Hello community, here is the log from the commit of package nagios for openSUSE:Factory checked in at 2014-02-02 18:41:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nagios (Old) and /work/SRC/openSUSE:Factory/.nagios.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nagios"
Changes:
--------
--- /work/SRC/openSUSE:Factory/nagios/nagios.changes 2013-09-27 17:47:42.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.nagios.new/nagios.changes 2014-02-02 18:41:35.000000000 +0100
@@ -1,0 +2,14 @@
+Wed Jan 22 16:53:49 UTC 2014 - obs@botter.cc
+
+- bring package back to compiling state after introducing
+ incompatible changes in nagios.spec with submit from
+ Dec 27th (spec file changes obviously already for nagios 4.0,
+ whereas we are still at 3.5.1).
+
+-------------------------------------------------------------------
+Fri Dec 27 14:49:18 UTC 2013 - lars@linux-schulserver.de
+
+- Fix possible denial of service in CGI executables:
+ * nagios-CVE-2013-7108.patch (bnc#856837)
+
+-------------------------------------------------------------------
New:
----
nagios-CVE-2013-7108.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nagios.spec ++++++
--- /var/tmp/diff_new_pack.lxMtJm/_old 2014-02-02 18:41:37.000000000 +0100
+++ /var/tmp/diff_new_pack.lxMtJm/_new 2014-02-02 18:41:37.000000000 +0100
@@ -45,6 +45,8 @@
 Patch11: nagios-disable_phone_home.patch
 # PATCH-FIX-UPSTREAM fix CVE-2013-2214
 Patch12: nagios-CVE-2013-2214.patch
+# PATCH-FIX-UPSTREAM fix CVE-2013-7108
+Patch13: nagios-CVE-2013-7108.patch
 BuildRequires: apache2-devel
 BuildRequires: freetype2-devel
 BuildRequires: gd-devel
@@ -188,6 +190,7 @@
 %patch10 -p0
 %patch11 -p0
 %patch12 -p1
+%patch13 -p1
 find -name ".gitignore" | xargs rm
 # fix p1.pl [dos]
 perl -p -i -e 's|\r\n|\n|' contrib/p1.pl
++++++ nagios-CVE-2013-7108.patch ++++++
Index: nagios/cgi/avail.c
===================================================================
--- nagios.orig/cgi/avail.c
+++ nagios/cgi/avail.c
@@ -1141,7 +1141,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/config.c
===================================================================
--- nagios.orig/cgi/config.c
+++ nagios/cgi/config.c
@@ -386,7 +386,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/extinfo.c
===================================================================
--- nagios.orig/cgi/extinfo.c
+++ nagios/cgi/extinfo.c
@@ -651,7 +651,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/histogram.c
===================================================================
--- nagios.orig/cgi/histogram.c
+++ nagios/cgi/histogram.c
@@ -1069,7 +1069,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/notifications.c
===================================================================
--- nagios.orig/cgi/notifications.c
+++ nagios/cgi/notifications.c
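Review bot: In the cgi/avail.c hunk the length guard now depends on the enclosing for loop to advance x, yet nothing in the code records why an `x++` must not return there. The retained comment speaks only of buffer overflows. The loop header lies outside this hunk, but the statuswml.c hunk shows it as `for(x = 0; variables[x] != NULL; x++)`. I would extend the comment, e.g. `/* skip over-long entries; no x++ here: the loop header advances x, and a second increment can step past the NULL terminator */`. The same note applies to the identical hunks in config.c, extinfo.c, histogram.c, notifications.c, outages.c, status.c, statusmap.c, summary.c, trends.c and contrib/daemonchk.c. Because the guard is duplicated per file, CGI sources this patch does not touch presumably deserve a search for `x++;` directly before `continue;` as well.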
@@ -358,7 +358,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/outages.c
===================================================================
--- nagios.orig/cgi/outages.c
+++ nagios/cgi/outages.c
@@ -269,7 +269,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/status.c
===================================================================
--- nagios.orig/cgi/status.c
+++ nagios/cgi/status.c
@@ -600,7 +600,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/statusmap.c
===================================================================
--- nagios.orig/cgi/statusmap.c
+++ nagios/cgi/statusmap.c
@@ -407,7 +407,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/statuswml.c
===================================================================
--- nagios.orig/cgi/statuswml.c
+++ nagios/cgi/statuswml.c
@@ -235,8 +235,13 @@ int process_cgivars(void) {
 for(x = 0; variables[x] != NULL; x++) {
+ /* do some basic length checking on the variable identifier to prevent buffer overflows */
+ if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
+ continue;
+ }
+
 /* we found the hostgroup argument */
- if(!strcmp(variables[x], "hostgroup")) {
+ else if(!strcmp(variables[x], "hostgroup")) {
 display_type = DISPLAY_HOSTGROUP;
 x++;
 if(variables[x] == NULL) {
Index: nagios/cgi/summary.c
===================================================================
--- nagios.orig/cgi/summary.c
+++ nagios/cgi/summary.c
@@ -761,7 +761,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/cgi/trends.c
===================================================================
--- nagios.orig/cgi/trends.c
+++ nagios/cgi/trends.c
@@ -1271,7 +1271,6 @@ int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
Index: nagios/contrib/daemonchk.c
===================================================================
--- nagios.orig/contrib/daemonchk.c
+++ nagios/contrib/daemonchk.c
@@ -174,7 +174,6 @@ static int process_cgivars(void) {
 /* do some basic length checking on the variable identifier to prevent buffer overflows */
 if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
- x++;
 continue;
 }
 }
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
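Review bot: The guard added to cgi/statuswml.c bounds only the identifier at `variables[x]`; the value consumed by the later `x++` in the hostgroup branch is tested for NULL but not for length within this hunk. How that value is stored lies outside the hunk, so this needs confirming: if it is copied into a fixed-size buffer rather than duplicated, it needs the same `strlen(variables[x]) >= MAX_INPUT_BUFFER - 1` test before use. The guard also drops an over-long identifier silently, so a one-line comment stating that this is intended (rather than flagging an error to the caller) would help. process_cgivars begins and ends outside the hunk.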