[Pkg-nagios-changes] [icinga] 02/08: Imported Upstream version 1.13.4
Bas Couwenberg
sebastic at debian.org
Fri Dec 23 09:15:18 UTC 2016
commit 59f6cb869e68dec140718099b6d80426237e3c44
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date: Fri Dec 23 09:39:52 2016 +0100
Imported Upstream version 1.13.4
---
Changelog | 9 +++++++
Makefile.in | 2 +-
THANKS | 1 +
base/icinga.c | 6 ++---
base/logging.c | 56 +++++++++++++++++++++++++++++++++-------
configure | 4 +--
configure.in | 4 +--
html/main.html | 6 ++---
icinga.spec | 2 +-
include/common.h | 4 +--
module/idoutils/include/common.h | 4 +--
update-version | 4 +--
12 files changed, 75 insertions(+), 27 deletions(-)
diff --git a/Changelog b/Changelog
index 2b4cc99..57883a5 100644
--- a/Changelog
+++ b/Changelog
@@ -19,6 +19,15 @@ NEWS
* This is the Icinga 1.x development branch. If you are looking for Icinga 2.x
please check https://www.icinga.org/icinga2
+1.13.4 - 22/12/2016
+
+SECURITY FIXES
+
+* Fix possible root privilege escalation during opening logs (CVE-2016-9566) #13709
+
+Icinga is **not** vulnerable to CVE-2016-9565 since we do not provide any PHP
+files nor external advertising RSS feeds inside the Classic UI.
+
1.13.3 - 07/15/2015
FIXES
diff --git a/Makefile.in b/Makefile.in
index 2514f60..72ef8e0 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -89,7 +89,7 @@ MKDIR=/bin/mkdir
###############################
# Global
###############################
-ICINGA_VERSION=1.13.3
+ICINGA_VERSION=1.13.4
CP=@CP@
diff --git a/THANKS b/THANKS
index 9551d5d..4b0397b 100644
--- a/THANKS
+++ b/THANKS
@@ -361,3 +361,4 @@ in various ways. If we missed your name, let us know.
* Dennis van Zuijlekom
* Pawel Zuzelski
* Imri Zvik
+* Dawid Golunski (http://legalhackers.com)
diff --git a/base/icinga.c b/base/icinga.c
index ea2bc0f..777f2e1 100644
--- a/base/icinga.c
+++ b/base/icinga.c
@@ -678,9 +678,6 @@ int main(int argc, char **argv, char **env) {
my_free(mac->x[MACRO_PROCESSSTARTTIME]);
asprintf(&mac->x[MACRO_PROCESSSTARTTIME], "%lu", (unsigned long)program_start);
- /* open debug log */
- open_debug_log();
-
/* drop privileges */
if (drop_privileges(nagios_user, nagios_group) == ERROR) {
@@ -690,6 +687,9 @@ int main(int argc, char **argv, char **env) {
exit(ERROR);
}
+ /* open debug log */
+ open_debug_log();
+
#ifdef USE_EVENT_BROKER
/* initialize modules */
neb_init_modules();
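Review bot: The relocated `open_debug_log()` call at the top of this hunk keeps only the original `/* open debug log */` comment, so nothing in the code records that its position after `drop_privileges()` is the substance of the fix, and a later reorder of main() could silently move it back above the privilege drop. Suggest `/* open debug log only after drop_privileges(): the file must be created and opened as nagios_user, not root (CVE-2016-9566) */` in place of the bare comment. Whether the main log is first opened via open_log_file() before or after drop_privileges() is not visible in this diff; if it is opened earlier, the same ordering consideration applies to it. main() starts and ends outside this hunk; the matching removal is in the preceding hunk of this file.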
diff --git a/base/logging.c b/base/logging.c
index 74969ab..cc02450 100644
--- a/base/logging.c
+++ b/base/logging.c
@@ -216,21 +216,42 @@ static void write_to_all_logs_with_timestamp(char *buffer, unsigned long data_ty
}
-FILE *open_log_file(void) {
+FILE *open_log_file(void)
+{
+ int fh;
+ struct stat st;
if (log_fp) /* keep it open unless we rotate */
return log_fp;
- log_fp = fopen(log_file, "a+");
-
+ if ((fh = open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR)) == -1) {
+ if (daemon_mode == FALSE)
+ printf("Warning: Cannot open log file '%s' for writing\n", log_file);
+ return NULL;
+ }
+ log_fp = fdopen(fh, "a+");
if (log_fp == NULL) {
- if (daemon_mode == FALSE) {
+ if (daemon_mode == FALSE)
printf("Warnings: Cannot open log file '%s' for writing\n", log_file);
- }
return NULL;
}
- (void)fcntl(fileno(log_fp), F_SETFD, FD_CLOEXEC);
+ if ((fstat(fh, &st)) == -1) {
+ log_fp = NULL;
+ close(fh);
+ if (daemon_mode == FALSE)
+ printf("Warning: Cannot fstat log file '%s'\n", log_file);
+ return NULL;
+ }
+ if (st.st_nlink != 1 || (st.st_mode & S_IFMT) != S_IFREG) {
+ log_fp = NULL;
+ close(fh);
+ if (daemon_mode == FALSE)
+ printf("Warning: log file '%s' has an invalid mode\n", log_file);
+ return NULL;
+ }
+
+ (void)fcntl(fh, F_SETFD, FD_CLOEXEC);
return log_fp;
}
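Review bot: The fdopen() failure branch (`if (log_fp == NULL) { ... return NULL; }`) returns without closing `fh`, leaking the descriptor, and the two new failure branches after it (fstat failure and the nlink/S_IFREG check) call `close(fh)` on a descriptor that the just-created `log_fp` stream already owns, so the FILE object is leaked and only nulled; `fclose(log_fp)` would be the matching release there. The simplest fix is to validate the descriptor with fstat() before wrapping it, so every failure path only needs `close(fh)` and fdopen() is the last step; the same two issues appear in the open_debug_log() hunk below (its fdopen() failure returns ERROR without closing `fh`, and its later branches also `close(fh)` under a live `debug_file_fp`). The post-open fstat() check on the descriptor itself is the right way to validate the target, since it cannot be raced the way a pre-open stat() could. The context line `printf("Warnings: ...")` is pre-existing but could be aligned with the new `"Warning:"` wording while this function is being touched.
```c
FILE *open_log_file(void)
{
	int fh;
	struct stat st;

	if (log_fp) /* keep it open unless we rotate */
		return log_fp;

	/* … unchanged: open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, ...) with its warning and return NULL … */

	/* validate the descriptor before wrapping it in a FILE, so every
	 * failure path below only has to close(fh) */
	if (fstat(fh, &st) == -1) {
		close(fh);
		if (daemon_mode == FALSE)
			printf("Warning: Cannot fstat log file '%s'\n", log_file);
		return NULL;
	}
	if (st.st_nlink != 1 || (st.st_mode & S_IFMT) != S_IFREG) {
		close(fh);
		if (daemon_mode == FALSE)
			printf("Warning: log file '%s' has an invalid mode\n", log_file);
		return NULL;
	}
	(void)fcntl(fh, F_SETFD, FD_CLOEXEC);

	if ((log_fp = fdopen(fh, "a+")) == NULL) {
		close(fh);
		if (daemon_mode == FALSE)
			printf("Warning: Cannot open log file '%s' for writing\n", log_file);
		return NULL;
	}
	return log_fp;
}
```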
@@ -615,7 +636,10 @@ int write_log_file_info(time_t *timestamp) {
/* opens the debug log for writing */
-int open_debug_log(void) {
+int open_debug_log(void)
+{
+ int fh;
+ struct stat st;
/* don't do anything if we're not actually running... */
if (verify_config == TRUE || test_scheduling == TRUE)
@@ -625,10 +649,24 @@ int open_debug_log(void) {
if (debug_level == DEBUGL_NONE)
return OK;
- if ((debug_file_fp = fopen(debug_file, "a+")) == NULL)
+ if ((fh = open(debug_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR)) == -1) {
+ return ERROR;
+ }
+ if ((debug_file_fp = fdopen(fh, "a+")) == NULL)
+ return ERROR;
+
+ if ((fstat(fh, &st)) == -1) {
+ debug_file_fp = NULL;
+ close(fh);
+ return ERROR;
+ }
+ if (st.st_nlink != 1 || (st.st_mode & S_IFMT) != S_IFREG) {
+ debug_file_fp = NULL;
+ close(fh);
return ERROR;
+ }
- (void)fcntl(fileno(debug_file_fp), F_SETFD, FD_CLOEXEC);
+ (void)fcntl(fh, F_SETFD, FD_CLOEXEC);
return OK;
}
diff --git a/configure b/configure
index eb2efe3..f9d726a 100755
--- a/configure
+++ b/configure
@@ -2512,9 +2512,9 @@ ac_config_headers="$ac_config_headers include/config.h"
PKG_NAME=icinga-core
-PKG_VERSION="1.13.3"
+PKG_VERSION="1.13.4"
PKG_HOME_URL="http://www.icinga.org/"
-PKG_REL_DATE="07-15-2015"
+PKG_REL_DATE="12-22-2016"
ac_aux_dir=
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
diff --git a/configure.in b/configure.in
index d507959..0da9056 100644
--- a/configure.in
+++ b/configure.in
@@ -9,9 +9,9 @@ AC_CONFIG_HEADER(include/config.h)
AC_PREFIX_DEFAULT(/usr/local/icinga)
PKG_NAME=icinga-core
-PKG_VERSION="1.13.3"
+PKG_VERSION="1.13.4"
PKG_HOME_URL="http://www.icinga.org/"
-PKG_REL_DATE="07-15-2015"
+PKG_REL_DATE="12-22-2016"
dnl Figure out how to invoke "install" and what install options to use.
AC_PROG_INSTALL
diff --git a/html/main.html b/html/main.html
index 95ad8cc..500b696 100644
--- a/html/main.html
+++ b/html/main.html
@@ -18,9 +18,9 @@
</div>
<div id="currentversioninfo">
-<div class="version">Version 1.13.3</div>
-<div class="releasedate">Juli 15, 2015</div>
-<div class="whatsnew"><a href="docs/en/whatsnew.html">Read what's new in Icinga 1.13.3</a></div>
+<div class="version">Version 1.13.4</div>
+<div class="releasedate">December 22, 2016</div>
+<div class="whatsnew"><a href="docs/en/whatsnew.html">Read what's new in Icinga 1.13.4</a></div>
</div>
<div id="developer">
diff --git a/icinga.spec b/icinga.spec
index d7222df..273296c 100644
--- a/icinga.spec
+++ b/icinga.spec
@@ -54,7 +54,7 @@
Summary: Open Source host, service and network monitoring program
Name: icinga
-Version: 1.13.3
+Version: 1.13.4
Release: %{revision}%{?dist}
License: GPLv2
Group: Applications/System
diff --git a/include/common.h b/include/common.h
index 3204d49..17edf05 100644
--- a/include/common.h
+++ b/include/common.h
@@ -27,8 +27,8 @@
#define PROGRAM_NAME "Icinga"
#define PROGRAM_NAME_UC "ICINGA"
#define PROGRAM_NAME_LC "icinga"
-#define PROGRAM_VERSION "1.13.3"
-#define PROGRAM_MODIFICATION_DATE "07-15-2015"
+#define PROGRAM_VERSION "1.13.4"
+#define PROGRAM_MODIFICATION_DATE "12-22-2016"
/*#define DEBUG_CHECK_IPC 1 */
/*#define DEBUG_CHECK_IPC2 1*/
diff --git a/module/idoutils/include/common.h b/module/idoutils/include/common.h
index 1abe120..9381621 100644
--- a/module/idoutils/include/common.h
+++ b/module/idoutils/include/common.h
@@ -22,8 +22,8 @@
#define LOG2IDO_NAME "LOG2IDO"
/* only one space for update-version matching */
-#define IDO_DATE "07-15-2015"
-#define IDO_VERSION "1.13.3"
+#define IDO_DATE "12-22-2016"
+#define IDO_VERSION "1.13.4"
#define IDO_SCHEMA_VERSION "1.13.0"
diff --git a/update-version b/update-version
index d83c82f..e67290f 100755
--- a/update-version
+++ b/update-version
@@ -10,10 +10,10 @@ else
fi
# Current version number
-CURRENTVERSION=1.13.3
+CURRENTVERSION=1.13.4
# Last date
-LASTDATE=07-15-2015
+LASTDATE=12-22-2016
if [ "x$1" = "x" ]
then