[packages/nagios-nrpe] add CVE-2014-2913 fix from fedora
glen
glen at pld-linux.org
Sat Jan 9 14:56:57 CET 2016
commit 912f5a12034c779102b255cce3989d8032807fe3
Author: Elan Ruusamäe <glen at delfi.ee>
Date: Sat Jan 9 15:56:32 2016 +0200
add CVE-2014-2913 fix from fedora
CVE-2014-2913-nasty-metacharacters.patch | 18 ++++++++++++++++++
nagios-nrpe.spec | 4 +++-
2 files changed, 21 insertions(+), 1 deletion(-)
---
diff --git a/nagios-nrpe.spec b/nagios-nrpe.spec
index 8669c8e..38434ef 100644
--- a/nagios-nrpe.spec
+++ b/nagios-nrpe.spec
@@ -2,7 +2,7 @@ Summary: Nagios remote plugin execution service/plugin
Summary(pl.UTF-8): Demon i wtyczka zdalnego wywoływania wtyczek Nagios
Name: nagios-nrpe
Version: 2.15
-Release: 5
+Release: 6
License: GPL v2
Group: Networking
Source0: http://downloads.sourceforge.net/nagios/nrpe-%{version}.tar.gz
@@ -13,6 +13,7 @@ Source3: %{name}.tmpfiles
Source4: commands.cfg
Patch0: %{name}-config.patch
Patch1: nrpe_check_control.patch
+Patch2: CVE-2014-2913-nasty-metacharacters.patch
URL: http://www.nagios.org/
BuildRequires: openssl-devel
BuildRequires: openssl-tools
@@ -68,6 +69,7 @@ na innych komputerach za pomocą demona nrpe.
%undos contrib/nrpe_check_control.c
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%build
%configure \
diff --git a/CVE-2014-2913-nasty-metacharacters.patch b/CVE-2014-2913-nasty-metacharacters.patch
new file mode 100644
index 0000000..bca3930
--- /dev/null
+++ b/CVE-2014-2913-nasty-metacharacters.patch
@@ -0,0 +1,18 @@
+# This should get removed whenever 2.16 is released, assuming it has the fix
+# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream
+# concensus that quoting arguments in a mode which is widely agreed upon to be
+# risky so track upstream discussions here, too.
+
+diff --git b/src/nrpe.c a/src/nrpe.c
+index 381f0ac..ad1e05d 100644
+--- b/src/nrpe.c
++++ a/src/nrpe.c
+@@ -53,7 +53,7 @@ int use_ssl=FALSE;
+
+ #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */
+ #define MAXFD 64
+-#define NASTY_METACHARS "|`&><'\"\\[]{};"
++#define NASTY_METACHARS "|`&><'\"\\[]{};\n"
+ #define howmany(x,y) (((x)+((y)-1))/(y))
+ #define MAX_LISTEN_SOCKS 16
+
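Review bot: Adding `\n` to `NASTY_METACHARS` extends a character denylist, which blocks only what it names; this define is the only filter visible in the embedded nrpe.c hunk, and whether other shell-significant input is rejected elsewhere in nrpe.c cannot be seen from here. The filter only matters when the daemon accepts command arguments, so confirm that the packaged nrpe.cfg keeps `dont_blame_nrpe=0` by default and treat this patch as hardening rather than a complete fix, as the header comment itself hints. That header comment is hard to parse as written; something like `# No upstream consensus on filtering arguments in a mode widely agreed to be risky; track upstream discussion at the URL above.` would read more clearly. The embedded diff uses swapped `b/` and `a/` prefixes, which `%patch2 -p1` tolerates because only one leading path component is stripped.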
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/nagios-nrpe.git/commitdiff/912f5a12034c779102b255cce3989d8032807fe3