Date: Tue, 14 Jan 2014 15:11:38 +0000 (UTC) From: Mathieu Arnold <mat@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r339690 - in branches/2014Q1: net-mgmt/nagios net-mgmt/nagios/files security/vuxml Message-ID: <201401141511.s0EFBcBP014325@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mat Date: Tue Jan 14 15:11:38 2014 New Revision: 339690 URL: http://svnweb.freebsd.org/changeset/ports/339690 Log: MFH: r339686, r339689 * Add a patch from upstream fixing a cgi vulnerability Poked by: ohauer Security: CVE-2013-7108 CVE-2013-7205 Added: branches/2014Q1/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866 - copied unchanged from r339689, head/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866 Modified: branches/2014Q1/net-mgmt/nagios/Makefile branches/2014Q1/security/vuxml/vuln.xml Directory Properties: branches/2014Q1/ (props changed) Modified: branches/2014Q1/net-mgmt/nagios/Makefile ============================================================================== --- branches/2014Q1/net-mgmt/nagios/Makefile Tue Jan 14 14:23:36 2014 (r339689) +++ branches/2014Q1/net-mgmt/nagios/Makefile Tue Jan 14 15:11:38 2014 (r339690) @@ -3,6 +3,7 @@ PORTNAME= nagios PORTVERSION= 3.5.1 +PORTREVISION= 3 CATEGORIES= net-mgmt MASTER_SITES= SF/${PORTNAME}/${PORTNAME}-3.x/${PORTNAME}-${PORTVERSION} @@ -97,7 +98,7 @@ post-extract: .include <bsd.port.options.mk> post-patch: - @${REINPLACE_CMD} -e '/^INSTALL_OPTS=/d' `${FIND} ${WRKSRC} -name Makefile.in` + @${REINPLACE_CMD} -e '/^INSTALL_OPTS=/d;/^COMMAND_OPTS=/d' `${FIND} ${WRKSRC} -name Makefile.in` .if ${PORT_OPTIONS:MUNHANDLED_HACK} @${REINPLACE_CMD} -e 's#;serviceprops=42\&#;serviceprops=10\&#g' \ -e 's#;hostprops=42\"#;hostprops=10\"#g' ${WRKSRC}/html/side.php Copied: branches/2014Q1/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866 (from r339689, head/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2014Q1/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866 Tue Jan 14 15:11:38 2014 (r339690, copy of r339689, head/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866) @@ -0,0 +1,175 @@ +commit d97e03f32741a7d851826b03ed73ff4c9612a866 +Author: Eric Stanley <estanley@nagios.com> +Date: 2013-12-20 13:14:30 -0600 + + CGIs: Fixed minor vulnerability where a custom query could crash the CGI. + + Most CGIs previously incremented the input variable counter twice when + it encountered a long key value. This could cause the CGI to read past + the end of the list of CGI variables. This commit removes the second + increment, removing the possibility of reading past the end of the list + of CGI variables. + +diff --git ./cgi/avail.c ./cgi/avail.c +index 76afd86..64eaadc 100644 +--- ./cgi/avail.c ++++ ./cgi/avail.c +@@ -1096,7 +1096,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/cmd.c ./cgi/cmd.c +index fa6cf5a..50504eb 100644 +--- ./cgi/cmd.c ++++ ./cgi/cmd.c +@@ -311,7 +311,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/config.c ./cgi/config.c +index f061b0f..3360e70 100644 +--- ./cgi/config.c ++++ ./cgi/config.c +@@ -344,7 +344,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/extinfo.c ./cgi/extinfo.c +index 62a1b18..5113df4 100644 +--- ./cgi/extinfo.c ++++ ./cgi/extinfo.c +@@ -591,7 +591,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/histogram.c ./cgi/histogram.c +index 4616541..f6934d0 100644 +--- ./cgi/histogram.c ++++ ./cgi/histogram.c +@@ -1060,7 +1060,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/notifications.c ./cgi/notifications.c +index 8ba11c1..461ae84 100644 +--- ./cgi/notifications.c ++++ ./cgi/notifications.c +@@ -327,7 +327,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/outages.c ./cgi/outages.c +index 426ede6..cb58dee 100644 +--- ./cgi/outages.c ++++ ./cgi/outages.c +@@ -225,7 +225,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/status.c ./cgi/status.c +index 3253340..4ec1c92 100644 +--- ./cgi/status.c ++++ ./cgi/status.c +@@ -567,7 +567,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/statusmap.c ./cgi/statusmap.c +index ea48368..2580ae5 100644 +--- ./cgi/statusmap.c ++++ ./cgi/statusmap.c +@@ -400,7 +400,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/statuswml.c ./cgi/statuswml.c +index bd8cea2..d25abef 100644 +--- ./cgi/statuswml.c ++++ ./cgi/statuswml.c +@@ -226,8 +226,13 @@ int process_cgivars(void) { + + for(x = 0; variables[x] != NULL; x++) { + ++ /* do some basic length checking on the variable identifier to prevent buffer overflows */ ++ if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { ++ continue; ++ } ++ + /* we found the hostgroup argument */ +- if(!strcmp(variables[x], "hostgroup")) { ++ else if(!strcmp(variables[x], "hostgroup")) { + display_type = DISPLAY_HOSTGROUP; + x++; + if(variables[x] == NULL) { +diff --git ./cgi/summary.c ./cgi/summary.c +index 126ce5e..749a02c 100644 +--- ./cgi/summary.c ++++ ./cgi/summary.c +@@ -725,7 +725,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/trends.c ./cgi/trends.c +index b35c18e..895db01 100644 +--- ./cgi/trends.c ++++ ./cgi/trends.c +@@ -1263,7 +1263,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./contrib/daemonchk.c ./contrib/daemonchk.c +index 78716e5..9bb6c4b 100644 +--- ./contrib/daemonchk.c ++++ ./contrib/daemonchk.c +@@ -174,7 +174,6 @@ static int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + } Modified: branches/2014Q1/security/vuxml/vuln.xml ============================================================================== --- branches/2014Q1/security/vuxml/vuln.xml Tue Jan 14 14:23:36 2014 (r339689) +++ branches/2014Q1/security/vuxml/vuln.xml Tue Jan 14 15:11:38 2014 (r339690) @@ -51,6 +51,36 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="ba04a373-7d20-11e3-8992-00132034b086"> + <topic>nagios -- denial of service vulnerability</topic> + <affects> + <package> + <name>nagios</name> + <range><lt>3.5.1_3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Eric Stanley reports:</p> + <blockquote cite="http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/">; + <p>Most CGIs previously incremented the input variable counter twice + when it encountered a long key value. This could cause the CGI to + read past the end of the list of CGI variables.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-7108</cvename> + <cvename>CVE-2013-7205</cvename> + <url>http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/</url>; + <url>https://bugzilla.redhat.com/show_bug.cgi?id=1046113</url>; + </references> + <dates> + <discovery>2013-12-20</discovery> + <entry>2014-01-14</entry> + </dates> + </vuln> + <vuln vid="cb252f01-7c43-11e3-b0a6-005056a37f68"> <topic>bind -- denial of service vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201401141511.s0EFBcBP014325>