Date: Fri, 11 Jan 2013 17:30:06 +1030 (CST) From: Jarrod Sayers <jarrod@mail.downtools.com.au> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/175196: [maintainer-update] net-mgmt/nagios: CVE-2012-6096 Remote Command Execution Vulnerability Message-ID: <201301110700.r0B706bg056505@mail.downtools.com.au> Resent-Message-ID: <201301110710.r0B7A04Z017138@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 175196 >Category: ports >Synopsis: [maintainer-update] net-mgmt/nagios: CVE-2012-6096 Remote Command Execution Vulnerability >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Fri Jan 11 07:10:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Jarrod Sayers >Release: FreeBSD 9.0-RELEASE-p5 i386 >Organization: >Environment: System: FreeBSD mail.downtools.com.au 9.0-RELEASE-p5 FreeBSD 9.0-RELEASE-p5 #23: Sat Dec 15 08:56:43 CST 2012 root@burbank.downtools.com.au:/usr/obj/usr/src/sys/BURBANK i386 >Description: CVE-2012-6096 Remote Command Execution Vulnerability Apply two manual patches as per revision 2547 from the Nagios source code repository. Both patches obtained 5:00pm Australian Central Daylight Time from upstream source [1,2]. Also, bump port revision to 3.4.3_1. The patch should have the following SHA1 checksum: SHA1 (net-mgmt-nagios-3.4.3_1.diff) = 86912497401865efdeab6602f6fcf7631c073755 Files modified: - ports/net-mgmt/nagios/Makefile Files added: - ports/net-mgmt/nagios/files/patch-CVE-2012-6096 [1] http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/getcgi.c?view=patch&r1=2547&r2=2546&pathrev=2547 [2] http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/history.c?view=patch&r1=2547&r2=2546&pathrev=2547 >How-To-Repeat: >Fix: Like always, the patch can also be obtained from: http://www.downtools.com.au/~jarrod/FreeBSD/net-mgmt-nagios-3.4.3_1.diff --- net-mgmt-nagios-3.4.3_1.diff begins here --- diff -ruN ports/net-mgmt/nagios.orig/Makefile ports/net-mgmt/nagios/Makefile --- ports/net-mgmt/nagios.orig/Makefile 2013-01-11 05:42:02.403593000 +1030 +++ ports/net-mgmt/nagios/Makefile 2013-01-11 17:10:30.000000000 +1030 @@ -3,6 +3,7 @@ PORTNAME= nagios PORTVERSION= 3.4.3 +PORTREVISION= 1 CATEGORIES= net-mgmt MASTER_SITES= SF/${PORTNAME}/${PORTNAME}-3.x/${PORTNAME}-${PORTVERSION} diff -ruN ports/net-mgmt/nagios.orig/files/patch-CVE-2012-6096 ports/net-mgmt/nagios/files/patch-CVE-2012-6096 --- ports/net-mgmt/nagios.orig/files/patch-CVE-2012-6096 1970-01-01 09:30:00.000000000 +0930 +++ ports/net-mgmt/nagios/files/patch-CVE-2012-6096 2013-01-11 17:05:56.000000000 +1030 @@ -0,0 +1,117 @@ +--- cgi/getcgi.c.orig 2011-08-17 17:06:27.000000000 +0930 ++++ cgi/getcgi.c 2013-01-11 17:02:53.000000000 +1030 +@@ -137,14 +137,15 @@ + /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */ + if(getenv("QUERY_STRING") == NULL) { + cgiinput = (char *)malloc(1); +- if(cgiinput == NULL) { +- printf("getcgivars(): Could not allocate memory for CGI input.\n"); +- exit(1); +- } +- cgiinput[0] = '\x0'; ++ if(cgiinput != NULL) ++ cgiinput[0] = '\x0'; + } + else + cgiinput = strdup(getenv("QUERY_STRING")); ++ if(cgiinput == NULL) { ++ printf("getcgivars(): Could not allocate memory for CGI input.\n"); ++ exit(1); ++ } + } + + else if(!strcmp(request_method, "POST") || !strcmp(request_method, "PUT")) { +@@ -220,7 +221,12 @@ + paircount = 0; + nvpair = strtok(cgiinput, "&"); + while(nvpair) { +- pairlist[paircount++] = strdup(nvpair); ++ pairlist[paircount] = strdup(nvpair); ++ if( NULL == pairlist[paircount]) { ++ printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount); ++ exit(1); ++ } ++ paircount++; + if(!