[Pkg-nagios-changes] [pkg-nagios] r895 - in nagios/trunk/debian: . patches
Sean Finney
seanius at costa.debian.org
Fri May 12 10:54:25 UTC 2006
Author: seanius
Date: 2006-05-12 10:54:24 +0000 (Fri, 12 May 2006)
New Revision: 895
Added:
nagios/trunk/debian/patches/16_CVE-2006-2162_content-length.dpatch
Modified:
nagios/trunk/debian/changelog
nagios/trunk/debian/patches/00list
Log:
updated patch for the listed CVE
Modified: nagios/trunk/debian/changelog
===================================================================
--- nagios/trunk/debian/changelog 2006-05-12 09:44:51 UTC (rev 894)
+++ nagios/trunk/debian/changelog 2006-05-12 10:54:24 UTC (rev 895)
@@ -1,13 +1,15 @@
-nagios (2:1.4-1) UNRELEASED; urgency=low
+nagios (2:1.4-1) unstable; urgency=high
- * not released yet... needs testing.
[sean finney]
* resynchronize with upstream source.
- upstream has incorporated 14_xdata_check-fulldisks.dpatch
* includes fix for Content-Length bounds/sanity checking mentioned
in CVE-2006-2162 (closes: #366682).
+ * includes fix for the above fix, which was incomplete
+ (16_CVE-2006-2162_content-length.dpatch).
+ * security release, bumped the urgency.
- -- sean finney <seanius at debian.org> Thu, 11 May 2006 10:13:33 +0200
+ -- sean finney <seanius at debian.org> Fri, 12 May 2006 12:37:37 +0200
nagios (2:1.3-cvs.20050402-13) unstable; urgency=medium
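Review bot: the new entry `+ * includes fix for the above fix, which was incomplete` does not say what was incomplete, which matters for anyone later auditing the CVE-2006-2162 fix from the changelog alone; suggest stating that the earlier change only clamped a negative Content-Length and that 16_CVE-2006-2162_content-length.dpatch adds the missing upper bound before the malloc in cgi/getcgi.c.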
Modified: nagios/trunk/debian/patches/00list
===================================================================
--- nagios/trunk/debian/patches/00list 2006-05-12 09:44:51 UTC (rev 894)
+++ nagios/trunk/debian/patches/00list 2006-05-12 10:54:24 UTC (rev 895)
@@ -14,3 +14,4 @@
12_xrddb.c-errorhandling.dpatch
13_config.h.in-traceroute_hardcoded.dpatch
15_submit_check_result_via_nsca-nagioshost.dpatch
+16_CVE-2006-2162_content-length.dpatch
Added: nagios/trunk/debian/patches/16_CVE-2006-2162_content-length.dpatch
===================================================================
--- nagios/trunk/debian/patches/16_CVE-2006-2162_content-length.dpatch 2006-05-12 09:44:51 UTC (rev 894)
+++ nagios/trunk/debian/patches/16_CVE-2006-2162_content-length.dpatch 2006-05-12 10:54:24 UTC (rev 895)
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 16_CVE-2006-2162_content-length.dpatch by <seanius at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad nagios-1.4~/cgi/getcgi.c nagios-1.4/cgi/getcgi.c
+--- nagios-1.4~/cgi/getcgi.c 2006-04-12 21:25:14.000000000 +0200
++++ nagios-1.4/cgi/getcgi.c 2006-05-12 12:40:54.000000000 +0200
+@@ -9,6 +9,7 @@
+ #include "../common/config.h"
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #include "getcgi.h"
+
+
+@@ -166,8 +167,10 @@
+ printf("getcgivars(): No Content-Length was sent with the POST request.\n") ;
+ exit(1);
+ }
+- if(content_length<0)
+- content_length=0;
++ if((content_length<0) || (content_length >= INT_MAX-1)){
++ printf("getcgivars(): Suspicious Content-Length was sent with the POST request.\n");
++ exit(1);
++ }
+ if(!(cgiinput=(char *)malloc(content_length+1))){
+ printf("getcgivars(): Could not allocate memory for CGI input.\n");
+ exit(1);
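Review bot: the new condition `if((content_length<0) || (content_length >= INT_MAX-1))` only rules out the integer overflow in the following `malloc(content_length+1)`; any declared length below that bound is still handed to malloc unchanged, so the CGI will attempt whatever allocation a POST request declares before any other sanity check runs. Consider rejecting anything above a realistic maximum for CGI form input (a named constant, rather than a bound derived from INT_MAX) and keep the INT_MAX guard as the last line of defence. The header `## DP: No description.` should also describe the change (CVE-2006-2162, Content-Length bounds check in cgi/getcgi.c), since the DP line is the only in-tree documentation of the patch.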
Property changes on: nagios/trunk/debian/patches/16_CVE-2006-2162_content-length.dpatch
___________________________________________________________________
Name: svn:executable
+ *