tags 445475 patch thanks Hi
Attached you will find a patch from upstream CVS for the check_http.c file. Besides the CVE, it also fixes two other minor issues (an off-by-one error and a NULL pointer problem). I am trying to get some testing done; please feel free to comment. If you are busy, you could also give me permission to NMU, although it is a very young bug. Cheers Steffen
diff -u nagios-plugins-1.4.8/debian/changelog nagios-plugins-1.4.8/debian/changelog
--- nagios-plugins-1.4.8/debian/changelog
+++ nagios-plugins-1.4.8/debian/changelog
@@ -1,3 +1,15 @@
+nagios-plugins (1.4.8-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Include CVS patch to fix buffer overflow in redir function in
+ check_http.c, which was caused by parsing HTTP redirect strings
+ using sscanf
+ Fixes: CVE-2007-5198
+ * Include fix for off-by-one error and a NULL pointer, which leads
+ to a segfault
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Sat, 06 Oct 2007 09:12:18 +0000
+
 nagios-plugins (1.4.8-2) unstable; urgency=low
 
 * fix typo in upstream configure script which caused some plugins
diff -u nagios-plugins-1.4.8/debian/patches/00list nagios-plugins-1.4.8/debian/patches/00list
--- nagios-plugins-1.4.8/debian/patches/00list
+++ nagios-plugins-1.4.8/debian/patches/00list
@@ -10,0 +11 @@
+CVE-2007-5198.dpatch
only in patch2:
unchanged:
--- nagios-plugins-1.4.8.orig/debian/patches/CVE-2007-5198.dpatch
+++ nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch
@@ -0,0 +1,133 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5198.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes CVE-2007-5198
+ [EMAIL PROTECTED]@
+--- check_http.c.orig 2007-10-06 07:53:29.000000000 +0000
++++ nagios-plugins-1.4.8/plugins/check_http.c 2007-10-06 08:16:02.000000000 +0000
+@@ -53,7 +53,8 @@
+ enum {
+ MAX_IPV4_HOSTLENGTH = 255,
+ HTTP_PORT = 80,
+- HTTPS_PORT = 443
++ HTTPS_PORT = 443,
++ MAX_PORT = 65535
+ };
+
+ #ifdef HAVE_SSL
+@@ -148,7 +149,7 @@
+
+ if (display_html == TRUE)
+ printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">",
+- use_ssl ? "https" : "http", host_name,
++ use_ssl ? "https" : "http", server_address,
+ server_port, server_url);
+
+ /* initialize alarm signal handling, set socket timeout, start timer */
+@@ -1057,14 +1058,14 @@
+
+ /* per RFC 2396 */
+ #define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: "
+-#define URI_HTTP "%[HTPShtps]://"
+-#define URI_HOST "%[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define URI_PORT ":%[0123456789]"
++#define URI_HTTP "%5[HTPShtps]"
++#define URI_HOST "%255[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
++#define URI_PORT "%6d" /* MAX_PORT's width is 5 chars, 6 to detect overflow */
+ #define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define HD1 URI_HTTP URI_HOST URI_PORT URI_PATH
+-#define HD2 URI_HTTP URI_HOST URI_PATH
+-#define HD3 URI_HTTP URI_HOST URI_PORT
+-#define HD4 URI_HTTP URI_HOST
++#define HD1 URI_HTTP "://" URI_HOST ":" URI_PORT "/" URI_PATH
++#define HD2 URI_HTTP "://" URI_HOST "/" URI_PATH
++#define HD3 URI_HTTP "://" URI_HOST ":" URI_PORT
++#define HD4 URI_HTTP "://" URI_HOST
+ #define HD5 URI_PATH
+
+ void
+@@ -1075,7 +1076,6 @@
+ char xx[2];
+ char type[6];
+ char *addr;
+- char port[6];
+ char *url;
+
+ addr = malloc (MAX_IPV4_HOSTLENGTH + 1);
+@@ -1099,17 +1099,21 @@
+ }
+
+ pos += i;
+- pos += strspn (pos, " \t\r\n");
++ pos += strspn (pos, " \t");
++ for (; (i = strspn (pos, "\r\n")); pos += i) {
++ pos += i;
++ if (!(i = strspn (pos, " \t"))) {
++ die (STATE_UNKNOWN, _("HTTP UNKNOWN - Empty redirect location%s\n"),display_html ? "</A>" : "");
++ }
++ }
+
+- url = realloc (url, strcspn (pos, "\r\n"));
++ url = realloc (url, strcspn (pos, "\r\n")+ 1);
+ if (url == NULL)
+ die (STATE_UNKNOWN, _("could not allocate url\n"));
+
+ /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */
+- if (sscanf (pos, HD1, type, addr, port, url) == 4) {
++ if (sscanf (pos, HD1, type, addr, &i, url) == 4)
+ use_ssl = server_type_check (type);
+- i = atoi (port);
+- }
+
+ /* URI_HTTP URI_HOST URI_PATH */
+ else if (sscanf (pos, HD2, type, addr, url) == 3 ) {
+@@ -1118,10 +1122,9 @@
+ }
+
+ /* URI_HTTP URI_HOST URI_PORT */
+- else if(sscanf (pos, HD3, type, addr, port) == 3) {
++ else if(sscanf (pos, HD3, type, addr, &i) == 3) {
+ strcpy (url, HTTP_URL);
+ use_ssl = server_type_check (type);
+- i = atoi (port);
+ }
+
+ /* URI_HTTP URI_HOST */
+@@ -1141,7 +1144,7 @@
+ }
+ i = server_port;
+ strcpy (type, server_type);
+- strcpy (addr, host_name);
++ strcpy (addr, server_address);
+ }
+
+ else {
+@@ -1167,7 +1170,6 @@
+ _("WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
+ type, addr, i, url, (display_html ? "</A>" : ""));
+
+- server_port = i;
+ strcpy (server_type, type);
+
+ free (host_name);
+@@ -1177,7 +1179,18 @@
+ server_address = strdup (addr);
+
+ free (server_url);
++ if ((url[0] == '/'))
+ server_url = strdup (url);
++ else if (asprintf(&server_url, "/%s", url) == -1)
++ die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate server_url%s\n"), display_html ? "</A>" : "");
++ free(url);
++
++ if ((server_port = i) > MAX_PORT)
++ die (STATE_UNKNOWN, _("HTTP UNKNOWN - Redirection to port above %d - %s://%s:%d%s%s\n"),
++ MAX_PORT, server_type, server_address, server_port, server_url, display_html ? "</A>" : "");
++
++ if (verbose)
++ printf ("Redirection to %s://%s:%d%s\n", server_type, server_address, server_port, server_url);
+
+ check_http ();
+ }