From 8ae19acb1269f568cc856f52a50234227872b0bd Mon Sep 17 00:00:00 2001
From: Leonardo Arena <rnalrd@alpinelinux.org>
Date: Wed, 5 Jun 2019 13:39:23 +0000
Subject: main/monit: upgrade to 5.25.2, security fixes

CVE-2019-11454, CVE-2019-11455

Fixes #10493
---
 main/monit/APKBUILD             | 20 +++++++++----
 main/monit/CVE-2019-11454.patch | 26 +++++++++++++++++
 main/monit/CVE-2019-11455.patch | 64 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 5 deletions(-)
 create mode 100644 main/monit/CVE-2019-11454.patch
 create mode 100644 main/monit/CVE-2019-11455.patch

(limited to 'main/monit')

diff --git a/main/monit/APKBUILD b/main/monit/APKBUILD
index 876c633e41..3ee6e93fab 100644
--- a/main/monit/APKBUILD
+++ b/main/monit/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=monit
-pkgver=5.25.1
-pkgrel=1
+pkgver=5.25.2
+pkgrel=0
 pkgdesc="Managing and monitoring on a UNIX system"
 url="http://mmonit.com/monit/"
 arch="all"
@@ -11,9 +11,17 @@ license="AGPL"
 makedepends="libressl-dev zlib-dev"
 subpackages="$pkgname-doc"
 source="http://mmonit.com/monit/dist/monit-$pkgver.tar.gz
-	$pkgname.initd"
+	$pkgname.initd
+	CVE-2019-11454.patch
+	CVE-2019-11455.patch
+	"
 builddir="$srcdir"/$pkgname-$pkgver
 
+# secfixes:
+#   5.25.2-r0:
+#     - CVE-2019-11454
+#     - CVE-2019-11455
+
 check() {
 	cd "$builddir"
 	make check
@@ -48,5 +56,7 @@ package() {
 	chmod 600 "$pkgdir"/etc/monitrc
 }
 
