From 7c1fe99804b062926b1825e4307dd737537412c3 Mon Sep 17 00:00:00 2001 From: Leonardo Arena Date: Wed, 18 Jun 2014 09:54:14 +0000 Subject: main/nagios: security fix (CVE-2014-1878). Fixes #2946 --- main/nagios/APKBUILD | 12 ++++++++---- main/nagios/CVE-2014-1878.patch | 19 +++++++++++++++++++ 2 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 main/nagios/CVE-2014-1878.patch (limited to 'main/nagios') diff --git a/main/nagios/APKBUILD b/main/nagios/APKBUILD index 5686299a89..db0cb3f766 100644 --- a/main/nagios/APKBUILD +++ b/main/nagios/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter pkgname=nagios pkgver=3.5.0 -pkgrel=1 +pkgrel=2 pkgdesc="Popular monitoring tool" url="http://www.nagios.org/" arch="all" @@ -15,6 +15,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz nagios.initd lighttpd-nagios.conf CVE-2013-7108-CVE-2013-7205.patch + CVE-2014-1878.patch " subpackages="${pkgname}-web" pkgusers="nagios" @@ -74,14 +75,17 @@ md5sums="aeef195d2033cc362bf6cb972bcc8f07 nagios-3.5.0.tar.gz 431dfe7403323e247a88b97beade5d78 nagios.confd 2ead8695b32222abe922692664aa9de1 nagios.initd d63c36f47d26f1f71ae2faf272eec640 lighttpd-nagios.conf -b095b0e14de61a956af41c6969675e35 CVE-2013-7108-CVE-2013-7205.patch" +b095b0e14de61a956af41c6969675e35 CVE-2013-7108-CVE-2013-7205.patch +5909307e0cd4ea7e7ac172f9ce888c7c CVE-2014-1878.patch" sha256sums="469381b2954392689c85d3db733e8da4bd43b806b3d661d1a7fbd52dacc084db nagios-3.5.0.tar.gz cfd075243bfca803f4aa254022a0a40cd4180fb4d433e16333b74e7bcef8cf0b nagios.confd e287556e9c73faf60f988a75866119596352e4fb8fe132a887f45f2930a6ae46 nagios.initd dba2583022f8d0e6c9457d3cb333f3ce872b9f1c11075bc69fccdf1bbb0e6083 lighttpd-nagios.conf -5c7d1bd5d64a3a4ac9e27e97063462e00b4c60478279f97abe2390f91ebc1ce3 CVE-2013-7108-CVE-2013-7205.patch" +5c7d1bd5d64a3a4ac9e27e97063462e00b4c60478279f97abe2390f91ebc1ce3 CVE-2013-7108-CVE-2013-7205.patch +44be9962ba771d26cbc4aecef0eafc7c56f00b08f032051b5b8cc583f40fe609 CVE-2014-1878.patch" sha512sums="80f79b85b286dcd4153bff134fd7b88a46ef130a39c17e2263c7e3614a507be0e630e62032f31500c18c920c856e2f4f4e4ebd4c94bb3024b203a9bb744584b4 nagios-3.5.0.tar.gz 8575902dcb7252f195847f9997b424c1ef9bee7dfacdd124c922fc119f583923c34847ce77c505783662d91f7290b1a85dc5e382ac50d177406bfb3876d4e40a nagios.confd 2b7c9677e15b1e33a56b6d65ce6c489e019ddf2d777c3798a7b3082e61584ca4cd2630cdf177710b38f2780873dd0f2333e3e769633e402332043a129137d50b nagios.initd 6f1448db1964e378dbc7460a6d321638f4d0f7a08bc078824edca12fb6653fb0200b3be365fa519e7b2ff566802701878975bb97e65d65dc54d3da34dae21588 lighttpd-nagios.conf -189b62e9d351dd85ec40f5a3b93e9e28c5aaf6a21c8d1682c63114d2d6d13a6d13962a1ac68250aea3f6b0f51e85ab4eb79b6d6eb9e473a5c49971b520e7fd86 CVE-2013-7108-CVE-2013-7205.patch" +189b62e9d351dd85ec40f5a3b93e9e28c5aaf6a21c8d1682c63114d2d6d13a6d13962a1ac68250aea3f6b0f51e85ab4eb79b6d6eb9e473a5c49971b520e7fd86 CVE-2013-7108-CVE-2013-7205.patch +8e9b0c534beba39d3cf02dd8934ee5e5db078fd77328c4b6a9bea04d67a5b8c5f8d2ce838444df950b59c2bf4891adfa9019f03c144c877a66cda880f2906116 CVE-2014-1878.patch" diff --git a/main/nagios/CVE-2014-1878.patch b/main/nagios/CVE-2014-1878.patch new file mode 100644 index 0000000000..77f3159f7f --- /dev/null +++ b/main/nagios/CVE-2014-1878.patch @@ -0,0 +1,19 @@ +--- a/cgi/cmd.c ++++ b/cgi/cmd.c +@@ -1922,14 +1922,14 @@ + return ERROR; + + len = snprintf(cmd, sizeof(cmd) - 1, "[%lu] %s;", time(NULL), command); +- if(len < 0) ++ if(len < 0 || len >= sizeof(cmd)) + return ERROR; + + if(fmt) { + va_start(ap, fmt); + len2 = vsnprintf(&cmd[len], sizeof(cmd) - len - 1, fmt, ap); + va_end(ap); +- if(len2 < 0) ++ if(len2 < 0 || len2 >= sizeof(cmd) - len) + return ERROR; + } + -- cgit v1.2.3