[Pkg-nagios-devel] Bug#697930: nagios3: CVE-2012-6096

Jonathan Wiltshire jmw at debian.org
Fri Feb 1 22:09:34 UTC 2013


On Sun, Jan 20, 2013 at 08:49:26PM +0100, Moritz Mühlenhoff wrote:
> On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
> > Control: found -1 3.2.1-2
> > 
> > On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> > >Package: nagios3
> > >Severity: grave
> > >Tags: security
> > >Justification: user security hole
> > >
> > >This was assigned CVE-2012-6096:
> > >
> > >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > >
> > >Fix:
> > >
> > >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> > 
> > I tested against squeeze and reproduced the problem. We use nagios
> > at work so I'm happy to prepare DSA packages if required.
> 
> Jonathan, can you prepare packages for stable-security now that we have
> a final patch?

Ok, I now have tested packages for stable-security for nagios3, debdiff
and DSA text attached.

-- 
Jonathan Wiltshire                                      jmw at debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits
-------------- next part --------------
diff -u nagios3-3.2.1/debian/changelog nagios3-3.2.1/debian/changelog
--- nagios3-3.2.1/debian/changelog
+++ nagios3-3.2.1/debian/changelog
@@ -1,3 +1,11 @@
+nagios3 (3.2.1-2+squeeze1) squeeze-security; urgency=low
+
+  * Non-maintainer upload.
+  * Backport 99_security_cve_2012_6096.dpatch for Squeeze, fixes
+    a buffer overflow crasher (Closes: #697930) CVE-2012-6096
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Fri, 01 Feb 2013 18:35:55 +0000
+
 nagios3 (3.2.1-2) unstable; urgency=low
 
   * Fix "Missing conflict with nagios3 v3.0.6-4~lenny2 (/usr/lib/cgi-
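Review bot: the entry only describes the crash fix, but the dpatch also changes allocation-failure handling in getcgi.c (getcgivars); a second bullet such as "Also check strdup()/malloc() results in getcgi.c" would tell a reviewer of the debdiff the full scope of the backport. The CVE reference is also more conventional at the start of the bullet ("CVE-2012-6096: fix buffer overflow ... (Closes: #697930)"), which is a style point only.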
diff -u nagios3-3.2.1/debian/patches/00list nagios3-3.2.1/debian/patches/00list
--- nagios3-3.2.1/debian/patches/00list
+++ nagios3-3.2.1/debian/patches/00list
@@ -8,0 +9 @@
+99_security_cve_2012_6096.dpatch
only in patch2:
unchanged:
--- nagios3-3.2.1.orig/debian/patches/99_security_cve_2012_6096.dpatch
+++ nagios3-3.2.1/debian/patches/99_security_cve_2012_6096.dpatch
@@ -0,0 +1,128 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_securit_cve_2012_6096.dpatch by Alexander Wirt <formorer at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096)
+## DP: Debian Bug #697930
+## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/getcgi.c nagios3-3.2.1/cgi/getcgi.c
+--- nagios3-3.2.1~/cgi/getcgi.c	2013-02-01 20:30:08.000000000 +0000
++++ nagios3-3.2.1/cgi/getcgi.c	2013-02-01 20:31:07.000000000 +0000
+@@ -137,14 +137,15 @@
+ 		/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
+ 		if(getenv("QUERY_STRING")==NULL){
+ 			cgiinput=(char *)malloc(1);
+-			if(cgiinput==NULL){
+-				printf("getcgivars(): Could not allocate memory for CGI input.\n");
+-				exit(1);
+-			        }
+-			cgiinput[0]='\x0';
++			if(cgiinput != NULL)
++				cgiinput[0]='\x0';
+ 		        }
+ 		else
+ 			cgiinput=strdup(getenv("QUERY_STRING"));
++		if(cgiinput==NULL){
++			printf("getcgivars(): Could not allocate memory for CGI input.\n");
++			exit(1);
++		        }
+ 	        }
+ 
+ 	else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){
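Review bot: the header line `## 99_securit_cve_2012_6096.dpatch` misspells the patch name; it should read `99_security_cve_2012_6096.dpatch` to match the file added to 00list and named in the changelog. In the same header, `@DPATCH@` appears as ` at DPATCH@` in this archive copy, which is the list's address obfuscation rather than the file content, but it is worth confirming the real file still carries the literal marker or dpatch-run will not apply it. The hunk itself is sound: moving the single NULL check after both the malloc(1) and strdup() branches covers the strdup() failure the old code missed, and the `if(cgiinput != NULL)` guard on the malloc branch avoids a NULL write before that check.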
+@@ -220,7 +221,12 @@
+ 	paircount=0;
+ 	nvpair=strtok(cgiinput,"&");
+ 	while(nvpair){
+-		pairlist[paircount++]=strdup(nvpair);
++		pairlist[paircount] = strdup(nvpair);
++		if( NULL == pairlist[paircount]) {
++			printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
++			exit(1);
++			}
++		paircount++;
+ 		if(!(paircount%256)){
+ 			pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));
+ 			if(pairlist==NULL){
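Review bot: the ordering is correct, since the strdup() result is checked before `paircount++`, so the realloc at every multiple of 256 still runs after the slot has been filled. Two points in the surrounding context, not introduced here: `sizeof(char **)` should be `sizeof(char *)` (the element type of pairlist; the sizes are equal on every supported platform, so this is cosmetic), and assigning the realloc() result straight back to `pairlist` loses the old pointer on failure, which is tolerable only because the next line exits(1).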
+@@ -245,13 +251,29 @@
+ 		/* get the variable name preceding the equal (=) sign */
+ 		if((eqpos=strchr(pairlist[i],'='))!=NULL){
+ 			*eqpos='\0';
+-			unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
++			cgivars[i * 2 + 1] = strdup(eqpos + 1);
++			if( NULL == cgivars[ i * 2 + 1]) {
++				printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
++				exit(1);
++				}
++			unescape_cgi_input(cgivars[i * 2 + 1]);
++			}
++		else {
++			cgivars[i * 2 + 1] = strdup("");
++			if( NULL == cgivars[ i * 2 + 1]) {
++				printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
++				exit(1);
++				}
++			unescape_cgi_input(cgivars[i * 2 + 1]);
+ 		        } 
+-		else
+-			unescape_cgi_input(cgivars[i*2+1]=strdup(""));
+ 
+ 		/* get the variable value (or name/value of there was no real "pair" in the first place) */
+-		unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
++		cgivars[i * 2] = strdup(pairlist[i]);
++		if( NULL == cgivars[ i * 2]) {
++			printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
++			exit(1);
++			}
++		unescape_cgi_input(cgivars[i * 2]);
+ 	        }
+ 
+ 	/* terminate the name-value list */
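Review bot: the message on the empty-value path reads "empty stringfor variable value", missing a space ("empty string for variable value"). Calling `unescape_cgi_input()` on the freshly duplicated "" is a no-op kept from the original; it is harmless but could be dropped. The three allocate-check-unescape sequences are now identical apart from the message text and would be cleaner as a small helper, though for a security backport keeping the diff minimal is a reasonable choice.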
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/history.c nagios3-3.2.1/cgi/history.c
+--- nagios3-3.2.1~/cgi/history.c	2013-02-01 20:30:08.000000000 +0000
++++ nagios3-3.2.1/cgi/history.c	2013-02-01 20:31:07.000000000 +0000
+@@ -805,16 +805,22 @@
+ 			else if(display_type==DISPLAY_HOSTS){
+ 
+ 				if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){
+-					sprintf(match1," HOST ALERT: %s;",host_name);
+-					sprintf(match2," SERVICE ALERT: %s;",host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE ALERT: %s;", host_name);
+ 				        }
+ 				else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){
+-					sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
+-					sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST FLAPPING ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE FLAPPING ALERT: %s;", host_name);
+ 				        }
+ 				else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){
+-					sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
+-					sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST DOWNTIME ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE DOWNTIME ALERT: %s;", host_name);
+ 				        }
+ 
+ 				if(show_all_hosts==TRUE)
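Review bot: `sizeof( match1)` and `sizeof( match2)` bound the write correctly only if match1 and match2 are declared as fixed-size arrays in this function; their declarations are outside the hunk, so please confirm they are arrays and not `char *`, otherwise sizeof gives the pointer size and the bound is wrong. Style: the `snprintf(match1, sizeof( match1), ` lines carry trailing whitespace, and the space after `sizeof(` differs from the rest of the file.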
+@@ -853,11 +859,11 @@
+ 			else if(display_type==DISPLAY_SERVICES){
+ 
+ 				if(history_type==SERVICE_HISTORY)
+-					sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
+ 				else if(history_type==SERVICE_FLAPPING_HISTORY)
+-					sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
+ 				else if(history_type==SERVICE_DOWNTIME_HISTORY)
+-					sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
+ 
+ 				if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY))
+ 					display_line=TRUE;
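Review bot: snprintf() stops the overflow but truncates silently, so when host_name plus svc_description exceeds the match1 buffer the pattern becomes a prefix, and the `strstr(temp_buffer,match1)` test below can then match log lines for other hosts or services. Consider checking the return value (`if(snprintf(...) >= sizeof(match1))`) and skipping or logging such entries; at minimum this behaviour is worth a comment, since it changes what the CGI displays rather than crashing it.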
-------------- next part --------------
From: Jonathan Wiltshire <jmw at debian.org>
To: debian-security-announce at lists.debian.org
Subject: [DSA 2616-1] nagios3 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2616-1                   security at debian.org
http://www.debian.org/security/                        Jonathan Wiltshire
February 01, 2013                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nagios3
Vulnerability  : buffer overflow in CGI scripts
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-6096
Debian Bug     : 697930

A buffer overflow problem has been found in nagios3, a host/service/network
monitoring and management system. A malicious client could craft a
request to history.cgi and cause application crashes.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.1-2+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.4.1-3.

We recommend that you upgrade your nagios3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce at lists.debian.org
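The advisory above describes the history.cgi overflow only in outline. As an added illustration (not Nagios code and not part of this mail), the following C builds the same " HOST ALERT: <host>;" search pattern the patched history.cgi constructs, but also reports snprintf() truncation, which the patch does not check; MATCH_LEN and the log line are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Demo buffer size, an assumption for this example (not the CGI's real size). */
#define MATCH_LEN 64

/* Bounded version of the pattern build. Returns 1 if the pattern fit,
 * 0 if it was truncated (buf is still NUL-terminated), -1 on format error. */
int build_host_alert_match(char *buf, size_t buflen, const char *host_name) {
    int n = snprintf(buf, buflen, " HOST ALERT: %s;", host_name);
    if (n < 0)
        return -1;
    return (size_t)n < buflen ? 1 : 0;
}

/* Bytes the unbounded sprintf() in the pre-patch code would have written,
 * including the NUL; computed without writing anything. */
size_t host_alert_match_needed(const char *host_name) {
    return strlen(" HOST ALERT: ") + strlen(host_name) + strlen(";") + 1;
}

/* Match a log line only when the pattern was complete: a truncated pattern
 * is a bare prefix and could match alerts for unrelated hosts. */
int line_matches_host(const char *line, const char *host_name) {
    char match[MATCH_LEN];
    if (build_host_alert_match(match, sizeof(match), host_name) != 1)
        return 0;
    return strstr(line, match) != NULL;
}

int main(void) {
    char match[MATCH_LEN];
    char long_host[200];                 /* constructed oversize host name */
    memset(long_host, 'A', sizeof(long_host) - 1);
    long_host[sizeof(long_host) - 1] = '\0';

    printf("short host fits: %d\n",
           build_host_alert_match(match, sizeof(match), "web01"));
    printf("long host truncated: %d (sprintf would have written %zu bytes)\n",
           build_host_alert_match(match, sizeof(match), long_host),
           host_alert_match_needed(long_host));
    printf("constructed log line matches web01: %d\n",
           line_matches_host("[1359756000] HOST ALERT: web01;DOWN;HARD;1;ping timeout",
                             "web01"));
    return 0;
}
```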