-sha512sums="b21b18302aed602f9371f7dee29f7306dbccd355df333bc6d868acdb6c054cef877dee72e261383938fe1d10121cd07e820e040ea80ed70260fdda8b451f6ab1  monit-5.25.1.tar.gz
-94d67a995c6028d48cb729a60157ab42f2a3c15d59284f1de56c35b44bf83929ba9c42a5cbfe3bb4df0def70465cf3dff0ad6e532b6a02805840dc57785e1cc9  monit.initd"
+sha512sums="e9b6ce60bf82c2564a084fc42b65ef432ee35855cad038fe6ae209047abaa1c54cabb4cd75c8a85c1102844a1b90c3c5f8ddbbd56711665b9bea616bcc02ec86  monit-5.25.2.tar.gz
+94d67a995c6028d48cb729a60157ab42f2a3c15d59284f1de56c35b44bf83929ba9c42a5cbfe3bb4df0def70465cf3dff0ad6e532b6a02805840dc57785e1cc9  monit.initd
+8325384c70e47a7f1da75998c0f86f23578592d43469bdff7823e2be5eb8de75eb2b7234edd1bacbd0d28aa0fdb264aafbf437aceb0c8718d2dbac1c41892a7f  CVE-2019-11454.patch
+86050e4ec84100e15220ef3b4b821f67109b8db3410dc695ce2d1977b9442d2d273e9c44093ba5426dc7465cfc39fc872edc3c2b33c70b82df0b926744056b2e  CVE-2019-11455.patch"
diff --git a/main/monit/CVE-2019-11454.patch b/main/monit/CVE-2019-11454.patch
new file mode 100644
index 0000000000..bae12581a9
--- /dev/null
+++ b/main/monit/CVE-2019-11454.patch
@@ -0,0 +1,26 @@
+From 328f60773057641c4b2075fab9820145e95b728c Mon Sep 17 00:00:00 2001
+From: tildeslash <info@tildeslash.com>
+Date: Mon, 4 Mar 2019 14:13:42 +0100
+Subject: [PATCH] Fixed: HTML escape the log file content when viewed via Monit
+ GUI.
+
+---
+ src/http/cervlet.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/http/cervlet.c b/src/http/cervlet.c
+index 9e3cd9c..afba84b 100644
+--- a/src/http/cervlet.c
++++ b/src/http/cervlet.c
+@@ -907,7 +907,7 @@ static void do_viewlog(HttpRequest req, HttpResponse res) {
+                         StringBuffer_append(res->outputbuffer, "<br><p><form><textarea cols=120 rows=30 readonly>");
+                         while ((n = fread(buf, sizeof(char), sizeof(buf) - 1, f)) > 0) {
+                                 buf[n] = 0;
+-                                StringBuffer_append(res->outputbuffer, "%s", buf);
++                                escapeHTML(res->outputbuffer, buf);
+                         }
+                         fclose(f);
+                         StringBuffer_append(res->outputbuffer, "</textarea></form>");
+-- 
+2.10.5
+
diff --git a/main/monit/CVE-2019-11455.patch b/main/monit/CVE-2019-11455.patch
new file mode 100644
index 0000000000..65d32b2a91
--- /dev/null
+++ b/main/monit/CVE-2019-11455.patch
@@ -0,0 +1,64 @@
+From f12d0cdb42d4e74dffe1525d4062c815c48ac57a Mon Sep 17 00:00:00 2001
+From: tildeslash <info@tildeslash.com>
+Date: Mon, 4 Mar 2019 15:49:08 +0100
+Subject: [PATCH] Fixed: Buffer overrun vulnerability in URL decoding. Thanks
+ to Zack Flack for report.
+
+---
+ src/util.c | 16 +++++++++-------
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 401a9bc..ab1b48d 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -234,7 +234,7 @@ static char *is_str_defined(char *s) {
+ /**
+  * Convert a hex char to a char
+  */
+-static char x2c(char *hex) {
++static char _x2c(char *hex) {
+         register char digit;
+         digit = ((hex[0] >= 'A') ? ((hex[0] & 0xdf) - 'A')+10 : (hex[0] - '0'));
+         digit *= 16;
+@@ -525,7 +525,7 @@ void Util_handleEscapes(char *buf) {
+                                                          */
+                                                         *(buf + insertpos) = *(buf+editpos);
+                                                 } else {
+-                                                        *(buf + insertpos) = x2c(&buf[editpos + 3]);
++                                                        *(buf + insertpos) = _x2c(&buf[editpos + 3]);
+                                                         editpos += 4;
+                                                 }
+                                         }
+@@ -561,7 +561,7 @@ int Util_handle0Escapes(char *buf) {
+                         switch (*(buf + editpos + 1)) {
+                                 case '0':
+                                         if (*(buf + editpos + 2) == 'x') {
+-                                                *(buf + insertpos) = x2c(&buf[editpos+3]);
++                                                *(buf + insertpos) = _x2c(&buf[editpos+3]);
+                                                 editpos += 4;
+                                         }
+                                         break;
+@@ -1551,13 +1551,15 @@ char *Util_urlDecode(char *url) {
+         if (url && *url) {
+                 register int x, y;
+                 for (x = 0, y = 0; url[y]; x++, y++) {
+-                        if ((url[x] = url[y]) == '+')
++                        if (url[y] == '+') {
+                                 url[x] = ' ';
+-                        else if (url[x] == '%') {
+-                                if (! (url[x + 1] && url[x + 2]))
++                        } else if (url[y] == '%') {
++                                if (! url[y + 1] || ! url[y + 2])
+                                         break;
+-                                url[x] = x2c(url + y + 1);
++                                url[x] = _x2c(url + y + 1);
+                                 y += 2;
++                        } else {
++                                url[x] = url[y];
+                         }
+                 }
+                 url[x] = 0;
+-- 
+2.10.5
+
-- 
cgit v1.2.3