1 |
creffett 14/09/02 14:29:10 |
2 |
|
3 |
Added: nagios-core-3.5.1-process_cgivars.patch |
4 |
Log: |
5 |
Bump to 3.5.1 and add patch wrt security bugs 501200, 495132, 447802 |
6 |
|
7 |
(Portage version: 2.2.12-r1/cvs/Linux x86_64, signed Manifest commit with key 28DB029C) |
8 |
|
9 |
Revision Changes Path |
10 |
1.1 net-analyzer/nagios-core/files/nagios-core-3.5.1-process_cgivars.patch |
11 |
|
12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/nagios-core/files/nagios-core-3.5.1-process_cgivars.patch?rev=1.1&view=markup |
13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/nagios-core/files/nagios-core-3.5.1-process_cgivars.patch?rev=1.1&content-type=text/plain |
14 |
|
15 |
Index: nagios-core-3.5.1-process_cgivars.patch |
16 |
=================================================================== |
17 |
commit d97e03f32741a7d851826b03ed73ff4c9612a866 |
18 |
Author: Eric Stanley <estanley@××××××.com> |
19 |
Date: Fri Dec 20 13:14:30 2013 -0600 |
20 |
|
21 |
CGIs: Fixed minor vulnerability where a custom query could crash the CGI. |
22 |
|
23 |
Most CGIs previously incremented the input variable counter twice when |
24 |
it encountered a long key value. This could cause the CGI to read past |
25 |
the end of the list of CGI variables. This commit removes the second |
26 |
increment, removing the possibility of reading past the end of the list |
27 |
of CGI variables. |
28 |
|
29 |
diff --git a/cgi/avail.c b/cgi/avail.c |
30 |
index 76afd86..64eaadc 100644 |
31 |
--- a/cgi/avail.c |
32 |
+++ b/cgi/avail.c |
33 |
@@ -1096,7 +1096,6 @@ int process_cgivars(void) { |
34 |
|
35 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
36 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
37 |
- x++; |
38 |
continue; |
39 |
} |
40 |
|
41 |
diff --git a/cgi/cmd.c b/cgi/cmd.c |
42 |
index fa6cf5a..50504eb 100644 |
43 |
--- a/cgi/cmd.c |
44 |
+++ b/cgi/cmd.c |
45 |
@@ -311,7 +311,6 @@ int process_cgivars(void) { |
46 |
|
47 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
48 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
49 |
- x++; |
50 |
continue; |
51 |
} |
52 |
|
53 |
diff --git a/cgi/config.c b/cgi/config.c |
54 |
index f061b0f..3360e70 100644 |
55 |
--- a/cgi/config.c |
56 |
+++ b/cgi/config.c |
57 |
@@ -344,7 +344,6 @@ int process_cgivars(void) { |
58 |
|
59 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
60 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
61 |
- x++; |
62 |
continue; |
63 |
} |
64 |
|
65 |
diff --git a/cgi/extinfo.c b/cgi/extinfo.c |
66 |
index 62a1b18..5113df4 100644 |
67 |
--- a/cgi/extinfo.c |
68 |
+++ b/cgi/extinfo.c |
69 |
@@ -591,7 +591,6 @@ int process_cgivars(void) { |
70 |
|
71 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
72 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
73 |
- x++; |
74 |
continue; |
75 |
} |
76 |
|
77 |
diff --git a/cgi/histogram.c b/cgi/histogram.c |
78 |
index 4616541..f6934d0 100644 |
79 |
--- a/cgi/histogram.c |
80 |
+++ b/cgi/histogram.c |
81 |
@@ -1060,7 +1060,6 @@ int process_cgivars(void) { |
82 |
|
83 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
84 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
85 |
- x++; |
86 |
continue; |
87 |
} |
88 |
|
89 |
diff --git a/cgi/notifications.c b/cgi/notifications.c |
90 |
index 8ba11c1..461ae84 100644 |
91 |
--- a/cgi/notifications.c |
92 |
+++ b/cgi/notifications.c |
93 |
@@ -327,7 +327,6 @@ int process_cgivars(void) { |
94 |
|
95 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
96 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
97 |
- x++; |
98 |
continue; |
99 |
} |
100 |
|
101 |
diff --git a/cgi/outages.c b/cgi/outages.c |
102 |
index 426ede6..cb58dee 100644 |
103 |
--- a/cgi/outages.c |
104 |
+++ b/cgi/outages.c |
105 |
@@ -225,7 +225,6 @@ int process_cgivars(void) { |
106 |
|
107 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
108 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
109 |
- x++; |
110 |
continue; |
111 |
} |
112 |
|
113 |
diff --git a/cgi/status.c b/cgi/status.c |
114 |
index 3253340..4ec1c92 100644 |
115 |
--- a/cgi/status.c |
116 |
+++ b/cgi/status.c |
117 |
@@ -567,7 +567,6 @@ int process_cgivars(void) { |
118 |
|
119 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
120 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
121 |
- x++; |
122 |
continue; |
123 |
} |
124 |
|
125 |
diff --git a/cgi/statusmap.c b/cgi/statusmap.c |
126 |
index ea48368..2580ae5 100644 |
127 |
--- a/cgi/statusmap.c |
128 |
+++ b/cgi/statusmap.c |
129 |
@@ -400,7 +400,6 @@ int process_cgivars(void) { |
130 |
|
131 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
132 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
133 |
- x++; |
134 |
continue; |
135 |
} |
136 |
|
137 |
diff --git a/cgi/statuswml.c b/cgi/statuswml.c |
138 |
index bd8cea2..d25abef 100644 |
139 |
--- a/cgi/statuswml.c |
140 |
+++ b/cgi/statuswml.c |
141 |
@@ -226,8 +226,13 @@ int process_cgivars(void) { |
142 |
|
143 |
for(x = 0; variables[x] != NULL; x++) { |
144 |
|
145 |
+ /* do some basic length checking on the variable identifier to prevent buffer overflows */ |
146 |
+ if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
147 |
+ continue; |
148 |
+ } |
149 |
+ |
150 |
/* we found the hostgroup argument */ |
151 |
- if(!strcmp(variables[x], "hostgroup")) { |
152 |
+ else if(!strcmp(variables[x], "hostgroup")) { |
153 |
display_type = DISPLAY_HOSTGROUP; |
154 |
x++; |
155 |
if(variables[x] == NULL) { |
156 |
diff --git a/cgi/summary.c b/cgi/summary.c |
157 |
index 126ce5e..749a02c 100644 |
158 |
--- a/cgi/summary.c |
159 |
+++ b/cgi/summary.c |
160 |
@@ -725,7 +725,6 @@ int process_cgivars(void) { |
161 |
|
162 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
163 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
164 |
- x++; |
165 |
continue; |
166 |
} |
167 |
|
168 |
diff --git a/cgi/trends.c b/cgi/trends.c |
169 |
index b35c18e..895db01 100644 |
170 |
--- a/cgi/trends.c |
171 |
+++ b/cgi/trends.c |
172 |
@@ -1263,7 +1263,6 @@ int process_cgivars(void) { |
173 |
|
174 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
175 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
176 |
- x++; |
177 |
continue; |
178 |
} |
179 |
|
180 |
diff --git a/contrib/daemonchk.c b/contrib/daemonchk.c |
181 |
index 78716e5..9bb6c4b 100644 |
182 |
--- a/contrib/daemonchk.c |
183 |
+++ b/contrib/daemonchk.c |
184 |
@@ -174,7 +174,6 @@ static int process_cgivars(void) { |
185 |
|
186 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
187 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
188 |
- x++; |
189 |
continue; |
190 |
} |
191 |
} |