tags 448372 + patch tags 447639 + patch thanks Hi, the attached patch for an NMU fixes CVE-2007-5623 and the incomplete patch for CVE-2007-5198. It will also be archived at: http://people.debian.org/~nion/nmu-diff/nagios-plugins-1.4.8-2.1_1.4.8-2.2.patch
As the patch for CVE-2007-5198 by Steffen was incomplete, I will upload this as a 0-day NMU to fix the incomplete patch and, by doing this, also fix CVE-2007-5623. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u nagios-plugins-1.4.8/debian/changelog nagios-plugins-1.4.8/debian/changelog
--- nagios-plugins-1.4.8/debian/changelog
+++ nagios-plugins-1.4.8/debian/changelog
@@ -1,3 +1,12 @@
+nagios-plugins (1.4.8-2.2) unstable; urgency=high
+
+ * Non-maintainer upload by testing-security team.
+ * Fix remote DoS which can be triggered by a remote attacker
+ via crafted snmpget replies (CVE-2007-5623) (Closes: #448372).
+ * Modifying CVE-2007-5198 patch since it is incomplete (Closes: #447639).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sun, 28 Oct 2007 16:15:54 +0100
+
nagios-plugins (1.4.8-2.1) unstable; urgency=high
* Non-maintainer upload by the testing-security team
diff -u nagios-plugins-1.4.8/debian/patches/00list nagios-plugins-1.4.8/debian/patches/00list
--- nagios-plugins-1.4.8/debian/patches/00list
+++ nagios-plugins-1.4.8/debian/patches/00list
@@ -11,0 +12 @@
+CVE-2007-5623.dpatch
diff -u nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch
--- nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch
+++ nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch
@@ -5,8 +5,9 @@
## DP: Fixes CVE-2007-5198
@DPATCH@
---- check_http.c.orig 2007-10-06 07:53:29.000000000 +0000
-+++ nagios-plugins-1.4.8/plugins/check_http.c 2007-10-06 08:16:02.000000000 +0000
+diff -urNad nagios-plugins-1.4.8~/plugins/check_http.c nagios-plugins-1.4.8/plugins/check_http.c
+--- nagios-plugins-1.4.8~/plugins/check_http.c 2007-03-06 23:45:57.000000000 +0100
++++ nagios-plugins-1.4.8/plugins/check_http.c 2007-10-28 16:25:01.000000000 +0100
@@ -53,7 +53,8 @@
enum {
MAX_IPV4_HOSTLENGTH = 255,
@@ -56,6 +57,15 @@
char *url;
addr = malloc (MAX_IPV4_HOSTLENGTH + 1);
+@@ -1087,7 +1087,7 @@
+ die (STATE_UNKNOWN, _("Could not allocate url\n"));
+
+ while (pos) {
+- sscanf (pos, "%[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
++ sscanf (pos, "%1[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
+ if (i == 0) {
+ pos += (size_t) strcspn (pos, "\r\n");
+ pos += (size_t) strspn (pos, "\r\n");
@@ -1099,17 +1099,21 @@
}
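Review bot: The `%1[Ll]` width added to the sscanf() call still stores two bytes into `xx` (the matched character plus the terminating NUL), so the fix is complete only if `xx` is declared with at least two elements; the declaration is outside this hunk and should be confirmed. A comment on that line would keep the coupling visible, for example `/* %1[Ll] writes 1 char + NUL: xx must be char[2] or larger */`. The result of sscanf() is also unchecked and a match is detected through `i == 0`; since `%n` is not stored when matching fails, `i` presumably needs to be reset to 0 before each call, which cannot be verified from the lines shown. The enclosing while loop continues past the end of the hunk.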
only in patch2:
unchanged:
--- nagios-plugins-1.4.8.orig/debian/patches/CVE-2007-5623.dpatch
+++ nagios-plugins-1.4.8/debian/patches/CVE-2007-5623.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5623.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad nagios-plugins-1.4.8~/plugins/check_snmp.c nagios-plugins-1.4.8/plugins/check_snmp.c
+--- nagios-plugins-1.4.8~/plugins/check_snmp.c 2007-02-02 10:10:22.000000000 +0100
++++ nagios-plugins-1.4.8/plugins/check_snmp.c 2007-10-28 16:14:48.000000000 +0100
+@@ -217,12 +217,16 @@
+
+ ptr = output;
+
+- strcat(perfstr, "| ");
++ strncat(perfstr, "| ", sizeof(perfstr)-strlen(perfstr)-1);
+ while (ptr) {
+ char *foo;
++ unsigned int copylen;
+
+ foo = strstr (ptr, delimiter);
+- strncat(perfstr, ptr, foo-ptr);
++ copylen = foo-ptr;
++ if (copylen > sizeof(perfstr)-strlen(perfstr)-1)
++ copylen = sizeof(perfstr)-strlen(perfstr)-1;
++ strncat(perfstr, ptr, copylen);
+ ptr = foo;
+
+ if (ptr == NULL)
+@@ -351,11 +355,11 @@
+
+ i++;
+
+- strcat(perfstr, "=");
+- strcat(perfstr, show);
++ strncat(perfstr, "=", sizeof(perfstr)-strlen(perfstr)-1);
++ strncat(perfstr, show, sizeof(perfstr)-strlen(perfstr)-1);
+ if (type)
+- strcat(perfstr, type);
+- strcat(perfstr, " ");
++ strncat(perfstr, type, sizeof(perfstr)-strlen(perfstr)-1);
++ strncat(perfstr, " ", sizeof(perfstr)-strlen(perfstr)-1);
+
+ } /* end while (ptr) */
+
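Review bot: `copylen = foo-ptr;` runs before the `ptr == NULL` test, so on the last field, where strstr() returns NULL, the subtraction is undefined and the clamp that follows operates on an arbitrary value; the copy is still bounded by the clamp, but how much of the final field is appended becomes unpredictable. I would declare `size_t copylen;` and compute `copylen = foo ? (size_t)(foo - ptr) : strlen(ptr);`, which also avoids truncating the pointer difference to `unsigned int` on 64-bit builds. All of the `sizeof(perfstr)-strlen(perfstr)-1` bounds, here and in the second check_snmp.c hunk, assume `perfstr` is an array in this scope rather than a pointer; its declaration is outside the hunks and should be confirmed. Truncation of the performance data is silent, and the dpatch header still reads `## DP: No description.`; a line such as `## DP: Bound all writes to perfstr in check_snmp (CVE-2007-5623)` would record the intent. The while loop begins and ends outside the first hunk.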

