* Add a patch from upstream fixing a cgi vulnerability[1]
* Cleanup COMMENT * Rename patches to follow make makepatch naming * Incorporate a sed into already patched files. Poked by: ohauer [1] Security: CVE-2013-7108 CVE-2013-7205
parent
115233d891
commit
121dea5a9c
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=339689
@ -3,12 +3,12 @@
|
||||
|
||||
PORTNAME= nagios
|
||||
PORTVERSION= 3.5.1
|
||||
PORTREVISION= 2
|
||||
PORTREVISION= 3
|
||||
CATEGORIES= net-mgmt
|
||||
MASTER_SITES= SF/${PORTNAME}/${PORTNAME}-3.x/${PORTNAME}-${PORTVERSION}
|
||||
|
||||
MAINTAINER= mat@FreeBSD.org
|
||||
COMMENT= Extremely powerful network monitoring system
|
||||
COMMENT= Powerful network monitoring system
|
||||
|
||||
LICENSE= GPLv2
|
||||
|
||||
@ -98,7 +98,6 @@ post-extract:
|
||||
.include <bsd.port.options.mk>
|
||||
|
||||
post-patch:
|
||||
@${REINPLACE_CMD} -e '/^INSTALL_OPTS=/d;/^COMMAND_OPTS=/d' `${FIND} ${WRKSRC} -name Makefile.in`
|
||||
.if ${PORT_OPTIONS:MUNHANDLED_HACK}
|
||||
@${REINPLACE_CMD} -e 's#;serviceprops=42\&#;serviceprops=10\&#g' \
|
||||
-e 's#;hostprops=42\"#;hostprops=10\"#g' ${WRKSRC}/html/side.php
|
||||
|
@ -1,6 +1,15 @@
|
||||
--- Makefile.in.orig Sun Aug 5 08:43:17 2007
|
||||
+++ Makefile.in Thu Aug 30 18:12:04 2007
|
||||
@@ -185,12 +185,12 @@
|
||||
--- ./Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./Makefile.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -30,8 +30,6 @@
|
||||
LIBEXECDIR=@libexecdir@
|
||||
HTMLDIR=@datadir@
|
||||
INSTALL=@INSTALL@
|
||||
-INSTALL_OPTS=@INSTALL_OPTS@
|
||||
-COMMAND_OPTS=@COMMAND_OPTS@
|
||||
HTTPD_CONF=@HTTPD_CONF@
|
||||
INIT_DIR=@init_dir@
|
||||
INIT_OPTS=-o root -g root
|
||||
@@ -234,12 +232,12 @@
|
||||
$(MAKE) install-basic
|
||||
|
||||
install-basic:
|
||||
@ -15,7 +24,7 @@
|
||||
fi;
|
||||
|
||||
@echo ""
|
||||
@@ -212,19 +212,18 @@
|
||||
@@ -261,19 +259,18 @@
|
||||
|
||||
|
||||
install-config:
|
||||
@ -46,8 +55,8 @@
|
||||
+ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/switch.cfg $(DESTDIR)$(CFGDIR)/objects/switch.cfg-sample
|
||||
|
||||
@echo ""
|
||||
@echo "*** Sample config files installed ***"
|
||||
@@ -254,7 +253,6 @@
|
||||
@echo "*** Config files installed ***"
|
||||
@@ -321,7 +318,6 @@
|
||||
|
||||
install-commandmode:
|
||||
$(INSTALL) -m 775 $(COMMAND_OPTS) -d $(DESTDIR)$(LOGDIR)/rw
|
||||
|
@ -1,6 +1,15 @@
|
||||
--- base/Makefile.in.orig Wed Jan 24 04:58:34 2007
|
||||
+++ base/Makefile.in Fri Jul 20 13:34:45 2007
|
||||
@@ -193,9 +193,9 @@
|
||||
--- ./base/Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./base/Makefile.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -39,8 +39,6 @@
|
||||
CGIDIR=@sbindir@
|
||||
HTMLDIR=@datarootdir@
|
||||
INSTALL=@INSTALL@
|
||||
-INSTALL_OPTS=@INSTALL_OPTS@
|
||||
-COMMAND_OPTS=@COMMAND_OPTS@
|
||||
STRIP=@STRIP@
|
||||
|
||||
CGIURL=@cgiurl@
|
||||
@@ -204,9 +202,9 @@
|
||||
$(MAKE) install-basic
|
||||
|
||||
install-basic:
|
@ -1,6 +1,15 @@
|
||||
--- cgi/Makefile.in.orig Wed Dec 13 02:57:57 2006
|
||||
+++ cgi/Makefile.in Fri Jul 20 13:35:18 2007
|
||||
@@ -190,9 +190,9 @@
|
||||
--- ./cgi/Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./cgi/Makefile.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -18,8 +18,6 @@
|
||||
CGIDIR=@sbindir@
|
||||
HTMLDIR=@datarootdir@
|
||||
INSTALL=@INSTALL@
|
||||
-INSTALL_OPTS=@INSTALL_OPTS@
|
||||
-COMMAND_OPTS=@COMMAND_OPTS@
|
||||
STRIP=@STRIP@
|
||||
|
||||
CGIEXTRAS=@CGIEXTRAS@
|
||||
@@ -201,9 +199,9 @@
|
||||
$(MAKE) install-basic
|
||||
|
||||
install-basic:
|
@ -1,5 +1,5 @@
|
||||
--- configure.in.orig 2010-03-09 19:39:59.000000000 +0100
|
||||
+++ configure.in 2010-04-07 20:18:58.585012048 +0200
|
||||
--- ./configure.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./configure.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -6,7 +6,6 @@
|
||||
|
||||
AC_INIT(base/nagios.c)
|
||||
@ -7,7 +7,7 @@
|
||||
-AC_PREFIX_DEFAULT(/usr/local/nagios)
|
||||
|
||||
PKG_NAME=nagios
|
||||
PKG_VERSION="3.2.1"
|
||||
PKG_VERSION="3.5.1"
|
||||
@@ -125,7 +124,15 @@
|
||||
dnl Test for pthreads support - taken from ICU FreeBSD Port configure script
|
||||
THREADLIBS=""
|
||||
|
@ -1,6 +1,14 @@
|
||||
--- contrib/Makefile.in.orig Tue Nov 15 12:19:36 2005
|
||||
+++ contrib/Makefile.in Wed Dec 28 17:49:25 2005
|
||||
@@ -46,10 +46,10 @@
|
||||
--- ./contrib/Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./contrib/Makefile.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -16,7 +16,6 @@
|
||||
# Generated automatically from configure script
|
||||
SNPRINTF_O=@SNPRINTF_O@
|
||||
INSTALL=@INSTALL@
|
||||
-INSTALL_OPTS=@INSTALL_OPTS@
|
||||
|
||||
|
||||
prefix=@prefix@
|
||||
@@ -51,10 +50,10 @@
|
||||
devclean: distclean
|
||||
|
||||
install:
|
@ -0,0 +1,175 @@
|
||||
commit d97e03f32741a7d851826b03ed73ff4c9612a866
|
||||
Author: Eric Stanley <estanley@nagios.com>
|
||||
Date: 2013-12-20 13:14:30 -0600
|
||||
|
||||
CGIs: Fixed minor vulnerability where a custom query could crash the CGI.
|
||||
|
||||
Most CGIs previously incremented the input variable counter twice when
|
||||
it encountered a long key value. This could cause the CGI to read past
|
||||
the end of the list of CGI variables. This commit removes the second
|
||||
increment, removing the possibility of reading past the end of the list
|
||||
of CGI variables.
|
||||
|
||||
diff --git ./cgi/avail.c ./cgi/avail.c
|
||||
index 76afd86..64eaadc 100644
|
||||
--- ./cgi/avail.c
|
||||
+++ ./cgi/avail.c
|
||||
@@ -1096,7 +1096,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/cmd.c ./cgi/cmd.c
|
||||
index fa6cf5a..50504eb 100644
|
||||
--- ./cgi/cmd.c
|
||||
+++ ./cgi/cmd.c
|
||||
@@ -311,7 +311,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/config.c ./cgi/config.c
|
||||
index f061b0f..3360e70 100644
|
||||
--- ./cgi/config.c
|
||||
+++ ./cgi/config.c
|
||||
@@ -344,7 +344,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/extinfo.c ./cgi/extinfo.c
|
||||
index 62a1b18..5113df4 100644
|
||||
--- ./cgi/extinfo.c
|
||||
+++ ./cgi/extinfo.c
|
||||
@@ -591,7 +591,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/histogram.c ./cgi/histogram.c
|
||||
index 4616541..f6934d0 100644
|
||||
--- ./cgi/histogram.c
|
||||
+++ ./cgi/histogram.c
|
||||
@@ -1060,7 +1060,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/notifications.c ./cgi/notifications.c
|
||||
index 8ba11c1..461ae84 100644
|
||||
--- ./cgi/notifications.c
|
||||
+++ ./cgi/notifications.c
|
||||
@@ -327,7 +327,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/outages.c ./cgi/outages.c
|
||||
index 426ede6..cb58dee 100644
|
||||
--- ./cgi/outages.c
|
||||
+++ ./cgi/outages.c
|
||||
@@ -225,7 +225,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/status.c ./cgi/status.c
|
||||
index 3253340..4ec1c92 100644
|
||||
--- ./cgi/status.c
|
||||
+++ ./cgi/status.c
|
||||
@@ -567,7 +567,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/statusmap.c ./cgi/statusmap.c
|
||||
index ea48368..2580ae5 100644
|
||||
--- ./cgi/statusmap.c
|
||||
+++ ./cgi/statusmap.c
|
||||
@@ -400,7 +400,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/statuswml.c ./cgi/statuswml.c
|
||||
index bd8cea2..d25abef 100644
|
||||
--- ./cgi/statuswml.c
|
||||
+++ ./cgi/statuswml.c
|
||||
@@ -226,8 +226,13 @@ int process_cgivars(void) {
|
||||
|
||||
for(x = 0; variables[x] != NULL; x++) {
|
||||
|
||||
+ /* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
+ if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
/* we found the hostgroup argument */
|
||||
- if(!strcmp(variables[x], "hostgroup")) {
|
||||
+ else if(!strcmp(variables[x], "hostgroup")) {
|
||||
display_type = DISPLAY_HOSTGROUP;
|
||||
x++;
|
||||
if(variables[x] == NULL) {
|
||||
diff --git ./cgi/summary.c ./cgi/summary.c
|
||||
index 126ce5e..749a02c 100644
|
||||
--- ./cgi/summary.c
|
||||
+++ ./cgi/summary.c
|
||||
@@ -725,7 +725,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./cgi/trends.c ./cgi/trends.c
|
||||
index b35c18e..895db01 100644
|
||||
--- ./cgi/trends.c
|
||||
+++ ./cgi/trends.c
|
||||
@@ -1263,7 +1263,6 @@ int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git ./contrib/daemonchk.c ./contrib/daemonchk.c
|
||||
index 78716e5..9bb6c4b 100644
|
||||
--- ./contrib/daemonchk.c
|
||||
+++ ./contrib/daemonchk.c
|
||||
@@ -174,7 +174,6 @@ static int process_cgivars(void) {
|
||||
|
||||
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||||
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||||
- x++;
|
||||
continue;
|
||||
}
|
||||
}
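Review bot: The length guard corrected in each process_cgivars loop keeps only the comment "do some basic length checking on the variable identifier to prevent buffer overflows", which does not say why the branch must not advance x; this applies to every hunk in this patch file, from cgi/avail.c through contrib/daemonchk.c. Per the upstream commit message, the removed `x++` together with the loop's own increment could step over the NULL terminator of variables[], so a comment such as `/* skip over-long entries; do not advance x here - the for loop's x++ must be the only increment before the NULL test */` would help keep the over-read from being reintroduced. The cgi/statuswml.c hunk adds the guard where that file had none, which suggests the thirteen copies of this check drift apart (the rest of each function lies outside the hunks, so this is inferred); a single shared helper for the check would be worth proposing upstream. The `else if` that statuswml.c now places after a branch ending in `continue` is redundant, though it may simply match the layout of the other CGIs.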
|
@ -1,6 +1,15 @@
|
||||
--- html/Makefile.in.orig 2012-02-14 07:10:42.000000000 +1030
|
||||
+++ html/Makefile.in 2012-05-21 21:34:09.000000000 +0930
|
||||
@@ -34,55 +34,55 @@
|
||||
--- ./html/Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./html/Makefile.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -10,8 +10,6 @@
|
||||
CGIDIR=@sbindir@
|
||||
HTMLDIR=@datadir@
|
||||
INSTALL=@INSTALL@
|
||||
-INSTALL_OPTS=@INSTALL_OPTS@
|
||||
-COMMAND_OPTS=@COMMAND_OPTS@
|
||||
|
||||
CP=@CP@
|
||||
|
||||
@@ -34,55 +32,55 @@
|
||||
devclean: distclean
|
||||
|
||||
install:
|
@ -1,6 +1,6 @@
|
||||
--- html/index.php.orig 2013-08-30 21:46:14.000000000 +0400
|
||||
+++ html/index.php 2013-12-27 15:56:06.000000000 +0400
|
||||
@@ -8,6 +8,7 @@
|
||||
--- ./html/index.php.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./html/index.php 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -8,8 +8,9 @@
|
||||
</head>
|
||||
|
||||
<?php
|
@ -1,5 +1,5 @@
|
||||
--- html/main.php.orig 2013-08-30 21:46:14.000000000 +0400
|
||||
+++ html/main.php 2013-09-16 17:35:29.000000000 +0400
|
||||
--- ./html/main.php.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./html/main.php 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -40,36 +40,10 @@
|
||||
<div class="product">Nagios<sup><span style="font-size: small;">®</span></sup> Core<sup><span style="font-size: small;">™</span></sup></div>
|
||||
<div class="version">Version 3.5.1</div>
|
@ -1,5 +1,5 @@
|
||||
--- include/locations.h.in.orig Tue May 1 08:15:57 2007
|
||||
+++ include/locations.h.in Fri Jul 20 15:52:49 2007
|
||||
--- ./include/locations.h.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./include/locations.h.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -20,7 +20,7 @@
|
||||
|
||||
#define DEFAULT_TEMP_FILE "@localstatedir@/tempfile"
|
@ -1,6 +1,6 @@
|
||||
--- sample-config/cgi.cfg.in.orig 2007-10-08 05:12:52.000000000 +0930
|
||||
+++ sample-config/cgi.cfg.in 2008-10-23 10:31:31.000000000 +1030
|
||||
@@ -229,7 +229,7 @@
|
||||
--- ./sample-config/cgi.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./sample-config/cgi.cfg.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -264,7 +264,7 @@
|
||||
# OS and distribution, so you may have to tweak this to
|
||||
# work on your system.
|
||||
|
@ -1,5 +1,5 @@
|
||||
--- sample-config/nagios.cfg.in.orig 2008-11-03 05:21:30.000000000 +1030
|
||||
+++ sample-config/nagios.cfg.in 2008-11-05 15:17:25.000000000 +1030
|
||||
--- ./sample-config/nagios.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./sample-config/nagios.cfg.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -32,7 +32,7 @@
|
||||
cfg_file=@sysconfdir@/objects/timeperiods.cfg
|
||||
cfg_file=@sysconfdir@/objects/templates.cfg
|
@ -1,5 +1,5 @@
|
||||
--- sample-config/template-object/localhost.cfg.in.orig Sun Jun 10 02:13:05 2007
|
||||
+++ sample-config/template-object/localhost.cfg.in Fri Jul 20 13:46:46 2007
|
||||
--- ./sample-config/template-object/localhost.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./sample-config/template-object/localhost.cfg.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -5,7 +5,7 @@
|
||||
#
|
||||
# NOTE: This config file is intended to serve as an *extremely* simple
|
@ -1,5 +1,5 @@
|
||||
--- sample-config/template-object/templates.cfg.in.orig Fri Jul 20 13:46:57 2007
|
||||
+++ sample-config/template-object/templates.cfg.in Fri Jul 20 13:47:52 2007
|
||||
--- ./sample-config/template-object/templates.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200
|
||||
+++ ./sample-config/template-object/templates.cfg.in 2014-01-14 13:57:06.000000000 +0100
|
||||
@@ -63,17 +63,17 @@
|
||||
}
|
||||
|