tag 697931 patch
thanks

Alexander Wirt schrieb am Saturday, den 12. January 2013:

> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
> 
> > Package: icinga
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > This was assigned CVE-2012-6096:
> > http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > 
> > Fix:
> > http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't that high, so I want to wait until the icinga team has an official
> patch.
Ok, I backported the official patch to stable and attached it. Should I
provide an updated package for security.d.o?

Alex
-- 
Alexander Wirt, formo...@formorer.de 
CC99 2DDD D39E 75B0 B0AA  B25C D35B BC99 BC7D 020A
#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_fix_CVE-2012-6096.dpatch by  <root@>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' 
'--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' icinga-1.0.2~/cgi/getcgi.c 
icinga-1.0.2/cgi/getcgi.c
--- icinga-1.0.2~/cgi/getcgi.c  2010-06-30 09:13:42.000000000 +0000
+++ icinga-1.0.2/cgi/getcgi.c   2013-01-14 06:05:50.511798545 +0000
@@ -153,15 +153,17 @@
                /* check for NULL query string environment variable - 04/28/00 
(Ludo Bosmans) */
                if(getenv("QUERY_STRING")==NULL){
                        cgiinput=(char *)malloc(1);
+                       if (cgiinput != NULL) {
+                               cgiinput[0] = '\x0';
+                       }
+               } else 
+                       cgiinput = strdup(getenv("QUERY_STRING"));
                        if(cgiinput==NULL){
                                printf("getcgivars(): Could not allocate memory 
for CGI input.\n");
                                exit(1);
-                               }
-                       cgiinput[0]='\x0';
-                       }
-               else
-                       cgiinput=strdup(getenv("QUERY_STRING"));
-               }
+                       }
+               }
+       }
 
        else if(!strcmp(request_method,"POST") || 
!strcmp(request_method,"PUT")){
 
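Review bot: As rendered here, the new side of this hunk closes one more brace than the old side did: it opens three blocks (`if(getenv("QUERY_STRING")==NULL){`, `if (cgiinput != NULL) {`, `if(cgiinput==NULL){`) and closes five, where the old side opened two and closed three. Unless that is an artifact of the mail wrapping, the last added `}` ends an outer block just before `else if(!strcmp(request_method,"POST")`, so the backport should be compiled before upload and that brace dropped if it is surplus. The brace-less `else` also makes the shared `if(cgiinput==NULL)` check read as part of the else branch; writing it as `} else {`, then the `strdup` line, then `}` would show that the allocation check covers both paths. The enclosing function starts and ends outside the hunk.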
@@ -236,7 +238,11 @@
        paircount=0;
        nvpair=strtok(cgiinput,"&");
        while(nvpair){
-               pairlist[paircount++]=strdup(nvpair);
+               pairlist[paircount] = strdup(nvpair);
+               if(pairlist[paircount++] == NULL) {
+                       printf("getcgivars(): Could not allocate memory for 
name-value pair element #%d.\n", paircount);
+                       exit(1);
+               }
                if(!(paircount%256)){
                        pairlist=(char 
**)realloc(pairlist,(paircount+256)*sizeof(char **));
                        if(pairlist==NULL){
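Review bot: The added check folds the increment into the comparison, `if(pairlist[paircount++] == NULL)`, so the number printed in the error message is already one past the slot that failed, while the messages added further down in this file print the zero-based `i`. Testing `if(pairlist[paircount] == NULL)` and doing `paircount++;` as its own statement after the check keeps the side effect out of the condition and makes the reported indices consistent. The `while` loop and the `realloc` failure branch continue outside the hunk.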
@@ -261,14 +267,29 @@
                /* get the variable name preceding the equal (=) sign */
                if((eqpos=strchr(pairlist[i],'='))!=NULL){
                        *eqpos='\0';
-                       unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
-                       } 
+                       cgivars[i*2+1] = strdup(eqpos + 1);
+                       if(cgivars[i*2+1] == NULL) {
+                               printf("getcgivars(): Could not allocate memory 
for cgi param value #%d.\n", i);
+                               exit(1);
+                       }
+                       unescape_cgi_input(cgivars[i*2+1]);
+               } 
                else
-                       unescape_cgi_input(cgivars[i*2+1]=strdup(""));
+                       cgivars[i*2+1] = strdup("");
+                       if(cgivars[i*2+1] == NULL) {
+                               printf("getcgivars(): Could not allocate memory 
for empty cgi param value #%d.\n", i);
+                               exit(1);
+                       }
+                       unescape_cgi_input(cgivars[i*2+1]);
 
                /* get the variable value (or name/value of there was no real 
"pair" in the first place) */
-               unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
-               }
+               cgivars[i*2] = strdup(pairlist[i]);
+               if(cgivars[i*2] == NULL) {
+                       printf("getcgivars(): Could not allocate memory for cgi 
param name #%d.\n", i);
+                       exit(1);
+               }
+               unescape_cgi_input(cgivars[i*2]);
+       }
 
        /* terminate the name-value list */
        cgivars[paircount*2]='\x0';
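Review bot: The new `else` branch has no braces, so only `cgivars[i*2+1] = strdup("");` belongs to it; the NULL check and the second `unescape_cgi_input(cgivars[i*2+1]);` below it run for every pair, including pairs that already went through the `if` branch. A value that follows an `=` is therefore passed to `unescape_cgi_input` twice. That function is not shown here, but if it decodes %-escapes as its name suggests, a doubly encoded value is decoded two levels deep, which can defeat any later check that assumes a single decoding pass. Brace the branch with `else {` before the `strdup("")` line and a closing `}` after the second `unescape_cgi_input(cgivars[i*2+1]);`. The loop header is outside the hunk.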
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' 
'--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' icinga-1.0.2~/cgi/history.c 
icinga-1.0.2/cgi/history.c
--- icinga-1.0.2~/cgi/history.c 2010-06-30 09:13:42.000000000 +0000
+++ icinga-1.0.2/cgi/history.c  2013-01-14 06:05:50.511798545 +0000
@@ -808,16 +808,16 @@
                        else if(display_type==DISPLAY_HOSTS){
 
                                if(history_type==HOST_HISTORY || 
history_type==SERVICE_HISTORY){
-                                       sprintf(match1," HOST ALERT: 
%s;",host_name);
-                                       sprintf(match2," SERVICE ALERT: 
%s;",host_name);
+                                       snprintf(match1, sizeof(match1), " HOST 
ALERT: %s;", host_name);
+                                       snprintf(match2, sizeof(match2), " 
SERVICE ALERT: %s;", host_name);
                                        }
                                else if(history_type==HOST_FLAPPING_HISTORY || 
history_type==SERVICE_FLAPPING_HISTORY){
-                                       sprintf(match1," HOST FLAPPING ALERT: 
%s;",host_name);
-                                       sprintf(match2," SERVICE FLAPPING 
ALERT: %s;",host_name);
+                                       snprintf(match1, sizeof(match1), " HOST 
FLAPPING ALERT: %s;", host_name);
+                                       snprintf(match2, sizeof(match2), " 
SERVICE FLAPPING ALERT: %s;", host_name);
                                        }
                                else if(history_type==HOST_DOWNTIME_HISTORY || 
history_type==SERVICE_DOWNTIME_HISTORY){
-                                       sprintf(match1," HOST DOWNTIME ALERT: 
%s;",host_name);
-                                       sprintf(match2," SERVICE DOWNTIME 
ALERT: %s;",host_name);
+                                       snprintf(match1, sizeof(match1), " HOST 
DOWNTIME ALERT: %s;", host_name);
+                                       snprintf(match2, sizeof(match2), " 
SERVICE DOWNTIME ALERT: %s;", host_name);
                                        }
 
                                if(show_all_hosts==TRUE)
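Review bot: The six `snprintf` calls bound the write but discard the return value, so an over-long `host_name` now produces a silently truncated `match1`/`match2` that no longer ends in `;`. The hunk at -856 passes `match1` to `strstr`, where a shortened pattern would also match log lines for other hosts sharing that prefix; treating a return value `>= sizeof(match1)` as "no match" avoids using the truncated pattern. `sizeof(match1)` is the buffer size only if `match1` and `match2` are declared as arrays in this function, and their declarations are outside the hunk, so that should be confirmed. The same points apply to the three `snprintf` calls in the hunk at -856.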
@@ -856,11 +856,11 @@
                        else if(display_type==DISPLAY_SERVICES){
 
                                if(history_type==SERVICE_HISTORY)
-                                       sprintf(match1," SERVICE ALERT: 
%s;%s;",host_name,svc_description);
+                                       snprintf(match1, sizeof(match1), " 
SERVICE ALERT: %s;%s;", host_name, service_desc);
                                else if(history_type==SERVICE_FLAPPING_HISTORY)
-                                       sprintf(match1," SERVICE FLAPPING 
ALERT: %s;%s;",host_name,svc_description);
+                                       snprintf(match1, sizeof(match1), " 
SERVICE FLAPPING ALERT: %s;%s;", host_name, service_desc);
                                else if(history_type==SERVICE_DOWNTIME_HISTORY)
-                                       sprintf(match1," SERVICE DOWNTIME 
ALERT: %s;%s;",host_name,svc_description);
+                                       snprintf(match1, sizeof(match1), " 
SERVICE DOWNTIME ALERT: %s;%s;", host_name, service_desc);
 
                                if(strstr(temp_buffer,match1) && 
(history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || 
history_type==SERVICE_DOWNTIME_HISTORY))
                                        display_line=TRUE;
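Review bot: The three added `snprintf` lines pass `service_desc` where the removed `sprintf` lines passed `svc_description`, and nothing in this patch declares or renames a variable to that name. Unless icinga-1.0.2's history.c already has a `service_desc` in scope, the backport either fails to compile or formats a different variable than the one the old code matched on. Keeping the original argument, as in `snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);`, limits the change to the bounded write. The surrounding `if`/`else if` chain starts outside the hunk.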
