From 912f5a12034c779102b255cce3989d8032807fe3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Elan=20Ruusam=C3=A4e?=
Date: Sat, 9 Jan 2016 15:56:32 +0200
Subject: [PATCH] add CVE-2014-2913 fix from fedora

---
 CVE-2014-2913-nasty-metacharacters.patch | 18 ++++++++++++++++++
 nagios-nrpe.spec | 4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2014-2913-nasty-metacharacters.patch

diff --git a/CVE-2014-2913-nasty-metacharacters.patch b/CVE-2014-2913-nasty-metacharacters.patch
new file mode 100644
index 0000000..bca3930
--- /dev/null
+++ b/CVE-2014-2913-nasty-metacharacters.patch
@@ -0,0 +1,18 @@
+# This should get removed whenever 2.16 is released, assuming it has the fix
+# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream
+# concensus that quoting arguments in a mode which is widely agreed upon to be
+# risky so track upstream discussions here, too.
+
+diff --git b/src/nrpe.c a/src/nrpe.c
+index 381f0ac..ad1e05d 100644
+--- b/src/nrpe.c
++++ a/src/nrpe.c
+@@ -53,7 +53,7 @@ int use_ssl=FALSE;
+ 
+ #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */
+ #define MAXFD 64
+-#define NASTY_METACHARS "|`&><'\"\\[]{};"
++#define NASTY_METACHARS "|`&><'\"\\[]{};\n"
+ #define howmany(x,y) (((x)+((y)-1))/(y))
+ #define MAX_LISTEN_SOCKS 16
+ 
diff --git a/nagios-nrpe.spec b/nagios-nrpe.spec
index 8669c8e..38434ef 100644
--- a/nagios-nrpe.spec
+++ b/nagios-nrpe.spec
@@ -2,7 +2,7 @@ Summary: Nagios remote plugin execution service/plugin
 Summary(pl.UTF-8): Demon i wtyczka zdalnego wywoływania wtyczek Nagios
 Name: nagios-nrpe
 Version: 2.15
-Release: 5
+Release: 6
 License: GPL v2
 Group: Networking
 Source0: http://downloads.sourceforge.net/nagios/nrpe-%{version}.tar.gz
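Review bot: The added `NASTY_METACHARS` line extends a character denylist by a single byte (`\n`), and the patch's own header says upstream has not agreed that filtering arguments this way is adequate, so this should be carried as a hardening step rather than treated as closing CVE-2014-2913 outright. The denylist is only reached when the daemon is configured to accept command arguments from clients at all (the `dont_blame_nrpe` option), so it is worth stating in the spec changelog or the shipped configuration that arguments remain disabled by default and that this patch does not change that. The nested diff also has its sides swapped (`diff --git b/src/nrpe.c a/src/nrpe.c`, `--- b/src/nrpe.c`, `+++ a/src/nrpe.c`); `%patch2 -p1` still applies it, but regenerating it in the conventional a/→b/ orientation, and fixing the `concensus` typo in the header, would make the carried patch easier to audit. The header's "remove at 2.16" condition should be re-checked against the actual upstream change when the package version is bumped rather than assumed.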
@@ -13,6 +13,7 @@ Source3: %{name}.tmpfiles
 Source4: commands.cfg
 Patch0: %{name}-config.patch
 Patch1: nrpe_check_control.patch
+Patch2: CVE-2014-2913-nasty-metacharacters.patch
 URL: http://www.nagios.org/
 BuildRequires: openssl-devel
 BuildRequires: openssl-tools
@@ -68,6 +69,7 @@ na innych komputerach za pomocą demona nrpe.
 %undos contrib/nrpe_check_control.c
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure \
-- 
2.43.0