[pkg-nagios-changes] [Git][nagios-team/pkg-monitoring-plugins][master] 2 commits: New changelog

Jan Wagner gitlab at salsa.debian.org
Wed Apr 7 16:36:27 BST 2021



Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-monitoring-plugins


Commits:
7576422c by Jan Wagner at 2021-01-06T22:17:56+01:00
New changelog

- - - - -
c055b9a0 by Jan Wagner at 2021-04-07T17:24:41+02:00
Adding d/p/10_check_pqsql_db_name_too_strict (Closes: #982847)

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/10_check_pqsql_db_name_too_strict
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+monitoring-plugins (2.3-2) UNRELEASED; urgency=medium
+
+  * NOT RELEASED YET
+
+ -- Jan Wagner <waja at cyconet.org>  Wed, 06 Jan 2021 22:17:51 +0100
+
 monitoring-plugins (2.3-1) unstable; urgency=medium
 
   * Upload to unstable
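
Review bot: The new 2.3-2 stanza contains only the "NOT RELEASED YET" placeholder, so the patch added in c055b9a0 and its "Closes: #982847" appear in the commit subject but not in debian/changelog. Unless the changelog is regenerated from commit messages before upload, add an entry for 10_check_pqsql_db_name_too_strict with the bug closure to this stanza.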


=====================================
debian/patches/10_check_pqsql_db_name_too_strict
=====================================
@@ -0,0 +1,31 @@
+From dae075e65a38c65352d04f8c8fdfa21e2056d01c Mon Sep 17 00:00:00 2001
+From: Florian Lohoff <f at zz.de>
+Date: Mon, 15 Feb 2021 15:34:07 +0100
+Subject: [PATCH] Using snprintf which honors the buffers size and guarantees
+ null termination. (Closes: #1601)
+
+As strcpy may overflow the resulting buffer:
+
+flo at p5:~$ /tmp/f/usr/lib/nagios/plugins/check_pgsql -d "$(seq 1 10000)"
+*** buffer overflow detected ***: terminated
+Aborted
+
+I would propose to change the code rather like this, using snprintf
+which honors the buffers size and guarantees null termination.
+---
+ plugins/check_pgsql.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/check_pgsql.c b/plugins/check_pgsql.c
+index 11ce6916..b8fc5f1d 100644
+--- a/plugins/check_pgsql.c
++++ b/plugins/check_pgsql.c
+@@ -347,7 +347,7 @@ process_arguments (int argc, char **argv)
+ 			if (!is_pg_dbname (optarg)) /* checks length and valid chars */
+ 				usage2 (_("Database name is not valid"), optarg);
+ 			else /* we know length, and know optarg is terminated, so us strcpy */
+-				strcpy (dbName, optarg);
++				snprintf(dbName, NAMEDATALEN, "%s", optarg);
+ 			break;
+ 		case 'l':     /* login name */
+ 			if (!is_pg_logname (optarg))
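
Review bot: In the plugins/check_pgsql.c change the return value of snprintf is discarded, so a -d argument longer than the bound is silently truncated and the plugin continues with a different database name than the one requested. The patch description attributes the overflow to this strcpy even though the preceding call is commented as "checks length and valid chars", so the copy should not rely on that check. Suggest treating a return value >= NAMEDATALEN as an error through usage2, and, if dbName is declared as an array, bounding the copy with sizeof(dbName) so the limit follows the declaration. The context comment "we know length, and know optarg is terminated, so us strcpy" no longer matches the code and should be updated in the same patch.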


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 02_check_icmp_links
 # commited upstream
+10_check_pqsql_db_name_too_strict
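
Review bot: The new series entry is spelled check_pqsql while the file it patches is plugins/check_pgsql.c, and "db_name_too_strict" does not describe a change whose subject is bounding a copy with snprintf. Consider renaming the patch file so it carries the plugin's actual name and the nature of the fix. The entry also sits directly under the "# commited upstream" comment; confirm that grouping is intended for this patch.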



View it on GitLab: https://salsa.debian.org/nagios-team/pkg-monitoring-plugins/-/compare/d1fae5082b7e9f5854b5f1deab5b11893f59391b...c055b9a04a98bc51801333ebbecae4611e1bd7df
