Hello,
On 2013-07-03 13:55, Alexander Wirt wrote:
Jonas Meurer wrote on Wednesday, 03 July 2013:
On 2013-06-27 07:51, [email protected] wrote:
>Source: nagios3
>Source-Version: 3.4.1-4
>
>We believe that the bug you reported is fixed in the latest version of
>nagios3, which is due to be installed in the Debian FTP archive.
Thanks for fixing. Do you intend to backport that fix for squeeze
and wheezy? I would recommend to do so. If you like, I can prepare a
debdiff for both.
I am currently very short on time, so yes: that would be appreciated.
I just prepared packages for squeeze-security (3.2.1-2+squeeze2 just
fixing #714171) and wheezy-security (3.4.1-3+wheezy1, fixing #714171 and
#710356).
Debdiffs are attached. Full package sources and binaries for amd64 can
be found at http://people.freesources.org/~mejo/nagios3/
I'll happily upload as soon as I've the ok from security team.
Kind regards,
jonas
diff -u nagios3-3.2.1/debian/changelog nagios3-3.2.1/debian/changelog
--- nagios3-3.2.1/debian/changelog
+++ nagios3-3.2.1/debian/changelog
@@ -1,3 +1,11 @@
+nagios3 (3.2.1-2+squeeze2) squeeze-security; urgency=high
+
+ * Non-maintainer upload.
+ * Stop status.cgi from listing unauthorized hosts and services in
+ servicegroup view (CVE-2013-2214). (closes: #714171)
+
+ -- Jonas Meurer <[email protected]> Mon, 08 Jul 2013 15:38:34 +0200
+
nagios3 (3.2.1-2+squeeze1) squeeze-security; urgency=low
* Non-maintainer upload.
diff -u nagios3-3.2.1/debian/patches/00list nagios3-3.2.1/debian/patches/00list
--- nagios3-3.2.1/debian/patches/00list
+++ nagios3-3.2.1/debian/patches/00list
@@ -8,2 +8,3 @@
70_fix_eventhandler_paths.dpatch
+99_security_status_cgi_servicegroup.dpatch
99_security_cve_2012_6096.dpatch
only in patch2:
unchanged:
--- nagios3-3.2.1.orig/debian/patches/99_security_status_cgi_servicegroup.dpatch
+++ nagios3-3.2.1/debian/patches/99_security_status_cgi_servicegroup.dpatch
@@ -0,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Stop cgi-bin/status.c from listing unauthorized hosts and
+## DP: services in servicegroup view
+## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.2.1~/cgi/status.c nagios3-3.2.1/cgi/status.c
+--- nagios3-3.2.1~/cgi/status.c 2009-09-12 01:55:30.000000000 +0200
++++ nagios3-3.2.1/cgi/status.c 2013-07-08 17:11:10.700131286 +0200
+@@ -2395,6 +2395,10 @@
+ if(temp_host==NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* skip this if it isn't a new host... */
+ if(temp_host==last_host)
+ continue;
+@@ -2600,6 +2604,10 @@
+ if(temp_host==NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* skip this if it isn't a new host... */
+ if(temp_host==last_host)
+ continue;
+@@ -2779,6 +2787,10 @@
+ if(temp_service==NULL)
+ continue;
+
++ /* make sure user has rights to view this service */
++ if(is_authorized_for_service(temp_service, ¤t_authdata) == FALSE)
++ continue;
++
+ /* find the service status */
+ temp_servicestatus=find_servicestatus(temp_service->host_name,temp_service->description);
+ if(temp_servicestatus==NULL)
+@@ -3131,6 +3143,10 @@
+ if(temp_host==NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* get the status of the host */
+ temp_hoststatus=find_hoststatus(temp_host->name);
+ if(temp_hoststatus==NULL)
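Review bot: at all four inserted checks in cgi/status.c the second argument reads "¤t_authdata", which is not a C expression; it looks like an entity-mangled "&current_authdata", so the attached debdiff, not this rendering, is what should be built and reviewed. The "## DP:" header also names only the upstream bug (id=456); adding CVE-2013-2214, which the changelog entry already cites, would make the dpatch self-describing when it is read without the changelog.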
diff -u nagios3-3.4.1/debian/changelog nagios3-3.4.1/debian/changelog
--- nagios3-3.4.1/debian/changelog
+++ nagios3-3.4.1/debian/changelog
@@ -1,3 +1,13 @@
+nagios3 (3.4.1-3+wheezy1) wheezy-security; urgency=high
+
+ * Non-maintainer upload.
+ * Stop status.cgi from listing unauthorized hosts and services in
+ servicegroup view (CVE-2013-2214). (closes: #714171)
+ * Backport upstream r1953 to fix downtime retention across restarts.
+ Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)
+
+ -- Jonas Meurer <[email protected]> Mon, 08 Jul 2013 15:24:56 +0200
+
nagios3 (3.4.1-3) unstable; urgency=low
* Fix several overflows in getcgi.cgi and history.cgi
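Review bot: the third bullet of the 3.4.1-3+wheezy1 entry (backport of upstream r1953, #710356) is a downtime-retention fix unrelated to CVE-2013-2214, yet it ships in a wheezy-security upload with urgency=high. Keeping this upload to the status.cgi change and sending the r1953 backport through a separate stable update would keep the security diff minimal and easier to audit. Minor: the entry mixes "closes:" and "Closes:"; one spelling throughout reads better.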
diff -u nagios3-3.4.1/debian/patches/00list nagios3-3.4.1/debian/patches/00list
--- nagios3-3.4.1/debian/patches/00list
+++ nagios3-3.4.1/debian/patches/00list
@@ -11 +11,3 @@
+99_security_status_cgi_servicegroup.dpatch
99_security_cve_2012_6096.dpatch
+999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
only in patch2:
unchanged:
--- nagios3-3.4.1.orig/debian/patches/99_security_status_cgi_servicegroup.dpatch
+++ nagios3-3.4.1/debian/patches/99_security_status_cgi_servicegroup.dpatch
@@ -0,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Stop cgi-bin/status.c from listing unauthorized hosts and
+## DP: services in servicegroup view
+## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.4.1~/cgi/status.c nagios3-3.4.1/cgi/status.c
+--- nagios3-3.4.1~/cgi/status.c 2012-02-13 21:40:42.000000000 +0100
++++ nagios3-3.4.1/cgi/status.c 2013-06-26 16:52:37.668132234 +0200
+@@ -2534,6 +2534,10 @@
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* skip this if it isn't a new host... */
+ if(temp_host == last_host)
+ continue;
+@@ -2739,6 +2743,10 @@
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* skip this if it isn't a new host... */
+ if(temp_host == last_host)
+ continue;
+@@ -2918,6 +2926,10 @@
+ if(temp_service == NULL)
+ continue;
+
++ /* make sure user has rights to view this service */
++ if(is_authorized_for_service(temp_service, ¤t_authdata) == FALSE)
++ continue;
++
+ /* find the service status */
+ temp_servicestatus = find_servicestatus(temp_service->host_name, temp_service->description);
+ if(temp_servicestatus == NULL)
+@@ -3270,6 +3282,10 @@
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* get the status of the host */
+ temp_hoststatus = find_hoststatus(temp_host->name);
+ if(temp_hoststatus == NULL)
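Review bot: the inner hunks at 2534, 2739 and 3270 filter on is_authorized_for_host(), while only the hunk at 2918 uses is_authorized_for_service(). If a contact can be authorized for a service without being authorized for its host, those three sites will now skip the host entirely and hide entries that contact is allowed to see. Please confirm that host-level filtering is the intended granularity in these views, and list the affected functions in the "## DP:" description, since the hunk headers carry no function names to check coverage against.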
only in patch2:
unchanged:
--- nagios3-3.4.1.orig/debian/patches/999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
+++ nagios3-3.4.1/debian/patches/999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
@@ -0,0 +1,74 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## daemon downtime: Handle loading effective downtime from retention
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: From 9f18395268dda948265722984097735d48d72197 Mon Sep 17 00:00:00 2001
+## DP: From: Andreas Ericsson <[email protected]>
+## DP: Date: Wed, 6 Jun 2012 09:38:06 +0000
+## DP: Subject: [PATCH] daemon downtime: Handle loading effective downtime from
+## DP: retention
+## DP:
+## DP: Without this patch, Nagios would forget about downtime that starts
+## DP: before the core is stopped and ends after the core is restarted.
+## DP:
+## DP: According to testers, the original problem with notifications being
+## DP: re-sent does not crop up again when this patch is applied.
+## DP:
+## DP: Tested-by: Mark Elsen <[email protected]>
+## DP: Tested-by: Phil Randal <[email protected]>
+## DP: Patched-by: Carlos Velasco <[email protected]>
+## DP: Signed-off-by: Andreas Ericsson <[email protected]>
+## DP:
+## DP: git-svn-id: https://nagios.svn.sourceforge.net/svnroot/nagios/nagioscore/trunk@1953 5f96b256-904b-4d8d-8c98-d829582c6739
+## DP: ---
+## DP: THANKS | 1 +
+## DP: common/downtime.c | 31 +++++++++++++++++++++++++++----
+## DP: 2 files changed, 28 insertions(+), 4 deletions(-)
+
+@DPATCH@
+diff --git a/common/downtime.c b/common/downtime.c
+index 09a0333..0193c50 100644
+--- a/common/downtime.c
++++ b/common/downtime.c
+@@ -401,11 +401,34 @@ int handle_scheduled_downtime(scheduled_downtime *temp_downtime) {
+ }
+
+ /* if downtime handler gets triggerd in between then there seems to be a restart */
+- /* Don't do anything just return */
+- time( ¤t_time);
+- if( temp_downtime->start_time < current_time && current_time < temp_downtime->end_time && temp_downtime->is_in_effect == TRUE)
+- return OK;
++ time(¤t_time);
++ if(temp_downtime->start_time < current_time && current_time < temp_downtime->end_time && temp_downtime->is_in_effect == TRUE) {
++#ifdef USE_EVENT_BROKER
++ /* send data to event broker */
++ broker_downtime_data(NEBTYPE_DOWNTIME_START, NEBFLAG_NONE, NEBATTR_NONE, temp_downtime->type, temp_downtime->host_name, temp_downtime->service_description, temp_downtime->entry_time, temp_downtime->author, temp_downtime->comment, temp_downtime->start_time, temp_downtime->end_time, temp_downtime->fixed, temp_downtime->triggered_by, temp_downtime->duration, temp_downtime->downtime_id, NULL);
++#endif
++
++ /* increment the downtime depth variable */
++ if(temp_downtime->type == HOST_DOWNTIME) {
++ hst->scheduled_downtime_depth++;
++ update_host_status(hst, FALSE);
++ }
++ else {
++ svc->scheduled_downtime_depth++;
++ update_service_status(svc, FALSE);
++ }
+
++ /* schedule an event */
++ if(temp_downtime->fixed == FALSE)
++ event_time = (time_t)((unsigned long)time(NULL) + temp_downtime->duration);
++ else
++ event_time = temp_downtime->end_time;
++ if((new_downtime_id = (unsigned long *)malloc(sizeof(unsigned long)))) {
++ *new_downtime_id = temp_downtime->downtime_id;
++ schedule_new_event(EVENT_SCHEDULED_DOWNTIME, TRUE, event_time, FALSE, 0, NULL, FALSE, (void *)new_downtime_id, NULL, 0);
++ }
++ return OK;
++ }
+
+ /* have we come to the end of the scheduled downtime? */
+ if(temp_downtime->is_in_effect == TRUE) {
+--
+1.8.2
+
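Review bot: in the new block of handle_scheduled_downtime(), scheduled_downtime_depth is incremented and the status updated before the malloc() for new_downtime_id; if that allocation fails, no EVENT_SCHEDULED_DOWNTIME is queued but the function still returns OK, leaving the host or service with a raised downtime depth and no end event to lower it. Allocate first, or return ERROR and undo the increment on failure. Also worth checking: for temp_downtime->fixed == FALSE the end event is set to time(NULL) + duration, so a flexible downtime that was already in effect before the restart gets its full duration again from the restart time.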