(paircount % 256)) { + pairlist = (char **)realloc(pairlist, (paircount + 256) * sizeof(char **)); + if(pairlist == NULL) { +@@ -245,13 +251,29 @@ + /* get the variable name preceding the equal (=) sign */ + if((eqpos = strchr(pairlist[i], '=')) != NULL) { + *eqpos = '\0'; +- unescape_cgi_input(cgivars[i * 2 + 1] = strdup(eqpos + 1)); ++ cgivars[i * 2 + 1] = strdup(eqpos + 1); ++ if( NULL == cgivars[ i * 2 + 1]) { ++ printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i); ++ exit(1); ++ } ++ unescape_cgi_input(cgivars[i * 2 + 1]); ++ } ++ else { ++ cgivars[i * 2 + 1] = strdup(""); ++ if( NULL == cgivars[ i * 2 + 1]) { ++ printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i); ++ exit(1); ++ } ++ unescape_cgi_input(cgivars[i * 2 + 1]); + } +- else +- unescape_cgi_input(cgivars[i * 2 + 1] = strdup("")); + + /* get the variable value (or name/value of there was no real "pair" in the first place) */ +- unescape_cgi_input(cgivars[i * 2] = strdup(pairlist[i])); ++ cgivars[i * 2] = strdup(pairlist[i]); ++ if( NULL == cgivars[ i * 2]) { ++ printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i); ++ exit(1); ++ } ++ unescape_cgi_input(cgivars[i * 2]); + } + + /* terminate the name-value list */ +--- cgi/history.c.orig 2011-08-17 17:06:27.000000000 +0930 ++++ cgi/history.c 2013-01-11 17:03:18.000000000 +1030 +@@ -805,16 +805,22 @@ + else if(display_type == DISPLAY_HOSTS) { + + if(history_type == HOST_HISTORY || history_type == SERVICE_HISTORY) { +- sprintf(match1, " HOST ALERT: %s;", host_name); +- sprintf(match2, " SERVICE ALERT: %s;", host_name); ++ snprintf(match1, sizeof( match1), ++ " HOST ALERT: %s;", host_name); ++ snprintf(match2, sizeof( match2), ++ " SERVICE ALERT: %s;", host_name); + } + else if(history_type == HOST_FLAPPING_HISTORY || history_type == SERVICE_FLAPPING_HISTORY) { +- sprintf(match1, " HOST FLAPPING ALERT: %s;", host_name); +- sprintf(match2, " SERVICE FLAPPING ALERT: %s;", host_name); ++ snprintf(match1, sizeof( match1), ++ " HOST FLAPPING ALERT: %s;", host_name); ++ snprintf(match2, sizeof( match2), ++ " SERVICE FLAPPING ALERT: %s;", host_name); + } + else if(history_type == HOST_DOWNTIME_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY) { +- sprintf(match1, " HOST DOWNTIME ALERT: %s;", host_name); +- sprintf(match2, " SERVICE DOWNTIME ALERT: %s;", host_name); ++ snprintf(match1, sizeof( match1), ++ " HOST DOWNTIME ALERT: %s;", host_name); ++ snprintf(match2, sizeof( match2), ++ " SERVICE DOWNTIME ALERT: %s;", host_name); + } + + if(show_all_hosts == TRUE) +@@ -853,11 +859,11 @@ + else if(display_type == DISPLAY_SERVICES) { + + if(history_type == SERVICE_HISTORY) +- sprintf(match1, " SERVICE ALERT: %s;%s;", host_name, svc_description); ++ snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description); + else if(history_type == SERVICE_FLAPPING_HISTORY) +- sprintf(match1, " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description); ++ snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description); + else if(history_type == SERVICE_DOWNTIME_HISTORY) +- sprintf(match1, " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description); ++ snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description); + + if(strstr(temp_buffer, match1) && (history_type == SERVICE_HISTORY || history_type == SERVICE_FLAPPING_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY)) + display_line = TRUE; --- net-mgmt-nagios-3.4.3_1.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201301110700.r0B706bg056505>