPING_HISTORY)
- sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof(match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, service_desc);
 else if(history_type==SERVICE_DOWNTIME_HISTORY)
- sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
+ snprintf(match1, sizeof(match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, service_desc);
 if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY))
 display_line=TRUE;
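Review bot: The `snprintf` calls added in the `@@ -808` hunk of history.c, and likewise those in the `@@ -856` hunk, bound the write but ignore the return value, so an over-long `host_name` is silently truncated and the shortened `match1`/`match2` is still used as the search pattern. The `strstr(temp_buffer,match1)` visible in the `@@ -856` hunk would then also accept log entries of other hosts whose names share the truncated prefix. Capture the result and treat `n < 0 || (size_t)n >= sizeof(match1)` as "no match" for the line instead of searching with a cut-off pattern. `sizeof(match1)` is the buffer size only if `match1` and `match2` are arrays rather than pointers; their declarations are outside the hunk and should be checked.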
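Review bot: The added lines in the `@@ -856` hunk pass `service_desc` where the removed lines passed `svc_description`, and nothing in this patch declares or renames such a variable. Unless history.c in icinga 1.0.2 already defines `service_desc` outside the hunk, the backport will either fail to compile or read a different variable than the one holding the requested service. Keeping the stable branch's name, e.g. `snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);`, avoids that; the same applies to the FLAPPING and DOWNTIME lines.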