ports/175196: [maintainer-update] net-mgmt/nagios: CVE-2012-6096 Remote Command Execution Vulnerability
Jarrod Sayers
jarrod at mail.downtools.com.au
Fri Jan 11 07:10:01 UTC 2013
>Number: 175196
>Category: ports
>Synopsis: [maintainer-update] net-mgmt/nagios: CVE-2012-6096 Remote Command Execution Vulnerability
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 11 07:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Jarrod Sayers
>Release: FreeBSD 9.0-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD mail.downtools.com.au 9.0-RELEASE-p5 FreeBSD 9.0-RELEASE-p5 #23: Sat Dec 15 08:56:43 CST 2012 root at burbank.downtools.com.au:/usr/obj/usr/src/sys/BURBANK i386
>Description:
CVE-2012-6096 Remote Command Execution Vulnerability
Apply two manual patches as per revision 2547 from the Nagios source code
repository. Both patches obtained 5:00pm Australian Central Daylight Time
from upstream source [1,2]. Also, bump port revision to 3.4.3_1.
The patch should have the following SHA1 checksum:
SHA1 (net-mgmt-nagios-3.4.3_1.diff) = 86912497401865efdeab6602f6fcf7631c073755
Files modified:
- ports/net-mgmt/nagios/Makefile
Files added:
- ports/net-mgmt/nagios/files/patch-CVE-2012-6096
[1] http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/getcgi.c?view=patch&r1=2547&r2=2546&pathrev=2547
[2] http://nagios.svn.sourceforge.net/viewvc/nagios/nagioscore/trunk/cgi/history.c?view=patch&r1=2547&r2=2546&pathrev=2547
>How-To-Repeat:
>Fix:
Like always, the patch can also be obtained from:
http://www.downtools.com.au/~jarrod/FreeBSD/net-mgmt-nagios-3.4.3_1.diff
--- net-mgmt-nagios-3.4.3_1.diff begins here ---
diff -ruN ports/net-mgmt/nagios.orig/Makefile ports/net-mgmt/nagios/Makefile
--- ports/net-mgmt/nagios.orig/Makefile 2013-01-11 05:42:02.403593000 +1030
+++ ports/net-mgmt/nagios/Makefile 2013-01-11 17:10:30.000000000 +1030
@@ -3,6 +3,7 @@
PORTNAME= nagios
PORTVERSION= 3.4.3
+PORTREVISION= 1
CATEGORIES= net-mgmt
MASTER_SITES= SF/${PORTNAME}/${PORTNAME}-3.x/${PORTNAME}-${PORTVERSION}
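Review bot: no security/vuxml entry accompanies this PORTREVISION bump. Since this is a security fix, a VuXML record for CVE-2012-6096 covering net-mgmt/nagios versions below 3.4.3_1 should be submitted with (or immediately after) this change so that portaudit / pkg audit users are told their installed package is vulnerable. The Makefile change itself is sufficient for the fix to take effect, as the ports framework applies files/patch-* automatically.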
diff -ruN ports/net-mgmt/nagios.orig/files/patch-CVE-2012-6096 ports/net-mgmt/nagios/files/patch-CVE-2012-6096
--- ports/net-mgmt/nagios.orig/files/patch-CVE-2012-6096 1970-01-01 09:30:00.000000000 +0930
+++ ports/net-mgmt/nagios/files/patch-CVE-2012-6096 2013-01-11 17:05:56.000000000 +1030
@@ -0,0 +1,117 @@
+--- cgi/getcgi.c.orig 2011-08-17 17:06:27.000000000 +0930
++++ cgi/getcgi.c 2013-01-11 17:02:53.000000000 +1030
+@@ -137,14 +137,15 @@
+ /* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
+ if(getenv("QUERY_STRING") == NULL) {
+ cgiinput = (char *)malloc(1);
+- if(cgiinput == NULL) {
+- printf("getcgivars(): Could not allocate memory for CGI input.\n");
+- exit(1);
+- }
+- cgiinput[0] = '\x0';
++ if(cgiinput != NULL)
++ cgiinput[0] = '\x0';
+ }
+ else
+ cgiinput = strdup(getenv("QUERY_STRING"));
++ if(cgiinput == NULL) {
++ printf("getcgivars(): Could not allocate memory for CGI input.\n");
++ exit(1);
++ }
+ }
+
+ else if(!strcmp(request_method, "POST") || !strcmp(request_method, "PUT")) {
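Review bot: this hunk is allocation-failure hardening, not the overflow fix for CVE-2012-6096 (that is the sprintf to snprintf change in cgi/history.c further down); the Description lists both upstream diffs under the CVE heading without distinguishing them, so the PR text or commit message should say which file carries the actual fix and that the getcgi.c changes are the accompanying robustness fixes from the same r2547. The restructured logic is correct as written: cgiinput[0] = '\x0' is now only reached when malloc() succeeded, and the single "if(cgiinput == NULL)" check placed after the if/else also covers the strdup() path, which previously had no NULL check at all.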
+@@ -220,7 +221,12 @@
+ paircount = 0;
+ nvpair = strtok(cgiinput, "&");
+ while(nvpair) {
+- pairlist[paircount++] = strdup(nvpair);
++ pairlist[paircount] = strdup(nvpair);
++ if( NULL == pairlist[paircount]) {
++ printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
++ exit(1);
++ }
++ paircount++;
+ if(!(paircount % 256)) {
+ pairlist = (char **)realloc(pairlist, (paircount + 256) * sizeof(char **));
+ if(pairlist == NULL) {
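Review bot: the realloc call in the trailing context, "pairlist = (char **)realloc(pairlist, (paircount + 256) * sizeof(char **));", sizes elements with sizeof(char **) although the element type is char *. The two are the same size on every supported platform, so it is harmless, but since this loop is already being reworked it is worth reporting upstream so it can become sizeof(char *) or sizeof(*pairlist) in the same area rather than diverging in the port's patch. The relocated "paircount++" is right: the NULL check now runs before the index is advanced, so the error message reports the index of the pair that actually failed, and a NULL pointer is no longer stored and later dereferenced.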
+@@ -245,13 +251,29 @@
+ /* get the variable name preceding the equal (=) sign */
+ if((eqpos = strchr(pairlist[i], '=')) != NULL) {
+ *eqpos = '\0';
+- unescape_cgi_input(cgivars[i * 2 + 1] = strdup(eqpos + 1));
++ cgivars[i * 2 + 1] = strdup(eqpos + 1);
++ if( NULL == cgivars[ i * 2 + 1]) {
++ printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
++ exit(1);
++ }
++ unescape_cgi_input(cgivars[i * 2 + 1]);
++ }
++ else {
++ cgivars[i * 2 + 1] = strdup("");
++ if( NULL == cgivars[ i * 2 + 1]) {
++ printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
++ exit(1);
++ }
++ unescape_cgi_input(cgivars[i * 2 + 1]);
+ }
+- else
+- unescape_cgi_input(cgivars[i * 2 + 1] = strdup(""));
+
+ /* get the variable value (or name/value of there was no real "pair" in the first place) */
+- unescape_cgi_input(cgivars[i * 2] = strdup(pairlist[i]));
++ cgivars[i * 2] = strdup(pairlist[i]);
++ if( NULL == cgivars[ i * 2]) {
++ printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
++ exit(1);
++ }
++ unescape_cgi_input(cgivars[i * 2]);
+ }
+
+ /* terminate the name-value list */
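Review bot: the error string added in the new else branch reads "empty stringfor variable value" (missing space); the port is carrying the upstream r2547 diff verbatim, so the typo is best fixed upstream rather than in files/patch-CVE-2012-6096, but it should be noted. Otherwise the hunk does the right thing: splitting each "unescape_cgi_input(cgivars[...] = strdup(...))" into an assignment, a NULL check and then the unescape call means a failed strdup() no longer passes NULL straight into unescape_cgi_input(). Calling unescape_cgi_input() on the strdup("") result is a no-op on an empty string and merely mirrors the removed line, so behaviour is unchanged there.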
+--- cgi/history.c.orig 2011-08-17 17:06:27.000000000 +0930
++++ cgi/history.c 2013-01-11 17:03:18.000000000 +1030
+@@ -805,16 +805,22 @@
+ else if(display_type == DISPLAY_HOSTS) {
+
+ if(history_type == HOST_HISTORY || history_type == SERVICE_HISTORY) {
+- sprintf(match1, " HOST ALERT: %s;", host_name);
+- sprintf(match2, " SERVICE ALERT: %s;", host_name);
++ snprintf(match1, sizeof( match1),
++ " HOST ALERT: %s;", host_name);
++ snprintf(match2, sizeof( match2),
++ " SERVICE ALERT: %s;", host_name);
+ }
+ else if(history_type == HOST_FLAPPING_HISTORY || history_type == SERVICE_FLAPPING_HISTORY) {
+- sprintf(match1, " HOST FLAPPING ALERT: %s;", host_name);
+- sprintf(match2, " SERVICE FLAPPING ALERT: %s;", host_name);
++ snprintf(match1, sizeof( match1),
++ " HOST FLAPPING ALERT: %s;", host_name);
++ snprintf(match2, sizeof( match2),
++ " SERVICE FLAPPING ALERT: %s;", host_name);
+ }
+ else if(history_type == HOST_DOWNTIME_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY) {
+- sprintf(match1, " HOST DOWNTIME ALERT: %s;", host_name);
+- sprintf(match2, " SERVICE DOWNTIME ALERT: %s;", host_name);
++ snprintf(match1, sizeof( match1),
++ " HOST DOWNTIME ALERT: %s;", host_name);
++ snprintf(match2, sizeof( match2),
++ " SERVICE DOWNTIME ALERT: %s;", host_name);
+ }
+
+ if(show_all_hosts == TRUE)
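Review bot: "sizeof( match1)" and "sizeof( match2)" are only a correct bound if match1 and match2 are declared as fixed-size char arrays in this function; the hunk does not show their declarations, so the committer should confirm they are arrays and not char * (where sizeof would yield the pointer size and the bound would be meaningless). Assuming they are arrays, this hunk and the one below are the actual fix for CVE-2012-6096: the unbounded sprintf() of the caller-supplied host_name CGI parameter into a stack buffer becomes a bounded snprintf().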
+@@ -853,11 +859,11 @@
+ else if(display_type == DISPLAY_SERVICES) {
+
+ if(history_type == SERVICE_HISTORY)
+- sprintf(match1, " SERVICE ALERT: %s;%s;", host_name, svc_description);
++ snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
+ else if(history_type == SERVICE_FLAPPING_HISTORY)
+- sprintf(match1, " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
++ snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
+ else if(history_type == SERVICE_DOWNTIME_HISTORY)
+- sprintf(match1, " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
++ snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
+
+ if(strstr(temp_buffer, match1) && (history_type == SERVICE_HISTORY || history_type == SERVICE_FLAPPING_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY))
+ display_line = TRUE;
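Review bot: the snprintf() return value is discarded in both history.c hunks, so an over-long host_name or svc_description is silently truncated rather than rejected. A truncated match1 loses its trailing ';' delimiter, and the "strstr(temp_buffer, match1)" in the trailing context would then match any log line whose host or service name merely begins with the truncated text, so history for a different host or service could be displayed to the requester. Checking that the return value is less than sizeof(match1) and refusing the request otherwise, or validating the parameter length where it is parsed, would close that gap; as with the typo above, this is a point to raise upstream rather than a reason to hold the port's patch, which is still a strict improvement over the overflow.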
--- net-mgmt-nagios-3.4.3_1.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: