author | Natanael Copa <ncopa@alpinelinux.org> | 2013-04-12 09:56:31 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-04-12 09:56:31 +0000 |
commit | 6c450cd99f50bc642856c90bc1eb74c65b534e36 (patch) | |
tree | 106ba4d188ba6eb5947411eb33b1f204ce7e4f17 | |
parent | 439d36cfdd6ea8973f92ef61838fcfe55d82a897 (diff) | |
download | aports-6c450cd99f50bc642856c90bc1eb74c65b534e36.tar.bz2 aports-6c450cd99f50bc642856c90bc1eb74c65b534e36.tar.xz |
main/smokeping: security fix (CVE-2012-0790)
fixes #1713
-rw-r--r-- | main/smokeping/APKBUILD | 14 | ||||
-rw-r--r-- | main/smokeping/CVE-2012-0790.patch | 94 |
2 files changed, 105 insertions, 3 deletions
diff --git a/main/smokeping/APKBUILD b/main/smokeping/APKBUILD
index 827da56bf9..fdd63c97bc 100644
--- a/main/smokeping/APKBUILD
+++ b/main/smokeping/APKBUILD
@@ -2,14 +2,16 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=smokeping
 pkgver=2.4.2
-pkgrel=2
+pkgrel=3
 pkgdesc="Smokeping network latency monitoring"
 pkgusers="smokeping"
 pkggroups="smokeping"
 install="$pkgname.pre-install"
 url="http://oss.oetiker.ch/smokeping/"
 source="http://oss.oetiker.ch/smokeping/pub/smokeping-$pkgver.tar.gz
- smokeping.initd"
+ smokeping.initd
+ CVE-2012-0790.patch
+ "
 depends="perl fping rrdtool perl-rrd perl-uri-escape perl-digest-hmac
@@ -26,6 +28,11 @@ _vendorlib=/usr/share/perl5/vendor_perl
 prepare() {
 cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
 # provided by perl-digest-hmac
 rm -rf lib/Digest
 # provided by perl-cgi-session
@@ -109,4 +116,5 @@ package() {
 }
 md5sums="eb8e7679fcad35e59d7c51f2328250a2 smokeping-2.4.2.tar.gz
-550979e008f49299bf404aceeb81fe61 smokeping.initd"
+550979e008f49299bf404aceeb81fe61 smokeping.initd
+80aa1a15ae94034520336a2c1605ca51 CVE-2012-0790.patch"
diff --git a/main/smokeping/CVE-2012-0790.patch b/main/smokeping/CVE-2012-0790.patch
new file mode 100644
index 0000000000..dd5f9f8129
--- /dev/null
+++ b/main/smokeping/CVE-2012-0790.patch
@@ -0,0 +1,94 @@
+diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
+index 2b680a7..670673c 100644
+--- a/lib/Smokeping.pm
++++ b/lib/Smokeping.pm
+@@ -26,6 +26,8 @@ setlogsock('unix')
+ # make sure we do not end up with , in odd places where one would expect a '.'
+ # we set the environment variable so that our 'kids' get the benefit too
+ 
++my $xssBadRx = qr/[<>%&'";]/;
++
+ $ENV{LC_NUMERIC}='C';
+ if (POSIX::setlocale(&POSIX::LC_NUMERIC,"") ne "C") {
+ die("Resetting LC_NUMERIC failed - try removing LC_ALL from the environment");
+@@ -138,8 +140,10 @@ sub cgiurl {
+ sub hierarchy ($){
+ my $q = shift;
+ my $hierarchy = '';
++ my $h = $q->param('hierarchy');
+ if ($q->param('hierarchy')){
+- $hierarchy = 'hierarchy='.$q->param('hierarchy').';';
++ $h =~ s/$xssBadRx/_/g;
++ $hierarchy = 'hierarchy='.$h.';';
+ };
+ return $hierarchy;
+ }
+@@ -180,6 +184,7 @@ sub update_dynaddr ($$){
+ my $address = $ENV{REMOTE_ADDR};
+ my $targetptr = $cfg->{Targets};
+ foreach my $step (@target){
++ $step =~ s/$xssBadRx/_/g;
+ return "Error: Unknown target $step"
+ unless defined $targetptr->{$step};
+ $targetptr = $targetptr->{$step};
+@@ -976,8 +981,9 @@ sub smokecol ($) {
+ 
+ sub parse_datetime($){
+ my $in = shift;
+- for ($in){
+- /^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; return $value};
++ for ($in){
++ $in =~ s/$xssBadRx/_/g;
++ /^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; return $value};
+ /^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/ &&
+ return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1);
+ /^now$/ && return time;
+@@ -1000,7 +1006,7 @@ sub get_detail ($$$$;$){
+ my $tree = shift;
+ my $open = shift;
+ my $mode = shift || $q->param('displaymode') || 's';
+-
++ $mode =~ s/$xssBadRx/_/g;
+ my $phys_tree = $tree;
+ my $phys_open = $open;
+ if ($tree->{__tree_link}){
+@@ -1398,13 +1404,15 @@ sub get_detail ($$$$;$){
+ } elsif ($mode eq 's') { # classic mode
+ $startstr =~ s/\s/%20/g;
+ $endstr =~ s/\s/%20/g;
++ my $t = $q->param('target');
++ $t =~ s/$xssBadRx/_/g;
+ for my $slave (@slaves){
+ my $s = $slave ? "~$slave" : "";
+ $page .= "<div>";
+ # $page .= (time-$timer_start)."<br/>";
+ # $page .= join " ",map {"'$_'"} @task;
+ $page .= "<br/>";
+- $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$q->param('target').$s.'">'
++ $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$t.$s.'">'
+ . qq{<IMG BORDER="0" SRC="${imghref}${s}_${end}_${start}.png">}."</a>" ); #"
+ $page .= "</div>";
+ }
+@@ -1548,8 +1556,10 @@ sub display_webpage($$){
+ my $cfg = shift;
+ my $q = shift;
+ my $targ = '';
+- if ( $q->param('target') and $q->param('target') !~ /\.\./ and $q->param('target') =~ /(\S+)/){
++ my $t = $q->param('target');
++ if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){
+ $targ = $1;
++ $targ =~ s/$xssBadRx/_/g;
+ }
+ my ($path,$slave) = split(/~/,$targ);
+ if ($slave and $slave =~ /(\S+)/){
+@@ -1558,8 +1568,9 @@ sub display_webpage($$){
+ $slave = $1;
+ }
+ my $hierarchy = $q->param('hierarchy');
++ $hierarchy =~ s/$xssBadRx/_/g;
+ die "ERROR: unknown hierarchy $hierarchy\n"
+- if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};
++ if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};
+ my $open = [ (split /\./,$path||'') ];
+ my $open_orig = [@$open];
+ $open_orig->[-1] .= '~'.$slave if $slave; |
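Review bot: The fix scrubs a denylist of characters (`qr/[<>%&'";]/`) out of the request parameters instead of encoding them where they are interpolated, so the `href` built in the `$mode eq 's'` branch of get_detail still concatenates `$t`, `$s`, `$startstr` and the output of hierarchy($q) raw into an attribute; anything outside that class (a backtick, parentheses, `=`, non-ASCII) passes through untouched, and stripping `%` also mangles legitimately percent-encoded target or hierarchy names. The package already depends on perl-uri-escape, so if URI::Escape is imported in Smokeping.pm the more robust change is to encode at the sink and keep the scrub only as defence in depth: in hierarchy() `$hierarchy = 'hierarchy='.uri_escape($h).';';` and in get_detail `."target=".uri_escape($t.$s).'">'`. Whether `$startstr`/`$endstr` are the raw start/end parameters or the parse_datetime result is not visible here; if the former, they reach the same attribute with only whitespace rewritten and need the same treatment. The scrub on `$step` in update_dynaddr mutates the aliased `@target` elements, which looks intended since the loop only uses `$step` as a hash key afterwards. Every modified sub starts and ends outside the hunk.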