[Pkg-nagios-changes] [SCM] Debian packaging for Nagios3 branch, master, updated. debian/3.4.1-2-19-g04df464

Alexander Wirt formorer at debian.org
Thu Jun 27 05:47:48 UTC 2013


The following commit has been merged in the master branch:
commit a2c78a1d33b1c389ea71dc17042c102b961d5cf1
Author: Alexander Wirt <formorer at debian.org>
Date:   Wed Jun 26 22:22:20 2013 +0200

    Stop status.cgi from listing unauthorized hosts and services in servicegroup
    view (CVE-2013-2214)
    
    Thanks: Jonas Meurer for the report and the patch
    Closes: #714171

diff --git a/debian/patches/00list b/debian/patches/00list
index 06a7d30..b2b0f96 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -9,3 +9,4 @@
 99_remove_update-check.dpatch
 99_fix_php_warning.dpatch
 999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
+99_security_status_cgi_servicegroup.dpatch
diff --git a/debian/patches/99_security_status_cgi_servicegroup.dpatch b/debian/patches/99_security_status_cgi_servicegroup.dpatch
new file mode 100644
index 0000000..3c850e1
--- /dev/null
+++ b/debian/patches/99_security_status_cgi_servicegroup.dpatch
@@ -0,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer <jmeurer at inet.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Stop cgi-bin/status.c from listing unauthorized hosts and
+## DP:				services in servicegroup view
+## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.4.1~/cgi/status.c nagios3-3.4.1/cgi/status.c
+--- nagios3-3.4.1~/cgi/status.c	2012-02-13 21:40:42.000000000 +0100
++++ nagios3-3.4.1/cgi/status.c	2013-06-26 16:52:37.668132234 +0200
+@@ -2534,6 +2534,10 @@
+ 		if(temp_host == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this host */
++		if(is_authorized_for_host(temp_host, &current_authdata) == FALSE)
++			continue;
++
+ 		/* skip this if it isn't a new host... */
+ 		if(temp_host == last_host)
+ 			continue;
+@@ -2739,6 +2743,10 @@
+ 		if(temp_host == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this host */
++		if(is_authorized_for_host(temp_host, &current_authdata) == FALSE)
++			continue;
++
+ 		/* skip this if it isn't a new host... */
+ 		if(temp_host == last_host)
+ 			continue;
+@@ -2918,6 +2926,10 @@
+ 		if(temp_service == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this service */
++		if(is_authorized_for_service(temp_service, &current_authdata) == FALSE)
++			continue;
++
+ 		/* find the service status */
+ 		temp_servicestatus = find_servicestatus(temp_service->host_name, temp_service->description);
+ 		if(temp_servicestatus == NULL)
+@@ -3270,6 +3282,10 @@
+ 		if(temp_host == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this host */
++		if(is_authorized_for_host(temp_host, &current_authdata) == FALSE)
++			continue;
++
+ 		/* get the status of the host */
+ 		temp_hoststatus = find_hoststatus(temp_host->name);
+ 		if(temp_hoststatus == NULL)
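Review bot: The three host-level gates (inner hunks at 2534, 2743 and 3282) hide a servicegroup member row whenever `is_authorized_for_host()` fails, which is stricter than the CGI's own service authorization model — `is_authorized_for_service()` also accepts a contact assigned to the service but not to its host — so such a contact now loses rows for services they are entitled to see, while the per-service check is applied only in the 2918 hunk. The `@@` headers carry no function names, so it is inferred rather than visible that these loops walk servicegroup members; if they do, consider resolving the member's service with `find_service()` and gating on `if(temp_service == NULL || is_authorized_for_service(temp_service, &current_authdata) == FALSE) continue;` instead, or, if hiding the whole host row is intended, say so in the `## DP:` description so the authorization rule this patch enforces is stated rather than implied. All four patched functions begin and end outside the hunk, so whether their inner per-service loops already carry their own `is_authorized_for_service()` checks cannot be confirmed from here.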
