[Pkg-nagios-changes] [pkg-nagios-plugins] 01/02: sync with security update
Jan Wagner
waja at moszumanska.debian.org
Tue Nov 26 23:14:44 UTC 2013
This is an automated email from the git hooks/post-receive script.
waja pushed a commit to tag debian/1.4.5-1etch1
in repository pkg-nagios-plugins.
commit 70a221caeaf3fb287836ef567c6f4854659ea209
Author: Sean Finney <seanius at debian.org>
Date: Sun Feb 17 11:50:11 2008 +0000
sync with security update
---
debian/changelog | 6 ++
debian/patches/00list | 2 +
debian/patches/28_CVE-2007-5198.dpatch | 143 +++++++++++++++++++++++++++++++++
debian/patches/29_CVE-2007-5623.dpatch | 45 +++++++++++
4 files changed, 196 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 340e10c..4f48039 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+nagios-plugins (1.4.5-1etch1) stable-security; urgency=high
+
+ * Fix CVE-2007-5198 CVE-2007-5623
+
+ -- Moritz Muehlenhoff <jmm at debian.org> Tue, 5 Feb 2008 23:48:55 +0100
+
nagios-plugins (1.4.5-1) unstable; urgency=low
* new upstream (bugfix only) release. the following patches
diff --git a/debian/patches/00list b/debian/patches/00list
index 9a9b14b..f762b1d 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -7,3 +7,5 @@
25_check_tcp-expect.dpatch
26_implicit-basename.dpatch
27_check_radius_segfault.dpatch
+28_CVE-2007-5198.dpatch
+29_CVE-2007-5623.dpatch
diff --git a/debian/patches/28_CVE-2007-5198.dpatch b/debian/patches/28_CVE-2007-5198.dpatch
new file mode 100644
index 0000000..9639a07
--- /dev/null
+++ b/debian/patches/28_CVE-2007-5198.dpatch
@@ -0,0 +1,143 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5198.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes CVE-2007-5198
+
+ at DPATCH@
+diff -urNad nagios-plugins-1.4.8~/plugins/check_http.c nagios-plugins-1.4.8/plugins/check_http.c
+--- nagios-plugins-1.4.8~/plugins/check_http.c 2007-03-06 23:45:57.000000000 +0100
++++ nagios-plugins-1.4.5/plugins/check_http.c 2007-10-28 16:25:01.000000000 +0100
+@@ -53,7 +53,8 @@
+ enum {
+ MAX_IPV4_HOSTLENGTH = 255,
+ HTTP_PORT = 80,
+- HTTPS_PORT = 443
++ HTTPS_PORT = 443,
++ MAX_PORT = 65535
+ };
+
+ #ifdef HAVE_SSL
+@@ -148,7 +149,7 @@
+
+ if (display_html == TRUE)
+ printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">",
+- use_ssl ? "https" : "http", host_name,
++ use_ssl ? "https" : "http", server_address,
+ server_port, server_url);
+
+ /* initialize alarm signal handling, set socket timeout, start timer */
+@@ -1057,14 +1058,14 @@
+
+ /* per RFC 2396 */
+ #define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: "
+-#define URI_HTTP "%[HTPShtps]://"
+-#define URI_HOST "%[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define URI_PORT ":%[0123456789]"
++#define URI_HTTP "%5[HTPShtps]"
++#define URI_HOST "%255[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
++#define URI_PORT "%6d" /* MAX_PORT's width is 5 chars, 6 to detect overflow */
+ #define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define HD1 URI_HTTP URI_HOST URI_PORT URI_PATH
+-#define HD2 URI_HTTP URI_HOST URI_PATH
+-#define HD3 URI_HTTP URI_HOST URI_PORT
+-#define HD4 URI_HTTP URI_HOST
++#define HD1 URI_HTTP "://" URI_HOST ":" URI_PORT "/" URI_PATH
++#define HD2 URI_HTTP "://" URI_HOST "/" URI_PATH
++#define HD3 URI_HTTP "://" URI_HOST ":" URI_PORT
++#define HD4 URI_HTTP "://" URI_HOST
+ #define HD5 URI_PATH
+
+ void
+@@ -1075,7 +1076,6 @@
+ char xx[2];
+ char type[6];
+ char *addr;
+- char port[6];
+ char *url;
+
+ addr = malloc (MAX_IPV4_HOSTLENGTH + 1);
+@@ -1087,7 +1087,7 @@
+ die (STATE_UNKNOWN, _("Could not allocate url\n"));
+
+ while (pos) {
+- sscanf (pos, "%[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
++ sscanf (pos, "%1[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
+ if (i == 0) {
