add CVE-2014-2913 fix from fedora AC-branch auto/ac/nagios-nrpe-2.15-6 auto/th/nagios-nrpe-2.15-6
authorElan Ruusamäe <glen@delfi.ee>
Sat, 9 Jan 2016 13:56:32 +0000 (15:56 +0200)
committerElan Ruusamäe <glen@delfi.ee>
Sat, 9 Jan 2016 13:56:42 +0000 (15:56 +0200)
CVE-2014-2913-nasty-metacharacters.patch [new file with mode: 0644]
nagios-nrpe.spec

diff --git a/CVE-2014-2913-nasty-metacharacters.patch b/CVE-2014-2913-nasty-metacharacters.patch
new file mode 100644 (file)
index 0000000..bca3930
--- /dev/null
@@ -0,0 +1,18 @@
+# This should get removed whenever 2.16 is released, assuming it has the fix
+# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream
+# concensus that quoting arguments in a mode which is widely agreed upon to be
+# risky so track upstream discussions here, too.
+
+diff --git b/src/nrpe.c a/src/nrpe.c
+index 381f0ac..ad1e05d 100644
+--- b/src/nrpe.c
++++ a/src/nrpe.c
+@@ -53,7 +53,7 @@ int use_ssl=FALSE;
+ #define DEFAULT_COMMAND_TIMEOUT       60                      /* default timeout for execution of plugins */
+ #define MAXFD                   64
+-#define NASTY_METACHARS         "|`&><'\"\\[]{};"
++#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"
+ #define howmany(x,y)  (((x)+((y)-1))/(y))
+ #define MAX_LISTEN_SOCKS        16
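Review bot: The new `NASTY_METACHARS` value on the `+#define` line is still a character denylist, so adding `\n` closes the newline case from CVE-2014-2913 but does not make passing command arguments safe; any shell-significant byte missing from the string is still accepted, and it is worth checking whether `\r` should be listed next to `\n`. The code that consumes the macro is outside the hunk, so what else it filters cannot be confirmed from here. I would state the limitation in the patch header, for example `# Mitigation only: NASTY_METACHARS is a denylist; keep dont_blame_nrpe=0 unless command arguments are really needed.` The existing header sentence about consensus is also hard to parse and could read `# There is no upstream consensus on quoting arguments in a mode that is widely agreed to be risky, so track upstream discussions here, too.`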
index 8669c8e415fdf309a4d44b8e44d5267a55f4a241..38434efc9c1115a3edca83b64916ec6f24186cf9 100644 (file)
@@ -2,7 +2,7 @@ Summary:        Nagios remote plugin execution service/plugin
 Summary(pl.UTF-8):     Demon i wtyczka zdalnego wywoływania wtyczek Nagios
 Name:          nagios-nrpe
 Version:       2.15
-Release:       5
+Release:       6
 License:       GPL v2
 Group:         Networking
 Source0:       http://downloads.sourceforge.net/nagios/nrpe-%{version}.tar.gz
@@ -13,6 +13,7 @@ Source3:      %{name}.tmpfiles
 Source4:       commands.cfg
 Patch0:                %{name}-config.patch
 Patch1:                nrpe_check_control.patch
+Patch2:                CVE-2014-2913-nasty-metacharacters.patch
 URL:           http://www.nagios.org/
 BuildRequires: openssl-devel
 BuildRequires: openssl-tools
@@ -68,6 +69,7 @@ na innych komputerach za pomocą demona nrpe.
 %undos contrib/nrpe_check_control.c
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure \