main/nagios: security fix for CVE-2013-7108, CVE-2013-7205

fixes #2619

(cherry picked from commit 0fc285b2ea702c82941928cdfa4e521addba1705)

Conflicts:

	main/nagios/APKBUILD

2 files changed, 205 insertions, 2 deletions

diff --git a/main/nagios/APKBUILD b/main/nagios/APKBUILD
index f4d77062f4..e57344a0da 100644
--- a/main/nagios/APKBUILD
+++ b/main/nagios/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=nagios
 pkgver=3.4.4
-pkgrel=0
+pkgrel=1
 pkgdesc="Popular monitoring tool"
 url="http://www.nagios.org/"
 arch="all"
@@ -14,6 +14,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
 	nagios.confd
 	nagios.initd
 	lighttpd-nagios.conf
+	CVE-2013-7108-CVE-2013-7205.patch
 	"
 subpackages="${pkgname}-web"
 pkgusers="nagios"
@@ -30,6 +31,15 @@ prepare() {
 }
 
 
+prepare() {
+	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+}
+
 build() {
 	cd "$_builddir"
 	./configure --prefix=/usr \
@@ -73,4 +83,4 @@ md5sums="e001ce47fa5b20985d14d539715ba13b  nagios-3.4.4.tar.gz
 431dfe7403323e247a88b97beade5d78  nagios.confd
 2ead8695b32222abe922692664aa9de1  nagios.initd
 d63c36f47d26f1f71ae2faf272eec640  lighttpd-nagios.conf
-507cb7a3143b91d17af7b3013b488d7b  CVE-2012-6096.patch"
+b095b0e14de61a956af41c6969675e35  CVE-2013-7108-CVE-2013-7205.patch"
diff --git a/main/nagios/CVE-2013-7108-CVE-2013-7205.patch b/main/nagios/CVE-2013-7108-CVE-2013-7205.patch
new file mode 100644
index 0000000000..119e80a122
--- /dev/null
+++ b/main/nagios/CVE-2013-7108-CVE-2013-7205.patch
@@ -0,0 +1,193 @@
+From d97e03f32741a7d851826b03ed73ff4c9612a866 Mon Sep 17 00:00:00 2001
+From: Eric Stanley <estanley@nagios.com>
+Date: Fri, 20 Dec 2013 13:14:30 -0600
+Subject: [PATCH] CGIs: Fixed minor vulnerability where a custom query could
+ crash the CGI.
+
+Most CGIs previously incremented the input variable counter twice when
+it encountered a long key value. This could cause the CGI to read past
+the end of the list of CGI variables. This commit removes the second
+increment, removing the possibility of reading past the end of the list
+of CGI variables.
+---
+ cgi/avail.c         | 1 -
+ cgi/cmd.c           | 1 -
+ cgi/config.c        | 1 -
+ cgi/extinfo.c       | 1 -
+ cgi/histogram.c     | 1 -
+ cgi/notifications.c | 1 -
+ cgi/outages.c       | 1 -
+ cgi/status.c        | 1 -
+ cgi/statusmap.c     | 1 -
+ cgi/statuswml.c     | 7 ++++++-
+ cgi/summary.c       | 1 -
+ cgi/trends.c        | 1 -
+ contrib/daemonchk.c | 1 -
+ 13 files changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/cgi/avail.c b/cgi/avail.c
+index 76afd86..64eaadc 100644
+--- a/cgi/avail.c
++++ b/cgi/avail.c
+@@ -1096,7 +1096,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/cmd.c b/cgi/cmd.c
+index fa6cf5a..50504eb 100644
+--- a/cgi/cmd.c
++++ b/cgi/cmd.c
+@@ -311,7 +311,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/config.c b/cgi/config.c
+index f061b0f..3360e70 100644
+--- a/cgi/config.c
++++ b/cgi/config.c
+@@ -344,7 +344,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/extinfo.c b/cgi/extinfo.c
+index 62a1b18..5113df4 100644
+--- a/cgi/extinfo.c
++++ b/cgi/extinfo.c
+@@ -591,7 +591,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/histogram.c b/cgi/histogram.c
+index 4616541..f6934d0 100644
+--- a/cgi/histogram.c
++++ b/cgi/histogram.c
+@@ -1060,7 +1060,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/notifications.c b/cgi/notifications.c
+index 8ba11c1..461ae84 100644
+--- a/cgi/notifications.c
++++ b/cgi/notifications.c
+@@ -327,7 +327,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/outages.c b/cgi/outages.c
+index 426ede6..cb58dee 100644
+--- a/cgi/outages.c
++++ b/cgi/outages.c
+@@ -225,7 +225,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/status.c b/cgi/status.c
+index 3253340..4ec1c92 100644
+--- a/cgi/status.c
++++ b/cgi/status.c
+@@ -567,7 +567,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/statusmap.c b/cgi/statusmap.c
+index ea48368..2580ae5 100644
+--- a/cgi/statusmap.c
++++ b/cgi/statusmap.c
+@@ -400,7 +400,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/statuswml.c b/cgi/statuswml.c
+index bd8cea2..d25abef 100644
+--- a/cgi/statuswml.c
++++ b/cgi/statuswml.c
+@@ -226,8 +226,13 @@ int process_cgivars(void) {
+ 
+ 	for(x = 0; variables[x] != NULL; x++) {
+ 
++		/* do some basic length checking on the variable identifier to prevent buffer overflows */
++		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
++			continue;
++			}
++
+ 		/* we found the hostgroup argument */
+-		if(!strcmp(variables[x], "hostgroup")) {
++		else if(!strcmp(variables[x], "hostgroup")) {
+ 			display_type = DISPLAY_HOSTGROUP;
+ 			x++;
+ 			if(variables[x] == NULL) {
+diff --git a/cgi/summary.c b/cgi/summary.c
+index 126ce5e..749a02c 100644
+--- a/cgi/summary.c
++++ b/cgi/summary.c
+@@ -725,7 +725,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/cgi/trends.c b/cgi/trends.c
+index b35c18e..895db01 100644
+--- a/cgi/trends.c
++++ b/cgi/trends.c
+@@ -1263,7 +1263,6 @@ int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 
+diff --git a/contrib/daemonchk.c b/contrib/daemonchk.c
+index 78716e5..9bb6c4b 100644
+--- a/contrib/daemonchk.c
++++ b/contrib/daemonchk.c
+@@ -174,7 +174,6 @@ static int process_cgivars(void) {
+ 
+ 		/* do some basic length checking on the variable identifier to prevent buffer overflows */
+ 		if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+-			x++;
+ 			continue;
+ 			}
+ 		}
+-- 
+1.8.4.3
+