+ pos += (size_t) strcspn (pos, "\r\n");
+ pos += (size_t) strspn (pos, "\r\n");
+@@ -1099,17 +1099,21 @@
+ }
+
+ pos += i;
+- pos += strspn (pos, " \t\r\n");
++ pos += strspn (pos, " \t");
++ for (; (i = strspn (pos, "\r\n")); pos += i) {
++ pos += i;
++ if (!(i = strspn (pos, " \t"))) {
++ die (STATE_UNKNOWN, _("HTTP UNKNOWN - Empty redirect location%s\n"),display_html ? "</A>" : "");
++ }
++ }
+
+- url = realloc (url, strcspn (pos, "\r\n"));
++ url = realloc (url, strcspn (pos, "\r\n")+ 1);
+ if (url == NULL)
+ die (STATE_UNKNOWN, _("could not allocate url\n"));
+
+ /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */
+- if (sscanf (pos, HD1, type, addr, port, url) == 4) {
++ if (sscanf (pos, HD1, type, addr, &i, url) == 4)
+ use_ssl = server_type_check (type);
+- i = atoi (port);
+- }
+
+ /* URI_HTTP URI_HOST URI_PATH */
+ else if (sscanf (pos, HD2, type, addr, url) == 3 ) {
+@@ -1118,10 +1122,9 @@
+ }
+
+ /* URI_HTTP URI_HOST URI_PORT */
+- else if(sscanf (pos, HD3, type, addr, port) == 3) {
++ else if(sscanf (pos, HD3, type, addr, &i) == 3) {
+ strcpy (url, HTTP_URL);
+ use_ssl = server_type_check (type);
+- i = atoi (port);
+ }
+
+ /* URI_HTTP URI_HOST */
+@@ -1141,7 +1144,7 @@
+ }
+ i = server_port;
+ strcpy (type, server_type);
+- strcpy (addr, host_name);
++ strcpy (addr, server_address);
+ }
+
+ else {
+@@ -1167,7 +1170,6 @@
+ _("WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
+ type, addr, i, url, (display_html ? "</A>" : ""));
+
+- server_port = i;
+ strcpy (server_type, type);
+
+ free (host_name);
+@@ -1177,7 +1179,18 @@
+ server_address = strdup (addr);
+
+ free (server_url);
++ if ((url[0] == '/'))
+ server_url = strdup (url);
++ else if (asprintf(&server_url, "/%s", url) == -1)
++ die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate server_url%s\n"), display_html ? "</A>" : "");
++ free(url);
++
++ if ((server_port = i) > MAX_PORT)
++ die (STATE_UNKNOWN, _("HTTP UNKNOWN - Redirection to port above %d - %s://%s:%d%s%s\n"),
++ MAX_PORT, server_type, server_address, server_port, server_url, display_html ? "</A>" : "");
++
++ if (verbose)
++ printf ("Redirection to %s://%s:%d%s\n", server_type, server_address, server_port, server_url);
+
+ check_http ();
+ }
diff --git a/debian/patches/29_CVE-2007-5623.dpatch b/debian/patches/29_CVE-2007-5623.dpatch
new file mode 100644
index 0000000..3ac951b
--- /dev/null
+++ b/debian/patches/29_CVE-2007-5623.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5623.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad nagios-plugins-1.4.8~/plugins/check_snmp.c nagios-plugins-1.4.8/plugins/check_snmp.c
+--- nagios-plugins-1.4.8~/plugins/check_snmp.c 2007-02-02 10:10:22.000000000 +0100
++++ nagios-plugins-1.4.5/plugins/check_snmp.c 2007-10-28 16:14:48.000000000 +0100
+@@ -217,12 +217,16 @@
+
+ ptr = output;
+
+- strcat(perfstr, "| ");
++ strncat(perfstr, "| ", sizeof(perfstr)-strlen(perfstr)-1);
+ while (ptr) {
+ char *foo;
++ unsigned int copylen;
+
+ foo = strstr (ptr, delimiter);
+- strncat(perfstr, ptr, foo-ptr);
++ copylen = foo-ptr;
++ if (copylen > sizeof(perfstr)-strlen(perfstr)-1)
++ copylen = sizeof(perfstr)-strlen(perfstr)-1;
++ strncat(perfstr, ptr, copylen);
+ ptr = foo;
+
+ if (ptr == NULL)
+@@ -351,11 +355,11 @@
+
+ i++;
+
+- strcat(perfstr, "=");
+- strcat(perfstr, show);
++ strncat(perfstr, "=", sizeof(perfstr)-strlen(perfstr)-1);
++ strncat(perfstr, show, sizeof(perfstr)-strlen(perfstr)-1);
+ if (type)
+- strcat(perfstr, type);
+- strcat(perfstr, " ");
++ strncat(perfstr, type, sizeof(perfstr)-strlen(perfstr)-1);
++ strncat(perfstr, " ", sizeof(perfstr)-strlen(perfstr)-1);
+
+ } /* end while (ptr) */
+
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-nagios/pkg-nagios-plugins.git
More information about the Pkg-nagios-changes
mailing list