Hello community, here is the log from the commit of package nagios checked in at Tue May 9 12:37:03 CEST 2006. -------- --- nagios/nagios.changes 2006-01-25 21:38:32.000000000 +0100 +++ STABLE/nagios/nagios.changes 2006-05-03 22:52:06.000000000 +0200 @@ -1,0 +2,6 @@ +Wed May 3 22:51:20 CEST 2006 - stark@suse.de + +- fixed possible buffer overflow in CGI scripts (#140494) + (CVE-2006-2162) + +------------------------------------------------------------------- New: ---- content_length.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nagios.spec ++++++ --- /var/tmp/diff_new_pack.p8DTRY/_old 2006-05-09 12:36:56.000000000 +0200 +++ /var/tmp/diff_new_pack.p8DTRY/_new 2006-05-09 12:36:56.000000000 +0200 @@ -5,7 +5,7 @@ # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # -# Please submit bugfixes or comments via http://bugs.opensuse.org +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -13,7 +13,7 @@ BuildRequires: apache2-devel freetype2-devel gd-devel iputils libapr-util1-devel libjpeg-devel libpng-devel mailx pcre-devel xorg-x11-devel Summary: The Nagios Network Monitor Version: 1.3 -Release: 2 +Release: 14 URL: http://www.nagios.org/ License: GPL Group: System/Monitoring @@ -24,6 +24,7 @@ Patch1: sapmoni.dif Patch2: nagios-perl58.dif Patch3: size.patch +Patch4: content_length.patch PreReq: %insserv_prereq %fillup_prereq BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nsusr daemon @@ -60,6 +61,7 @@ %patch2 %endif %patch3 +%patch4 %build CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" \ 
@@ -165,6 +167,9 @@ %config(noreplace) %{apache2_sysconfdir}/conf.d/* %changelog -n nagios +* Wed May 03 2006 - stark@suse.de +- fixed possible buffer overflow in CGI scripts (#140494) + (CVE-2006-2162) * Wed Jan 25 2006 - mls@suse.de - converted neededforbuild to BuildRequires * Mon Jan 09 2006 - stark@suse.de ++++++ content_length.patch ++++++ diff -uprN nagios-1.3/cgi/getcgi.c nagios-1.4/cgi/getcgi.c --- cgi/getcgi.c 2002-09-25 01:04:02.000000000 +0200 +++ cgi/getcgi.c 2006-04-12 21:25:14.000000000 +0200 @@ -166,6 +166,8 @@ char **getcgivars(void){ printf("getcgivars(): No Content-Length was sent with the POST request.\n") ; exit(1); } + if(content_length<0) + content_length=0; if(!(cgiinput=(char *)malloc(content_length+1))){ printf("getcgivars(): Could not allocate memory for CGI input.\n"); exit(1); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
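Review bot: in the cgi/getcgi.c hunk of content_length.patch, a negative content_length is clamped to 0 and the request then carries on to the allocation, whereas the two neighbouring failure paths (missing Content-Length, failed malloc) print a message and call exit(1). Rejecting the request the same way would be more consistent and would avoid handling a POST whose declared length is invalid. The hunk also adds no upper bound before malloc(content_length+1): if content_length is a signed int, the largest positive value makes the +1 overflow, so a maximum checked before the allocation would cover that case too. A short comment beside the new check naming #140494 and CVE-2006-2162 would help later readers of getcgivars().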
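Review bot: the new entries in nagios.changes and in the %changelog section of nagios.spec say only "fixed possible buffer overflow in CGI scripts" and do not name the patch or the cause. Mentioning content_length.patch and the negative Content-Length handling in getcgivars() would let someone auditing the package match the entry to the code change. A comment on the Patch4: line in the spec carrying the same bug and CVE reference would do the same for the patch list.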