[Pkg-nagios-devel] Bug#744922: check_packages: check for security updates broken

Felix Geyer fgeyer at debian.org
Wed Apr 16 09:47:34 UTC 2014


Package: nagios-plugins-contrib
Version: 9.20140106
Tags: patch

check_packages incorrectly determines whether a security update is available
in the following cases:

1)
libxml2:
  Installed: 2.8.0+dfsg1-7+nmu2
  Candidate: 2.8.0+dfsg1-7+nmu3
  Version table:
     2.8.0+dfsg1-7+nmu3 0
        500 http://ftp.fr.debian.org/debian/ wheezy-proposed-updates/main amd64 Packages
 *** 2.8.0+dfsg1-7+nmu2 0
        500 http://ftp.fr.debian.org/debian/ wheezy/main amd64 Packages
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status

check_packages thinks there is a security update because it sees the security line
without checking if that is actually part of the update.
$candidate_found is set to 1 after the "2.8.0+dfsg1-7+nmu3 0" line and never reset to 0.

2)
[this apt-cache policy output is faked]
libxml2:
  Installed: 2.8.0+dfsg1-7+nmu2
  Candidate: 2.8.0+dfsg1-7+nmu4
  Version table:
     2.8.0+dfsg1-7+nmu4 0
        500 http://ftp.fr.debian.org/debian/ wheezy-updates/main amd64 Packages
     2.8.0+dfsg1-7+nmu3 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 2.8.0+dfsg1-7+nmu2 0
        500 http://ftp.fr.debian.org/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status

Here it fails to notice the security update. $candidate_found is set to 0 after
the "2.8.0+dfsg1-7+nmu3 0" line so it fails to notice that a previous unapplied update
fixed a security issue.

The attached updated security_updates_critical patch fixes this by resetting
$candidate_found only when parsing a different package from the apt-cache output or
when parsing the installed version.

Cheers,
Felix
-------------- next part --------------
A non-text attachment was scrubbed...
Name: security_updates_critical
Type: text/x-diff
Size: 2911 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20140416/e86fc611/attachment.diff>

