[Pkg-nagios-changes] [SCM] Debian packaging for nagios nrpe branch, master, updated. debian/2.13-2-5-g4d71cc9
Alexander Wirt
formorer at debian.org
Sat Mar 9 07:56:25 UTC 2013
The following commit has been merged in the master branch:
commit e55afd1c6505488f6f357a7ea088763a5f69962d
Author: Alexander Wirt <formorer at debian.org>
Date: Sat Mar 9 08:38:51 2013 +0100
Add 08_CVE-2013-1362.dpatch patch.
If command arguments are enabled in the NRPE configuration, it was
possible to pass $() as arguments as the checking for nasty characters
was not strict enough to catch $(). This allowed executing shell
commands under a subprocess and passing the output as a parameter to the
called script (if run under bash). CVE-2013-1362 (Closes: #701227)
Git-Dch: Full
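The failure mode the commit message describes, as an added example that is not NRPE's own code: a per-argument blacklist of shell metacharacters lets `$(...)` through because neither `$` nor `(` is on the list, and the fix is a second check for the literal `$(`. The metacharacter list below is an assumption modelled on NRPE's NASTY_METACHARS, not taken from this page; the allowlist filter at the end is likewise an illustrative alternative, not the project's approach.

```c
/* Added example, not NRPE project code.  Models the pre-patch
 * blacklist check, the strstr("$(") check added by the patch, and an
 * allowlist alternative.  The blacklist string is an ASSUMPTION
 * modelled on NRPE's NASTY_METACHARS; the real list may differ. */
#include <stdio.h>
#include <string.h>

#define NASTY_METACHARS "|`&><'\"\\[]{}"   /* assumed, see above */

enum arg_verdict { ARG_OK = 0, ARG_EMPTY, ARG_NASTY, ARG_SUBST };

/* Pre-patch model: reject empty arguments and any listed metachar.
 * "$(id)" contains none of the listed characters and is accepted. */
enum arg_verdict check_arg_blacklist(const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return ARG_EMPTY;
    if (strpbrk(arg, NASTY_METACHARS) != NULL)
        return ARG_NASTY;
    return ARG_OK;
}

/* Patched model: same blacklist plus the literal "$(" check.  A plain
 * variable expansion such as "$HOME" still passes both checks. */
enum arg_verdict check_arg_patched(const char *arg)
{
    enum arg_verdict v = check_arg_blacklist(arg);
    if (v != ARG_OK)
        return v;
    if (strstr(arg, "$(") != NULL)
        return ARG_SUBST;
    return ARG_OK;
}

/* Allowlist alternative (assumed hardening, not the project's code):
 * accept only characters a typical plugin argument needs, so '$', '(',
 * '`' and every other shell-significant byte is rejected by default. */
int arg_allowlisted(const char *arg)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "0123456789 ._:/%=,+-";
    if (arg == NULL || *arg == '\0')
        return 0;
    return strspn(arg, ok) == strlen(arg);
}

int main(void)
{
    /* Constructed sample arguments, not captured traffic. */
    const char *samples[] = { "-w 10 -c 20", "$(id)", "`id`", "a|b", "$HOME" };
    const char *names[] = { "ok", "empty", "nasty", "subst" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-12s blacklist=%-6s patched=%-6s allowlist=%s\n",
               samples[i],
               names[check_arg_blacklist(samples[i])],
               names[check_arg_patched(samples[i])],
               arg_allowlisted(samples[i]) ? "ok" : "reject");
    }
    return 0;
}
```

Running it shows `$(id)` accepted by the blacklist and rejected only by the patched check, while `$HOME` is accepted by both and rejected only by the allowlist; a blacklist has to be extended each time a new shell construct is found, an allowlist does not.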
diff --git a/debian/patches/00list b/debian/patches/00list
index 1355e2e..35cd403 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -5,3 +5,4 @@
05_pid_privileges.dpatch
06_pid_directory.dpatch
07_warn_ssloption.dpatch
+08_CVE-2013-1362.dpatch
diff --git a/debian/patches/08_CVE-2013-1362.dpatch b/debian/patches/08_CVE-2013-1362.dpatch
new file mode 100755
index 0000000..3e96194
--- /dev/null
+++ b/debian/patches/08_CVE-2013-1362.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 08_CVE-2013-1362.dpatch by Salvatore Bonaccorso <carnil at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: nagios-nrpe prior to 2.14 allows the passing of $() as command
+## DP: arguments to execute shell commands if command arguments are
+## DP: explicitly enabled. Filtering out nasty caracters is not
+## DP: strict enough to disallow $(), allowing executing shell commands
+## DP: under a subprocess and pass the output as a parameter to the
+## DP: called script (if run under bash).
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pkg-nrpe~/src/nrpe.c pkg-nrpe/src/nrpe.c
+--- pkg-nrpe~/src/nrpe.c 2013-03-09 08:12:53.000000000 +0100
++++ pkg-nrpe/src/nrpe.c 2013-03-09 08:15:25.714710355 +0100
+@@ -1746,6 +1746,10 @@
+ syslog(LOG_ERR,"Error: Request contained an empty command argument");
+ return ERROR;
+ }
++ if(strstr(macro_argv[x],"$(")) {
++ syslog(LOG_ERR,"Error: Request contained a bash command substitution!");
++ return ERROR;
++ }
+ }
+ }
+ #endif
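Review bot: the added check `if(strstr(macro_argv[x],"$(")) {` matches only the `$(` form of command substitution; the backtick form is not matched by this strstr, and nothing in the hunk shows whether the existing nasty-character filtering rejects backticks, so that should be confirmed in the surrounding code or a second strstr for "`" added. A plain variable expansion such as $HOME also passes this check unchanged. The syslog text calls it a "bash command substitution" although $( ) is POSIX sh syntax, so the message is misleading on a non-bash /bin/sh; and the DP description reads "caracters" for "characters".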
--
Debian packaging for nagios nrpe