From f38128c1e7f198d6033638a94dd7a4090b879a63 Mon Sep 17 00:00:00 2001
From: obache
Date: Tue, 15 Apr 2014 10:16:47 +0000
Subject: Apply patch for CVE-2014-1878, taken from icinga. Bump PKGREVISION.
---
 net/nagios-base/Makefile | 3 ++-
 net/nagios-base/distinfo | 4 ++--
 net/nagios-base/patches/patch-cgi_cmd.c | 24 +++++++++++++++++++++---
 3 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/net/nagios-base/Makefile b/net/nagios-base/Makefile
index 932fe49d69c..63bde03ccb4 100644
--- a/net/nagios-base/Makefile
+++ b/net/nagios-base/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.53 2014/04/02 10:37:21 he Exp $
+# $NetBSD: Makefile,v 1.54 2014/04/15 10:16:47 obache Exp $
 #
 DISTNAME= nagios-3.5.1
 PKGNAME= ${DISTNAME:S/-/-base-/}
+PKGREVISION= 1
 CATEGORIES= net sysutils
 DISTFILES= ${DISTNAME}${EXTRACT_SUFX}
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=nagios/}
diff --git a/net/nagios-base/distinfo b/net/nagios-base/distinfo
index 1dac731465d..b038f60874e 100644
--- a/net/nagios-base/distinfo
+++ b/net/nagios-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2014/04/02 10:37:21 he Exp $
+$NetBSD: distinfo,v 1.21 2014/04/15 10:16:47 obache Exp $
 SHA1 (nagios-3.5.1.tar.gz) = 486fd6c75db47000b96d6eebb1654c30d5e9bc72
 RMD160 (nagios-3.5.1.tar.gz) = 0ce5693a745f617c9fbf627f18af27b793de884d
@@ -10,7 +10,7 @@ SHA1 (patch-Makefile.in) = 6a02bb8a9e4f10ddf19458c8485ccda813057637
 SHA1 (patch-base_Makefile.in) = 4c56192ec7d4df0b162f1fe09018902a970dd5c7
 SHA1 (patch-cgi_Makefile.in) = d8e6bb1ca4039e1f613caae8537666738f61ce08
 SHA1 (patch-cgi_avail.c) = 1ca4bbc28496ba1a4f4034284d003b8bfaed5a82
-SHA1 (patch-cgi_cmd.c) = a62e800e500ded9f32441649a0474d644e837d9b
+SHA1 (patch-cgi_cmd.c) = 69b34e73dc54f99335626058e53d4e1f65313f72
 SHA1 (patch-cgi_config.c) = 9eb7887ee774e312f9254e9db38a04e41614d5e8
 SHA1 (patch-cgi_extinfo.c) = 27fada8f82a42ff80933ed8bacf6e6263ea7f3c0
 SHA1 (patch-cgi_getcgi.c) = 3aa7223473c7a961645591ee9ad46120cd7231b3
diff --git a/net/nagios-base/patches/patch-cgi_cmd.c b/net/nagios-base/patches/patch-cgi_cmd.c
index fe9d04401e7..712677fd79e 100644
--- a/net/nagios-base/patches/patch-cgi_cmd.c
+++ b/net/nagios-base/patches/patch-cgi_cmd.c
@@ -1,8 +1,9 @@
-$NetBSD: patch-cgi_cmd.c,v 1.1 2014/04/02 10:22:37 he Exp $
+$NetBSD: patch-cgi_cmd.c,v 1.2 2014/04/15 10:16:47 obache Exp $
-Fix off-by-one vulnerabilities, ref. http://secunia.com/advisories/55976/
+* Fix off-by-one vulnerabilities, ref. http://secunia.com/advisories/55976/
+* Fix CVE-2014-1878
---- cgi/cmd.c.orig 2013-03-09 21:46:35.000000000 +0000
+--- cgi/cmd.c.orig 2013-08-30 17:46:14.000000000 +0000
 +++ cgi/cmd.c
 @@ -321,7 +321,6 @@ int process_cgivars(void) {
@@ -12,3 +13,20 @@ Fix off-by-one vulnerabilities, ref. http://secunia.com/advisories/55976/
 continue;
 }
+@@ -1923,14 +1922,14 @@ static int cmd_submitf(int id, const cha
+ return ERROR;
+
+ len = snprintf(cmd, sizeof(cmd) - 1, "[%lu] %s;", time(NULL), command);
+- if(len < 0)
++ if(len < 0 || len >= sizeof(cmd))
+ return ERROR;
+
+ if(fmt) {
+ va_start(ap, fmt);
+ len2 = vsnprintf(&cmd[len], sizeof(cmd) - len - 1, fmt, ap);
+ va_end(ap);
+- if(len2 < 0)
++ if(len2 < 0 || len2 >= sizeof(cmd) - len)
+ return ERROR;
+ }
+
-- cgit v1.2.3
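Review bot: The two added length checks in cmd_submitf do not match the sizes actually passed to snprintf() and vsnprintf(), so output truncated by exactly one character is still accepted. snprintf() is given `sizeof(cmd) - 1` and truncates whenever `len >= sizeof(cmd) - 1`, but the new test rejects only `len >= sizeof(cmd)`; likewise vsnprintf() is given `sizeof(cmd) - len - 1` while the test rejects only `len2 >= sizeof(cmd) - len`. In the first boundary case `&cmd[len]` points one byte past the terminating NUL that snprintf() wrote, so `len` no longer equals the string length for whatever follows (cmd_submitf starts and ends outside this hunk, so the later use is not visible here). Suggested: `if(len < 0 || (size_t)len >= sizeof(cmd) - 1)` and `if(len2 < 0 || (size_t)len2 >= sizeof(cmd) - len - 1)`; the casts also make the signed/unsigned comparison explicit, assuming len and len2 are declared int.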