[packages/nagios-nrpe.git] / CVE-2014-2913-nasty-metacharacters.patch

# This should get removed whenever 2.16 is released, assuming it has the fix
# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream
# concensus that quoting arguments in a mode which is widely agreed upon to be
# risky so track upstream discussions here, too.

diff --git b/src/nrpe.c a/src/nrpe.c
index 381f0ac..ad1e05d 100644
--- b/src/nrpe.c
+++ a/src/nrpe.c
@@ -53,7 +53,7 @@ int use_ssl=FALSE;
 
 #define DEFAULT_COMMAND_TIMEOUT	60			/* default timeout for execution of plugins */
 #define MAXFD                   64
-#define NASTY_METACHARS         "|`&><'\"\\[]{};"
+#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"
 #define howmany(x,y)	(((x)+((y)-1))/(y))
 #define MAX_LISTEN_SOCKS        16
Commit	Line	Data
912f5a12 ER	1	# This should get removed whenever 2.16 is released, assuming it has the fix
	2	# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream
	3	# concensus that quoting arguments in a mode which is widely agreed upon to be
	4	# risky so track upstream discussions here, too.
	5
	6	diff --git b/src/nrpe.c a/src/nrpe.c
	7	index 381f0ac..ad1e05d 100644
	8	--- b/src/nrpe.c
	9	+++ a/src/nrpe.c
	10	@@ -53,7 +53,7 @@ int use_ssl=FALSE;
	11
	12	#define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */
	13	#define MAXFD 64
	14	-#define NASTY_METACHARS "\|`&><'\"\\[]{};"
	15	+#define NASTY_METACHARS "\|`&><'\"\\[]{};\n"
	16	#define howmany(x,y) (((x)+((y)-1))/(y))
	17	#define MAX_LISTEN_SOCKS 16
	18