| 1 |
creffett 14/09/02 14:29:10 |
| 2 |
|
| 3 |
Added: nagios-core-3.5.1-process_cgivars.patch |
| 4 |
Log: |
| 5 |
Bump to 3.5.1 and add patch wrt security bugs 501200, 495132, 447802 |
| 6 |
|
| 7 |
(Portage version: 2.2.12-r1/cvs/Linux x86_64, signed Manifest commit with key 28DB029C) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 net-analyzer/nagios-core/files/nagios-core-3.5.1-process_cgivars.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/nagios-core/files/nagios-core-3.5.1-process_cgivars.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/nagios-core/files/nagios-core-3.5.1-process_cgivars.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: nagios-core-3.5.1-process_cgivars.patch |
| 16 |
=================================================================== |
| 17 |
commit d97e03f32741a7d851826b03ed73ff4c9612a866 |
| 18 |
Author: Eric Stanley <estanley@××××××.com> |
| 19 |
Date: Fri Dec 20 13:14:30 2013 -0600 |
| 20 |
|
| 21 |
CGIs: Fixed minor vulnerability where a custom query could crash the CGI. |
| 22 |
|
| 23 |
Most CGIs previously incremented the input variable counter twice when |
| 24 |
it encountered a long key value. This could cause the CGI to read past |
| 25 |
the end of the list of CGI variables. This commit removes the second |
| 26 |
increment, removing the possibility of reading past the end of the list |
| 27 |
of CGI variables. |
| 28 |
|
| 29 |
diff --git a/cgi/avail.c b/cgi/avail.c |
| 30 |
index 76afd86..64eaadc 100644 |
| 31 |
--- a/cgi/avail.c |
| 32 |
+++ b/cgi/avail.c |
| 33 |
@@ -1096,7 +1096,6 @@ int process_cgivars(void) { |
| 34 |
|
| 35 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 36 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 37 |
- x++; |
| 38 |
continue; |
| 39 |
} |
| 40 |
|
| 41 |
diff --git a/cgi/cmd.c b/cgi/cmd.c |
| 42 |
index fa6cf5a..50504eb 100644 |
| 43 |
--- a/cgi/cmd.c |
| 44 |
+++ b/cgi/cmd.c |
| 45 |
@@ -311,7 +311,6 @@ int process_cgivars(void) { |
| 46 |
|
| 47 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 48 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 49 |
- x++; |
| 50 |
continue; |
| 51 |
} |
| 52 |
|
| 53 |
diff --git a/cgi/config.c b/cgi/config.c |
| 54 |
index f061b0f..3360e70 100644 |
| 55 |
--- a/cgi/config.c |
| 56 |
+++ b/cgi/config.c |
| 57 |
@@ -344,7 +344,6 @@ int process_cgivars(void) { |
| 58 |
|
| 59 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 60 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 61 |
- x++; |
| 62 |
continue; |
| 63 |
} |
| 64 |
|
| 65 |
diff --git a/cgi/extinfo.c b/cgi/extinfo.c |
| 66 |
index 62a1b18..5113df4 100644 |
| 67 |
--- a/cgi/extinfo.c |
| 68 |
+++ b/cgi/extinfo.c |
| 69 |
@@ -591,7 +591,6 @@ int process_cgivars(void) { |
| 70 |
|
| 71 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 72 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 73 |
- x++; |
| 74 |
continue; |
| 75 |
} |
| 76 |
|
| 77 |
diff --git a/cgi/histogram.c b/cgi/histogram.c |
| 78 |
index 4616541..f6934d0 100644 |
| 79 |
--- a/cgi/histogram.c |
| 80 |
+++ b/cgi/histogram.c |
| 81 |
@@ -1060,7 +1060,6 @@ int process_cgivars(void) { |
| 82 |
|
| 83 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 84 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 85 |
- x++; |
| 86 |
continue; |
| 87 |
} |
| 88 |
|
| 89 |
diff --git a/cgi/notifications.c b/cgi/notifications.c |
| 90 |
index 8ba11c1..461ae84 100644 |
| 91 |
--- a/cgi/notifications.c |
| 92 |
