On Sun, Jan 20, 2013 at 08:49:26PM +0100, Moritz Mühlenhoff wrote:
> On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
> > Control: found -1 3.2.1-2
> >
> > On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> > >Package: nagios3
> > >Severity: grave
> > >Tags: security
> > >Justification: user security hole
> > >
> > >This was assigned CVE-2012-6096:
> > >
> > >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > >
> > >Fix:
> > >
> > >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> >
> > I tested against squeeze and reproduced the problem. We use nagios
> > at work so I'm happy to prepare DSA packages if required.
>
> Jonathan, can you prepare packages for stable-security now that we have
> a final patch?
Ok, I now have tested packages for stable-security for nagios3, debdiff
and DSA text attached.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from 8->10. i am well qualified to say it is made from bonghits layered on top of bonghits
diff -u nagios3-3.2.1/debian/changelog nagios3-3.2.1/debian/changelog --- nagios3-3.2.1/debian/changelog +++ nagios3-3.2.1/debian/changelog @@ -1,3 +1,11 @@ +nagios3 (3.2.1-2+squeeze1) squeeze-security; urgency=low + + * Non-maintainer upload. + * Backport 99_security_cve_2012_6096.dpatch for Squeeze, fixes + a buffer overflow crasher (Closes: #697930) CVE-2012-6096 + + -- Jonathan Wiltshire <j...@debian.org> Fri, 01 Feb 2013 18:35:55 +0000 + nagios3 (3.2.1-2) unstable; urgency=low * Fix "Missing conflict with nagios3 v3.0.6-4~lenny2 (/usr/lib/cgi- diff -u nagios3-3.2.1/debian/patches/00list nagios3-3.2.1/debian/patches/00list --- nagios3-3.2.1/debian/patches/00list +++ nagios3-3.2.1/debian/patches/00list @@ -8,0 +9 @@ +99_security_cve_2012_6096.dpatch only in patch2: unchanged: --- nagios3-3.2.1.orig/debian/patches/99_security_cve_2012_6096.dpatch +++ nagios3-3.2.1/debian/patches/99_security_cve_2012_6096.dpatch 
@@ -0,0 +1,128 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 99_securit_cve_2012_6096.dpatch by Alexander Wirt <formo...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix overflows in getcgi.c and history.cgi (CVE 2012-6096) +## DP: Debian Bug #697930 +## DP: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/getcgi.c nagios3-3.2.1/cgi/getcgi.c +--- nagios3-3.2.1~/cgi/getcgi.c 2013-02-01 20:30:08.000000000 +0000 ++++ nagios3-3.2.1/cgi/getcgi.c 2013-02-01 20:31:07.000000000 +0000 +@@ -137,14 +137,15 @@ + /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */ + if(getenv("QUERY_STRING")==NULL){ + cgiinput=(char *)malloc(1); +- if(cgiinput==NULL){ +- printf("getcgivars(): Could not allocate memory for CGI input.\n"); +- exit(1); +- } +- cgiinput[0]='\x0'; ++ if(cgiinput != NULL) ++ cgiinput[0]='\x0'; + } + else + cgiinput=strdup(getenv("QUERY_STRING")); ++ if(cgiinput==NULL){ ++ printf("getcgivars(): Could not allocate memory for CGI input.\n"); ++ exit(1); ++ } + } + + else if(!strcmp(request_method,"POST") || !strcmp(request_method,"PUT")){ +@@ -220,7 +221,12 @@ + paircount=0; + nvpair=strtok(cgiinput,"&"); + while(nvpair){ +- pairlist[paircount++]=strdup(nvpair); ++ pairlist[paircount] = strdup(nvpair); ++ if( NULL == pairlist[paircount]) { ++ printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount); ++ exit(1); ++ } ++ paircount++; + if(!(paircount%256)){ + pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **)); + if(pairlist==NULL){ +@@ -245,13 +251,29 @@ + /* get the variable name preceding the equal (=) sign */ + if((eqpos=strchr(pairlist[i],'='))!=NULL){ + *eqpos='\0'; +- unescape_cgi_input(cgivars[i*2+1]=strdup(eqpos+1)); ++ cgivars[i * 2 + 1] = 
strdup(eqpos + 1); ++ if( NULL == cgivars[ i * 2 + 1]) { ++ printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i); ++ exit(1); ++ } ++ unescape_cgi_input(cgivars[i * 2 + 1]); ++ } ++ else { ++ cgivars[i * 2 + 1] = strdup(""); ++ if( NULL == cgivars[ i * 2 + 1]) { ++ printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i); ++ exit(1); ++ } ++ unescape_cgi_input(cgivars[i * 2 + 1]); + } +- else +- unescape_cgi_input(cgivars[i*2+1]=strdup("")); + + /* get the variable value (or name/value of there was no real "pair" in the first place) */ +- unescape_cgi_input(cgivars[i*2]=strdup(pairlist[i])); ++ cgivars[i * 2] = strdup(pairlist[i]); ++ if( NULL == cgivars[ i * 2]) { ++ printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i); ++ exit(1); ++ } ++ unescape_cgi_input(cgivars[i * 2]); + } + + /* terminate the name-value list */ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/history.c nagios3-3.2.1/cgi/history.c +--- nagios3-3.2.1~/cgi/history.c 2013-02-01 20:30:08.000000000 +0000 ++++ nagios3-3.2.1/cgi/history.c 2013-02-01 20:31:07.000000000 +0000 +@@ -805,16 +805,22 @@ + else if(display_type==DISPLAY_HOSTS){ + + if(history_type==HOST_HISTORY || history_type==SERVICE_HISTORY){ +- sprintf(match1," HOST ALERT: %s;",host_name); +- sprintf(match2," SERVICE ALERT: %s;",host_name); ++ snprintf(match1, sizeof( match1), ++ " HOST ALERT: %s;", host_name); ++ snprintf(match2, sizeof( match2), ++ " SERVICE ALERT: %s;", host_name); + } + else if(history_type==HOST_FLAPPING_HISTORY || history_type==SERVICE_FLAPPING_HISTORY){ +- sprintf(match1," HOST FLAPPING ALERT: %s;",host_name); +- sprintf(match2," SERVICE FLAPPING ALERT: %s;",host_name); ++ snprintf(match1, sizeof( match1), ++ " HOST FLAPPING ALERT: %s;", host_name); ++ snprintf(match2, sizeof( match2), ++ " SERVICE FLAPPING ALERT: %s;", host_name); + 
} + else if(history_type==HOST_DOWNTIME_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY){ +- sprintf(match1," HOST DOWNTIME ALERT: %s;",host_name); +- sprintf(match2," SERVICE DOWNTIME ALERT: %s;",host_name); ++ snprintf(match1, sizeof( match1), ++ " HOST DOWNTIME ALERT: %s;", host_name); ++ snprintf(match2, sizeof( match2), ++ " SERVICE DOWNTIME ALERT: %s;", host_name); + } + + if(show_all_hosts==TRUE) +@@ -853,11 +859,11 @@ + else if(display_type==DISPLAY_SERVICES){ + + if(history_type==SERVICE_HISTORY) +- sprintf(match1," SERVICE ALERT: %s;%s;",host_name,svc_description); ++ snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description); + else if(history_type==SERVICE_FLAPPING_HISTORY) +- sprintf(match1," SERVICE FLAPPING ALERT: %s;%s;",host_name,svc_description); ++ snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description); + else if(history_type==SERVICE_DOWNTIME_HISTORY) +- sprintf(match1," SERVICE DOWNTIME ALERT: %s;%s;",host_name,svc_description); ++ snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description); + + if(strstr(temp_buffer,match1) && (history_type==SERVICE_HISTORY || history_type==SERVICE_FLAPPING_HISTORY || history_type==SERVICE_DOWNTIME_HISTORY)) + display_line=TRUE;
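Review bot: the dpatch header line `## 99_securit_cve_2012_6096.dpatch by Alexander Wirt` misspells the patch name; the file added to `00list` and to `debian/patches` in the same debdiff is `99_security_cve_2012_6096.dpatch`, so the header should be corrected to match before upload (cosmetic, but the `##` lines are what people grep for when tracing a backport).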
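Review bot: in the getcgi.c hunk at `@@ -137,14 +137,15 @@`, the relocated `if(cgiinput==NULL)` check now also covers the `cgiinput=strdup(getenv("QUERY_STRING"));` path, which previously had no allocation check at all; that is a separate robustness fix from the CVE and deserves a line in the `## DP:` description so the next backporter knows it is intentional. Because the check follows a brace-less `else`, it sits after both branches and applies to both; wrapping the `else` body in braces would make that reading obvious at a glance.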
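Review bot: in the getcgi.c hunk at `@@ -220,7 +221,12 @@`, the new NULL check on `strdup(nvpair)` is fine, but the unchanged `realloc` in the trailing context still assigns straight to `pairlist` (`pairlist=(char **)realloc(pairlist,(paircount+256)*sizeof(char **));`) and sizes the elements with `sizeof(char **)` although they are `char *`; the sizes coincide on every Debian architecture, but `sizeof(*pairlist)` is what is meant. Since the failure path `exit(1)`s immediately, the original pointer lost on a failed realloc is not a leak that matters here.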
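Review bot: in the getcgi.c hunk at `@@ -245,13 +251,29 @@`, the error message in the new `else` branch reads `"Could not allocate memory for empty stringfor variable value #%d.\n"` (missing space after `string`); it is user-visible output, so worth fixing before upload. Both branches also end with an identical `unescape_cgi_input(cgivars[i * 2 + 1]);`, which could be hoisted out after the if/else; on the `strdup("")` branch it is a no-op anyway.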
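Review bot: in the history.c hunk at `@@ -805,16 +805,22 @@`, the `sprintf` to `snprintf(match1, sizeof( match1), ...)` conversion is the actual CVE-2012-6096 fix, and it is only a real bound if `match1` and `match2` are declared as fixed-size `char` arrays in this function rather than as `char *`; the hunk does not show the declarations, so please confirm that against the squeeze source (with a pointer, `sizeof` would be the pointer width and the bound meaningless). One behavioural caveat worth noting in the changelog: an over-long `host_name` now yields a silently truncated pattern without the trailing `;`, so the later `strstr(temp_buffer, match1)` can match more log lines than intended; that is clearly preferable to the crash, but checking the `snprintf` return value against `sizeof(match1)` and skipping the lookup on truncation would make the behaviour explicit.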
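Review bot: in the history.c hunk at `@@ -853,11 +859,11 @@`, the same `snprintf` conversion applies and carries the same truncation caveat as the host hunk, with `svc_description` now part of the pattern as well. Stylistically, the host hunk wraps each `snprintf` call over two lines while this one keeps them on one; picking a single form keeps the backport readable alongside the upstream r2547 change referenced in the `## DP:` header.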
From: Jonathan Wiltshire <j...@debian.org>
To: debian-security-annou...@lists.debian.org
Subject: [DSA 2616-1] nagios3 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2616-1                   secur...@debian.org
http://www.debian.org/security/                        Jonathan Wiltshire
February 01, 2013                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nagios3
Vulnerability  : buffer overflow in CGI scripts
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-6096
Debian Bug     : 697930

A buffer overflow problem has been found in nagios3, a host/service/network
monitoring and management system. A malicious client could craft a request
to history.cgi and cause application crashes.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.1-2+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.4.1-3.

We recommend that you upgrade your nagios3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org