[Pkg-nagios-devel] Bug#697931: Bug#697931: icinga: CVE-2012-6096

Alexander Wirt formorer at debian.org
Mon Jan 14 12:17:52 UTC 2013


tag 697931 patch
thanks

Alexander Wirt schrieb am Saturday, den 12. January 2013:

> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
> 
> > Package: icinga
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > This was assigned CVE-2012-6096:
> > http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > 
> > Fix:
> > http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't that high, so I want to wait until the icinga team has an official
> patch.
Ok, I backported the official patch to stable and attached it. Should I
provide an updated package for security.d.o?

Alex
-- 
Alexander Wirt, formorer at formorer.de 
CC99 2DDD D39E 75B0 B0AA  B25C D35B BC99 BC7D 020A
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_fix_CVE-2012-6096.dpatch by  <root@>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' icinga-1.0.2~/cgi/getcgi.c icinga-1.0.2/cgi/getcgi.c
--- icinga-1.0.2~/cgi/getcgi.c	2010-06-30 09:13:42.000000000 +0000
+++ icinga-1.0.2/cgi/getcgi.c	2013-01-14 06:05:50.511798545 +0000
@@ -153,15 +153,17 @@
 		/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 		if(getenv("QUERY_STRING")==NULL){
 			cgiinput=(char *)malloc(1);
+			if (cgiinput != NULL) {
+				cgiinput[0] = '\x0';
+			}
+		} else 
+			cgiinput = strdup(getenv("QUERY_STRING"));
 			if(cgiinput==NULL){
 				printf("getcgivars(): Could not allocate memory for CGI input.\n");
 				exit(1);
-			        }
-			cgiinput[0]='\x0';
-		        }
-		else
-			cgiinput=strdup(getenv("QUERY_STRING"));
-	        }
+			}
+		}
+	}
 
 	else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){
 
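Review bot: The added `} else ` line carries no opening brace, yet the new side of this hunk closes one brace more than it opens relative to the removed text (three new `}` lines at the end against a single new `if (cgiinput != NULL) {`), so the request-method block is closed twice and the file should fail to compile unless a `{` was lost in that line's trailing whitespace. With `} else {` restored, the `if(cgiinput==NULL)` check only covers the strdup branch: a failed `malloc(1)` is merely guarded, and `cgiinput` is still NULL when it reaches `strtok(cgiinput,"&")` in the next hunk. Hoisting the check below the if/else covers both branches with the same message. The enclosing getcgivars() begins before this hunk.
```c
		} else {
			cgiinput = strdup(getenv("QUERY_STRING"));
		}
		/* one check covers both branches: the malloc(1) and the strdup */
		if(cgiinput==NULL){
			printf("getcgivars(): Could not allocate memory for CGI input.\n");
			exit(1);
		}
	}
```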
@@ -236,7 +238,11 @@
 	paircount=0;
 	nvpair=strtok(cgiinput,"&");
 	while(nvpair){
-		pairlist[paircount++]=strdup(nvpair);
+		pairlist[paircount] = strdup(nvpair);
+		if(pairlist[paircount++] == NULL) {
+			printf("getcgivars(): Could not allocate memory for name-value pair element #%d.\n", paircount);
+			exit(1);
+		}
 		if(!(paircount%256)){
 			pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));
 			if(pairlist==NULL){
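Review bot: The NULL test hides the `paircount++` inside the index expression, so the element it reads and the number it prints are off by one from each other, and the message in this hunk reports a 1-based `#%d` while the three messages added in the next hunk print the 0-based `i`. Keeping the increment separate makes the check read naturally and the numbering consistent: `if(pairlist[paircount] == NULL) {` for the test, then `paircount++;` after the closing `}` of the error block. The `while(nvpair)` loop continues past the end of the hunk.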
@@ -261,14 +267,29 @@
 		/* get the variable name preceding the equal (=) sign */
 		if((eqpos=strchr(pairlist[i],'='))!=NULL){
 			*eqpos='\0';
-			unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1));
-		        } 
+			cgivars[i*2+1] = strdup(eqpos + 1);
+			if(cgivars[i*2+1] == NULL) {
+				printf("getcgivars(): Could not allocate memory for cgi param value #%d.\n", i);
+				exit(1);
+			}
+			unescape_cgi_input(cgivars[i*2+1]);
+		} 
 		else
-			unescape_cgi_input(cgivars[i*2+1]=strdup(""));
+			cgivars[i*2+1] = strdup("");
+			if(cgivars[i*2+1] == NULL) {
+				printf("getcgivars(): Could not allocate memory for empty cgi param value #%d.\n", i);
+				exit(1);
+			}
+			unescape_cgi_input(cgivars[i*2+1]);
 
 		/* get the variable value (or name/value of there was no real "pair" in the first place) */
-		unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i]));
-	        }
+		cgivars[i*2] = strdup(pairlist[i]);
+		if(cgivars[i*2] == NULL) {
+			printf("getcgivars(): Could not allocate memory for cgi param name #%d.\n", i);
+			exit(1);
+		}
+		unescape_cgi_input(cgivars[i*2]);
+	}
 
 	/* terminate the name-value list */
 	cgivars[paircount*2]='\x0';
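Review bot: The `else` that precedes the `strdup("")` assignment is unbraced, so of the six lines added after it only the assignment belongs to the else branch; the NULL check and the `unescape_cgi_input(cgivars[i*2+1]);` that follow run on every iteration. For a pair that did contain `=`, the value is therefore passed through unescape_cgi_input twice, once in the if branch and again after it, and any filtering that assumes a single decoding pass sees a different string than intended. Brace the branch: change `else` to `else {` and add a matching `}` after the second `unescape_cgi_input(cgivars[i*2+1]);`. The `for` loop this sits in starts before the hunk.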
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' icinga-1.0.2~/cgi/history.c icinga-1.0.2/cgi/history.c
--- icinga-1.0.2~/cgi/history.c	2010-06-30 09:13:42.000000000 +0000
+++ icinga-1.0.2/cgi/history.c	2013-01-14 06:05:50.511798545 +0000
@@ -808,16 +808,16 @@
 			else if(display_type==DISPLAY_HOSTS){
 
 				if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){
-					sprintf(match1," HOST ALERT: %s;",host_name);
-					sprintf(match2," SERVICE ALERT: %s;",host_name);
+					snprintf(match1, sizeof(match1), " HOST ALERT: %s;", host_name);
+					snprintf(match2, sizeof(match2), " SERVICE ALERT: %s;", host_name);
 				        }
 				else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){
-					sprintf(match1," HOST FLAPPING ALERT: %s;",host_name);
-					sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name);
+					snprintf(match1, sizeof(match1), " HOST FLAPPING ALERT: %s;", host_name);
+					snprintf(match2, sizeof(match2), " SERVICE FLAPPING ALERT: %s;", host_name);
 				        }
 				else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){
-					sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name);
-					sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name);
+					snprintf(match1, sizeof(match1), " HOST DOWNTIME ALERT: %s;", host_name);
+					snprintf(match2, sizeof(match2), " SERVICE DOWNTIME ALERT: %s;", host_name);
 				        }
 
 				if(show_all_hosts==TRUE)
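Review bot: The six new `snprintf` calls truncate silently when `host_name` does not fit in `match1`/`match2`, and a truncated pattern loses its trailing `;`, so the later `strstr(temp_buffer,match1)` (visible in the hunk at @@ -856) degrades from an exact-name match to a prefix match that can display another host's entries; the three calls in the @@ -856 hunk have the same issue. `sizeof(match1)` is also only the buffer size if match1 and match2 are arrays rather than pointers — their declarations are above the hunk, so confirm. Checking the return value and treating `>= (int)sizeof(match1)` as "no match" for that entry (for example by leaving `display_line` FALSE) avoids comparing a truncated pattern. The enclosing function begins before this hunk.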
@@ -856,11 +856,11 @@
 			else if(display_type==DISPLAY_SERVICES){
 
 				if(history_type==SERVICE_HISTORY)
-					sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description);
+					snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, service_desc);
 				else if(history_type==SERVICE_FLAPPING_HISTORY)
-					sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description);
+					snprintf(match1, sizeof(match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, service_desc);
 				else if(history_type==SERVICE_DOWNTIME_HISTORY)
-					sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description);
+					snprintf(match1, sizeof(match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, service_desc);
 
 				if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY))
 					display_line=TRUE;
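Review bot: The three replacement lines pass `service_desc` where the removed 1.0.2 lines passed `svc_description`, so unless this function declares both names the backport will not compile, and if it does declare both the pattern is now built from a different variable than before. The rest of the hunk is a mechanical sprintf-to-snprintf conversion, so the intended line is presumably `snprintf(match1, sizeof(match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);` with the FLAPPING and DOWNTIME cases changed the same way. The declaration is outside the hunk; verify against the 1.0.2 history.c before uploading.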