+++ b/cgi/notifications.c |
| 93 |
@@ -327,7 +327,6 @@ int process_cgivars(void) { |
| 94 |
|
| 95 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 96 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 97 |
- x++; |
| 98 |
continue; |
| 99 |
} |
| 100 |
|
| 101 |
diff --git a/cgi/outages.c b/cgi/outages.c |
| 102 |
index 426ede6..cb58dee 100644 |
| 103 |
--- a/cgi/outages.c |
| 104 |
+++ b/cgi/outages.c |
| 105 |
@@ -225,7 +225,6 @@ int process_cgivars(void) { |
| 106 |
|
| 107 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 108 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 109 |
- x++; |
| 110 |
continue; |
| 111 |
} |
| 112 |
|
| 113 |
diff --git a/cgi/status.c b/cgi/status.c |
| 114 |
index 3253340..4ec1c92 100644 |
| 115 |
--- a/cgi/status.c |
| 116 |
+++ b/cgi/status.c |
| 117 |
@@ -567,7 +567,6 @@ int process_cgivars(void) { |
| 118 |
|
| 119 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 120 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 121 |
- x++; |
| 122 |
continue; |
| 123 |
} |
| 124 |
|
| 125 |
diff --git a/cgi/statusmap.c b/cgi/statusmap.c |
| 126 |
index ea48368..2580ae5 100644 |
| 127 |
--- a/cgi/statusmap.c |
| 128 |
+++ b/cgi/statusmap.c |
| 129 |
@@ -400,7 +400,6 @@ int process_cgivars(void) { |
| 130 |
|
| 131 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 132 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 133 |
- x++; |
| 134 |
continue; |
| 135 |
} |
| 136 |
|
| 137 |
diff --git a/cgi/statuswml.c b/cgi/statuswml.c |
| 138 |
index bd8cea2..d25abef 100644 |
| 139 |
--- a/cgi/statuswml.c |
| 140 |
+++ b/cgi/statuswml.c |
| 141 |
@@ -226,8 +226,13 @@ int process_cgivars(void) { |
| 142 |
|
| 143 |
for(x = 0; variables[x] != NULL; x++) { |
| 144 |
|
| 145 |
+ /* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 146 |
+ if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 147 |
+ continue; |
| 148 |
+ } |
| 149 |
+ |
| 150 |
/* we found the hostgroup argument */ |
| 151 |
- if(!strcmp(variables[x], "hostgroup")) { |
| 152 |
+ else if(!strcmp(variables[x], "hostgroup")) { |
| 153 |
display_type = DISPLAY_HOSTGROUP; |
| 154 |
x++; |
| 155 |
if(variables[x] == NULL) { |
| 156 |
diff --git a/cgi/summary.c b/cgi/summary.c |
| 157 |
index 126ce5e..749a02c 100644 |
| 158 |
--- a/cgi/summary.c |
| 159 |
+++ b/cgi/summary.c |
| 160 |
@@ -725,7 +725,6 @@ int process_cgivars(void) { |
| 161 |
|
| 162 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 163 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 164 |
- x++; |
| 165 |
continue; |
| 166 |
} |
| 167 |
|
| 168 |
diff --git a/cgi/trends.c b/cgi/trends.c |
| 169 |
index b35c18e..895db01 100644 |
| 170 |
--- a/cgi/trends.c |
| 171 |
+++ b/cgi/trends.c |
| 172 |
@@ -1263,7 +1263,6 @@ int process_cgivars(void) { |
| 173 |
|
| 174 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 175 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 176 |
- x++; |
| 177 |
continue; |
| 178 |
} |
| 179 |
|
| 180 |
diff --git a/contrib/daemonchk.c b/contrib/daemonchk.c |
| 181 |
index 78716e5..9bb6c4b 100644 |
| 182 |
--- a/contrib/daemonchk.c |
| 183 |
+++ b/contrib/daemonchk.c |
| 184 |
@@ -174,7 +174,6 @@ static int process_cgivars(void) { |
| 185 |
|
| 186 |
/* do some basic length checking on the variable identifier to prevent buffer overflows */ |
| 187 |
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { |
| 188 |
- x++; |
| 189 |
continue; |
| 190 |
} |
| 191 |
} |
Archives