Bug 175196 - [maintainer-update] net-mgmt/nagios: CVE-2012-6096 Remote Command Execution Vulnerability
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assigned To: Ruslan Makhmatkhanov
Depends on:
Blocks:
Reported: 2013-01-11 07:10 UTC by jarrod
Modified: 2013-01-11 07:50 UTC
CC List: 0 users

See Also:


Attachments
net-mgmt-nagios-3.4.3_1.diff (5.48 KB, patch)
2013-01-11 07:10 UTC, jarrod

Description jarrod 2013-01-11 07:10:00 UTC
CVE-2012-6096 Remote Command Execution Vulnerability

Apply two manual patches as per revision 2547 from the Nagios source code
repository.  Both patches obtained 5:00pm Australian Central Daylight Time
from upstream source [1,2].  Also, bump port revision to 3.4.3_1.

The patch should have the following SHA1 checksum:
SHA1 (net-mgmt-nagios-3.4.3_1.diff) = 86912497401865efdeab6602f6fcf7631c073755

Files modified:
- ports/net-mgmt/nagios/Makefile

Files added:
- ports/net-mgmt/nagios/files/patch-CVE-2012-6096

[1] http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/getcgi.c?view=patch&r1=2547&r2=2546&pathrev=2547
[2] http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/history.c?view=patch&r1=2547&r2=2546&pathrev=2547

Fix: Like always, the patch can also be obtained from:
http://www.downtools.com.au/~jarrod/FreeBSD/net-mgmt-nagios-3.4.3_1.diff
Comment 1 Edwin Groothuis freebsd_committer 2013-01-11 07:10:08 UTC
Class Changed
From-To: maintainer-update->change-request

Fix category (submitter is not maintainer) (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer 2013-01-11 07:10:09 UTC
Maintainer of net-mgmt/nagios,

Please note that PR ports/175196 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/175196

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 3 Edwin Groothuis freebsd_committer 2013-01-11 07:10:10 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 4 Ruslan Makhmatkhanov freebsd_committer 2013-01-11 07:23:16 UTC
Responsible Changed
From-To: freebsd-ports-bugs->rm

I will take it.
Comment 5 dfilter freebsd_committer 2013-01-11 07:42:41 UTC
Author: rm
Date: Fri Jan 11 07:42:34 2013
New Revision: 310219
URL: http://svnweb.freebsd.org/changeset/ports/310219

Log:
  - add upstream patch for CVE-2012-6096
  
  PR:		175196
  Submitted by:	Jarrod Sayers <jarrod@mail.downtools.com.au> (maintainer)
  Security:	97c22a94-5b8b-11e2-b131-000c299b62e1

Added:
  head/net-mgmt/nagios/files/patch-CVE-2012-6096   (contents, props changed)
Modified:
  head/net-mgmt/nagios/Makefile   (contents, props changed)

Modified: head/net-mgmt/nagios/Makefile
==============================================================================
--- head/net-mgmt/nagios/Makefile	Fri Jan 11 07:18:27 2013	(r310218)
+++ head/net-mgmt/nagios/Makefile	Fri Jan 11 07:42:34 2013	(r310219)
@@ -3,6 +3,7 @@
 
 PORTNAME=	nagios
 PORTVERSION=	3.4.3
+PORTREVISION=	1
 CATEGORIES=	net-mgmt
 MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}-3.x/${PORTNAME}-${PORTVERSION}
 

Added: head/net-mgmt/nagios/files/patch-CVE-2012-6096
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net-mgmt/nagios/files/patch-CVE-2012-6096	Fri Jan 11 07:42:34 2013	(r310219)
@@ -0,0 +1,117 @@
+--- cgi/getcgi.c.orig	2011-08-17 17:06:27.000000000 +0930
++++ cgi/getcgi.c	2013-01-11 17:02:53.000000000 +1030
+@@ -137,14 +137,15 @@
+ 		/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
+ 		if(getenv("QUERY_STRING") == NULL) {
+ 			cgiinput = (char *)malloc(1);
+-			if(cgiinput == NULL) {
+-				printf("getcgivars(): Could not allocate memory for CGI input.\n");
+-				exit(1);
+-				}
+-			cgiinput[0] = '\x0';
++			if(cgiinput != NULL) 
++				cgiinput[0] = '\x0';
+ 			}
+ 		else
+ 			cgiinput = strdup(getenv("QUERY_STRING"));
++		if(cgiinput == NULL) {
++			printf("getcgivars(): Could not allocate memory for CGI input.\n");
++			exit(1);
++			}
+ 		}
+ 
+ 	else if(!strcmp(request_method, "POST") || !strcmp(request_method, "PUT")) {
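Review bot: moving the single `if(cgiinput == NULL)` check to after the if/else closes a real gap: the old code only checked the malloc() result in the empty-QUERY_STRING branch, while the strdup(getenv("QUERY_STRING")) result in the else branch was never checked, so a failed allocation could hand a NULL cgiinput to the strtok() call later in the function. Two minor points: the new `if(cgiinput != NULL) ` line carries trailing whitespace, and the error message is written with printf() to stdout, which for a CGI lands in the HTTP response body rather than the web server's error log; that is pre-existing behaviour rather than something this patch introduces, but it makes allocation failures hard to spot from the server side.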
+@@ -220,7 +221,12 @@
+ 	paircount = 0;
+ 	nvpair = strtok(cgiinput, "&");
+ 	while(nvpair) {
+-		pairlist[paircount++] = strdup(nvpair);
++		pairlist[paircount] = strdup(nvpair);
++		if( NULL == pairlist[paircount]) {
++			printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
++			exit(1);
++			}
++		paircount++;
+ 		if(!(paircount % 256)) {
+ 			pairlist = (char **)realloc(pairlist, (paircount + 256) * sizeof(char **));
+ 			if(pairlist == NULL) {
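Review bot: checking the strdup() result before paircount is incremented is correct and matches the pattern used elsewhere in this patch, but the unchanged realloc() context lines just below deserve a look too: `pairlist = (char **)realloc(pairlist, (paircount + 256) * sizeof(char **));` overwrites the only pointer to the old block, so on failure the original list leaks. That is harmless as long as the failure branch exits like the other allocation-failure paths in this file (its body is cut off by the hunk context), but `sizeof(char **)` should really be `sizeof(char *)` or `sizeof(*pairlist)`, since the array holds `char *` elements; the sizes coincide on every platform Nagios runs on, so this is a readability nit rather than a bug.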
+@@ -245,13 +251,29 @@
+ 		/* get the variable name preceding the equal (=) sign */
+ 		if((eqpos = strchr(pairlist[i], '=')) != NULL) {
+ 			*eqpos = '\0';
+-			unescape_cgi_input(cgivars[i * 2 + 1] = strdup(eqpos + 1));
++			cgivars[i * 2 + 1] = strdup(eqpos + 1);
++			if( NULL == cgivars[ i * 2 + 1]) {
++				printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
++				exit(1);
++				}
++			unescape_cgi_input(cgivars[i * 2 + 1]);
++			}
++		else {
++			cgivars[i * 2 + 1] = strdup("");
++			if( NULL == cgivars[ i * 2 + 1]) {
++				printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
++				exit(1);
++				}
++			unescape_cgi_input(cgivars[i * 2 + 1]);
+ 			}
+-		else
+-			unescape_cgi_input(cgivars[i * 2 + 1] = strdup(""));
+ 
+ 		/* get the variable value (or name/value of there was no real "pair" in the first place) */
+-		unescape_cgi_input(cgivars[i * 2] = strdup(pairlist[i]));
++		cgivars[i * 2] = strdup(pairlist[i]);
++		if( NULL == cgivars[ i * 2]) {
++			printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
++			exit(1);
++			}
++		unescape_cgi_input(cgivars[i * 2]);
+ 		}
+ 
+ 	/* terminate the name-value list */
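Review bot: the message added for the empty-value case, "Could not allocate memory for empty stringfor variable value", is missing a space and should read "empty string for". Structurally, both branches of the if/else now end with the identical `unescape_cgi_input(cgivars[i * 2 + 1]);` call, so it could be hoisted out after the else block, which would also mirror how the variable name is handled just below (strdup, NULL check, then unescape). Behaviour is otherwise right: every strdup() result is now checked before it reaches unescape_cgi_input(), where the original one-liners dereferenced an unchecked pointer.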
+--- cgi/history.c.orig	2011-08-17 17:06:27.000000000 +0930
++++ cgi/history.c	2013-01-11 17:03:18.000000000 +1030
+@@ -805,16 +805,22 @@
+ 			else if(display_type == DISPLAY_HOSTS) {
+ 
+ 				if(history_type == HOST_HISTORY || history_type == SERVICE_HISTORY) {
+-					sprintf(match1, " HOST ALERT: %s;", host_name);
+-					sprintf(match2, " SERVICE ALERT: %s;", host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE ALERT: %s;", host_name);
+ 					}
+ 				else if(history_type == HOST_FLAPPING_HISTORY || history_type == SERVICE_FLAPPING_HISTORY) {
+-					sprintf(match1, " HOST FLAPPING ALERT: %s;", host_name);
+-					sprintf(match2, " SERVICE FLAPPING ALERT: %s;", host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST FLAPPING ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE FLAPPING ALERT: %s;", host_name);
+ 					}
+ 				else if(history_type == HOST_DOWNTIME_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY) {
+-					sprintf(match1, " HOST DOWNTIME ALERT: %s;", host_name);
+-					sprintf(match2, " SERVICE DOWNTIME ALERT: %s;", host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST DOWNTIME ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE DOWNTIME ALERT: %s;", host_name);
+ 					}
+ 
+ 				if(show_all_hosts == TRUE)
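Review bot: this hunk is the core of the CVE-2012-6096 fix: the six sprintf() calls that formatted the CGI-supplied host_name into the fixed-size match1/match2 buffers are replaced with snprintf() bounded by sizeof(match1)/sizeof(match2). That bound is only correct if match1 and match2 are declared as arrays in the enclosing scope and not as pointers; the declarations lie outside this hunk's context, so the committer should confirm them against cgi/history.c before relying on the bound. Also note that snprintf() truncates silently, so an over-long host_name yields a shorter match pattern rather than an error; since the pattern is only used for display filtering via strstr(), that is acceptable, but an explicit length check on host_name would state the intent more clearly. The wrapped `snprintf(match1, sizeof( match1), ` lines have trailing whitespace after the comma.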
+@@ -853,11 +859,11 @@
+ 			else if(display_type == DISPLAY_SERVICES) {
+ 
+ 				if(history_type == SERVICE_HISTORY)
+-					sprintf(match1, " SERVICE ALERT: %s;%s;", host_name, svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
+ 				else if(history_type == SERVICE_FLAPPING_HISTORY)
+-					sprintf(match1, " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
+ 				else if(history_type == SERVICE_DOWNTIME_HISTORY)
+-					sprintf(match1, " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
+ 
+ 				if(strstr(temp_buffer, match1) && (history_type == SERVICE_HISTORY || history_type == SERVICE_FLAPPING_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY))
+ 					display_line = TRUE;
\ No newline at end of file
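Review bot: the same snprintf() bound is applied here to the service-level patterns, so the same check on the match1 declaration covers this hunk as well. Two nits: these three calls are left on one line while the equivalent calls in the previous hunk were wrapped, so formatting is inconsistent within a single patch file; and the "\ No newline at end of file" marker shows files/patch-CVE-2012-6096 was committed without a trailing newline, which patch(1) tolerates but which is worth fixing for consistency with other files/patch-* entries in the ports tree.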
Comment 6 Ruslan Makhmatkhanov freebsd_committer 2013-01-11 07:43:37 UTC
State Changed
From-To: feedback->closed

Committed, thank you!