Package: icinga-idoutils
Version: 1.5.1-1
Severity: normal

IDO utils is incorrectly escaping characters such as ' for PostgreSQL.

From the PostgreSQL logs (running 9.1):

2011-09-15 17:12:18 EST ERROR:  syntax error at or near "5" at character 184
2011-09-15 17:12:18 EST STATEMENT:  UPDATE icinga_servicestatus SET instance_id=1, service_object_id=201, status_update_time=FROM_UNIXTIME(1316070738), output='CPU Load 22% (5 min average)', long_output='', perfdata='\'5 min avg Load\'=22%;80;90;0;100', current_state=0, has_been_checked=1, should_be_scheduled=1, current_check_attempt=1, max_check_attempts=4, last_check=FROM_UNIXTIME(1316070728), next_check=FROM_UNIXTIME(1316071028), check_type=0, last_state_change=FROM_UNIXTIME(1315926986), last_hard_state_change=FROM_UNIXTIME(1315816267), last_hard_state=0, last_time_ok=FROM_UNIXTIME(1316070728), last_time_warning=FROM_UNIXTIME(1315926926), last_time_unknown=FROM_UNIXTIME(0), last_time_critical=FROM_UNIXTIME(1315815967), state_type=1, last_notification=FROM_UNIXTIME(0), next_notification=FROM_UNIXTIME(0), no_more_notifications=0, notifications_enabled=1, problem_has_been_acknowledged=0, acknowledgement_type=0, current_notification_number=0, passive_checks_enabled=1, active_checks_enabled=1, event_handler_enabled=1, flap_detection_enabled=1, is_flapping=0, percent_state_change='0.000000', latency='0.816000', execution_time='0.190820', scheduled_downtime_depth=0, failure_prediction_enabled=1, process_performance_data=1, obsess_over_service=1, modified_service_attributes=0, event_handler='', check_command='my_check_nt!CPULOAD!-l 5,80,90', normal_check_interval='5.000000', retry_check_interval='1.000000', check_timeperiod_object_id=174 WHERE service_object_id=201

Running the command manually, sanitized and a few minutes after the logged run:

> /usr/lib/nagios/plugins/check_nt -H ###.###.###.### -v CPULOAD -l 5,80,90 -s
> XXXX -p 12489
CPU Load 21% (5 min average) | '5 min avg Load'=21%;80;90;0;100

Browsing the source it looks like escaping is done in db.c:2335 ido2db_db_escape_string() by adding a \ in front of a ' character, which is causing the problems; I believe PostgreSQL wants '' instead of \'. It should however be done properly using libpq's PQescapeLiteral. It also protects against multibyte SQL injection attacks that the previous method doesn't. Chris Shiflett did a decent writeup of this problem several years ago [1]; the vulnerability looks to extend to all the databases in use.

[1]: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable
  APT policy: (800, 'stable'), (750, 'testing'), (600, 'unstable'), (500, 'oldstable'), (150, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.39+ (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages icinga-idoutils depends on:
ii  dbconfig-common               1.8.47         common framework for packaging dat
ii  debconf [debconf-2.0]         1.5.36.1       Debian configuration management sy
ii  icinga-common                 1.5.1-1        host and network monitoring system
ii  libc6                         2.13-18        Embedded GNU C Library: Shared lib
ii  libdbd-mysql                  0.8.3-1+s-2.1  MySQL database server driver for l
ii  libdbd-pgsql                  0.8.3-1+s-2.1  PostgreSQL database server driver
ii  libdbi1                       0.8.4-5.1      DB Independent Abstraction Layer f
ii  lsb-base                      3.2-28         Linux Standard Base 3.2 init scrip
ii  ucf                           3.0025+nmu2    Update Configuration File: preserv

Versions of packages icinga-idoutils recommends:
ii  mysql-client-5.1 [mysql-clien 5.1.49-3       MySQL database client binaries
ii  postgresql-client             9.1+121        front-end programs for PostgreSQL
ii  postgresql-client-9.0 [postgr 9.0.4-2        front-end programs for PostgreSQL
ii  postgresql-client-9.1 [postgr 9.1~rc1-3      front-end programs for PostgreSQL

icinga-idoutils suggests no packages.
-- debconf information:
  icinga-idoutils/dbconfig-upgrade: true
  icinga-idoutils/mysql/method: unix socket
  icinga-idoutils/db/dbname: icinga
  icinga-idoutils/dbconfig-remove:
  icinga-idoutils/missing-db-package-error: abort
  icinga-idoutils/install-error: retry
  icinga-idoutils/pgsql/authmethod-admin: ident
  icinga-idoutils/pgsql/admin-user: postgres
  icinga-idoutils/internal/reconfiguring: false
  icinga-idoutils/purge: false
  icinga-idoutils/pgsql/changeconf: false
  icinga-idoutils/db/basepath:
  icinga-idoutils/database-type: pgsql
  icinga-idoutils/upgrade-error: abort
  icinga-idoutils/pgsql/method: unix socket
  icinga-idoutils/remote/port:
  icinga-idoutils/internal/skip-preseed: true
  icinga-idoutils/dbconfig-reinstall: false
  icinga-idoutils/upgrade-backup: true
  icinga-idoutils/remove-error: abort
* icinga-idoutils/dbconfig-install: false
  icinga-idoutils/pgsql/manualconf:
  icinga-idoutils/passwords-do-not-match:
  icinga-idoutils/pgsql/authmethod-user: password
  icinga-idoutils/pgsql/no-empty-passwords:
  icinga-idoutils/db/app-user: icingaidoutils
  icinga-idoutils/remote/host:
  icinga-idoutils/mysql/admin-user: root
  icinga-idoutils/remote/newhost:
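Added illustration (not ido2db's source and not part of the report): a small C model of the two quoting styles the report contrasts, plus a scanner that walks a literal the way a PostgreSQL 9.1 server does with its default standard_conforming_strings=on, where a backslash is an ordinary character. Fed the perfdata value from the logged statement, the backslash-quoted literal closes after three characters and leaves "5 min avg Load..." as bare tokens, which is the "syntax error at or near 5" in the log; the doubled-quote form (what libpq's PQescapeLiteral emits for ASCII input, the real fix being to call that function so multibyte encodings are handled too) consumes the whole literal. Function names here are my own.

```c
#include <stdlib.h>
#include <string.h>

/* Quote `in` as a SQL string literal. backslash_style=1 reproduces the
 * approach the report attributes to ido2db_db_escape_string() (a '\'
 * before each quote); 0 uses the SQL-standard form that doubles quotes,
 * which for ASCII input is what libpq's PQescapeLiteral returns.
 * Caller frees the result. (Hypothetical helper, not ido2db's code.) */
char *quote_literal(const char *in, int backslash_style) {
    char *out = malloc(2 * strlen(in) + 3), *p = out;
    if (!out) return NULL;
    *p++ = '\'';
    for (; *in; in++) {
        if (*in == '\'') *p++ = backslash_style ? '\\' : '\'';
        *p++ = *in;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Walk a literal as a PostgreSQL 9.1 server with the default
 * standard_conforming_strings=on does: backslash is not special and only
 * '' keeps the literal open. Returns the offset just past the closing
 * quote, or -1 if the literal never closes. */
long literal_end(const char *sql) {
    if (sql[0] != '\'') return -1;
    for (long i = 1; sql[i]; i++) {
        if (sql[i] != '\'') continue;
        if (sql[i + 1] == '\'') { i++; continue; }  /* embedded quote */
        return i + 1;
    }
    return -1;
}
```

With the report's perfdata value ('5 min avg Load'=22%;80;90;0;100), literal_end() returns 3 for the backslash-quoted form and 36 (the full length) for the doubled form.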