[Pkg-nagios-changes] [pkg-nagios] r894 - in nagios/branches/sarge/debian: . patches

Sean Finney seanius at costa.debian.org
Fri May 12 09:44:52 UTC 2006 

Author: seanius
Date: 2006-05-12 09:44:51 +0000 (Fri, 12 May 2006)
New Revision: 894

Modified:
   nagios/branches/sarge/debian/changelog
   nagios/branches/sarge/debian/patches/10100_CVE-2006-2162_content_length_header.dpatch
Log:
updated the CVE patch to catch integer overflow as well.


Modified: nagios/branches/sarge/debian/changelog
===================================================================
--- nagios/branches/sarge/debian/changelog	2006-05-11 08:22:22 UTC (rev 893)
+++ nagios/branches/sarge/debian/changelog	2006-05-12 09:44:51 UTC (rev 894)
@@ -3,7 +3,9 @@
   * Sean Finney:
     - security update prepared for the security team.
     - add fix for Content-Length header bounds/sanity checking.
-      thanks to Ethan Galstad for providing the patch.
+      thanks to Ethan Galstad for providing the patch, and to
+      joey for noticing the potential for the problem through a
+      second vector.
       References: CVE-2006-2162.
 
  -- sean finney <seanius at debian.org>  Thu, 11 May 2006 10:06:58 +0200

Modified: nagios/branches/sarge/debian/patches/10100_CVE-2006-2162_content_length_header.dpatch
===================================================================
--- nagios/branches/sarge/debian/patches/10100_CVE-2006-2162_content_length_header.dpatch	2006-05-11 08:22:22 UTC (rev 893)
+++ nagios/branches/sarge/debian/patches/10100_CVE-2006-2162_content_length_header.dpatch	2006-05-12 09:44:51 UTC (rev 894)
@@ -1,18 +1,28 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
-## 10100_CVE-2006-2162_content_length_header.dpatch by  <seanius at debian.org>
+## 10100_CVE-2006-2162_content_length_header.dpatch by <seanius at debian.org>
 ##
-## DP: fix from the upstream author, ethan galstad (thanks!)
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: prevent content-length errors from negative size and integer overflow
 
 @DPATCH@
-diff -urNad nagios-1.3-cvs.20050402~/cgi/getcgi.c nagios-1.3-cvs.20050402/cgi/getcgi.c
---- nagios-1.3-cvs.20050402~/cgi/getcgi.c	2002-09-25 01:04:02.000000000 +0200
-+++ nagios-1.3-cvs.20050402/cgi/getcgi.c	2006-05-11 10:02:48.000000000 +0200
-@@ -166,6 +166,8 @@
+--- nagios-1.3-cvs.20050402/cgi/getcgi.c~	2006-05-11 17:43:35.000000000 +0200
++++ nagios-1.3-cvs.20050402/cgi/getcgi.c	2006-05-11 17:43:00.000000000 +0200
+@@ -9,6 +9,7 @@
+ #include "../common/config.h"
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #include "getcgi.h"
+ 
+ 
+@@ -166,6 +167,10 @@ char **getcgivars(void){
  			printf("getcgivars(): No Content-Length was sent with the POST request.\n") ;
  			exit(1);
  		        }
-+		if(content_length<0)
-+			content_length=0;
++		if((content_length<0) || (content_length >= INT_MAX-1)){
++			printf("getcgivars(): Suspicious Content-Length was sent with the POST request.\n");
++			exit(1);
++			}
  		if(!(cgiinput=(char *)malloc(content_length+1))){
  			printf("getcgivars(): Could not allocate memory for CGI input.\n");
  			exit(1);

More information about the Pkg-nagios-changes mailing list