import NMUs

debian/changelog

@@ -7,9 +7,32 @@ nagios-plugins (1.4.8-3) UNRELEASED; urgency=low
     #449671).
   * include fix for several typos provided by Luca Falavigna, thanks (closes:
     #453012).
+  * merge changes from and ack NMUs. Thanks to Steffen Joeris (closes:
+    #445475) and Nico Golde (closes: #448372, #447639).
 
  -- sean finney <sean@rangda.stickybit.se>  Mon, 28 May 2007 19:48:35 +0200
 
+nagios-plugins (1.4.8-2.2) unstable; urgency=high
+
+  * Non-maintainer upload by testing-security team.
+  * Fix remote DoS which can be triggered by a remote attacker
+    via crafted snmpget replies (CVE-2007-5623) (Closes: #448372).
+  * Modifying CVE-2007-5198 patch since it is incomplete (Closes: #447639).
+
+ -- Nico Golde <nion@debian.org>  Sun, 28 Oct 2007 16:15:54 +0100
+
+nagios-plugins (1.4.8-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Include CVS patch to fix buffer overflow in redir function in
+    check_http.c, which was caused by parsing HTTP redirect strings
+    using sscanf (Closes: #445475)
+    Fixes: CVE-2007-5198
+  * Include fix for off-by-one error and a NULL pointer, which leads
+    to a segfault
+
+ -- Steffen Joeris <white@debian.org>  Sun, 14 Oct 2007 10:36:01 +0000
+
 nagios-plugins (1.4.8-2) unstable; urgency=low
 
   * fix typo in upstream configure script which caused some plugins

debian/patches/00list

@@ -8,4 +8,6 @@
 26_implicit-basename.dpatch
 27_check_radius_segfault.dpatch
 28_configure_typo.dpatch
+CVE-2007-5198.dpatch
+CVE-2007-5623.dpatch
 50_misc_typos.dpatch

debian/patches/CVE-2007-5198.dpatch

@@ -0,0 +1,143 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5198.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes CVE-2007-5198
+
+@DPATCH@
+diff -urNad nagios-plugins-1.4.8~/plugins/check_http.c nagios-plugins-1.4.8/plugins/check_http.c
+--- nagios-plugins-1.4.8~/plugins/check_http.c	2007-03-06 23:45:57.000000000 +0100
++++ nagios-plugins-1.4.8/plugins/check_http.c	2007-10-28 16:25:01.000000000 +0100
+@@ -53,7 +53,8 @@
+ enum {
+   MAX_IPV4_HOSTLENGTH = 255,
+   HTTP_PORT = 80,
+-  HTTPS_PORT = 443
++  HTTPS_PORT = 443,
++  MAX_PORT = 65535
+ };
+ 
+ #ifdef HAVE_SSL
+@@ -148,7 +149,7 @@
+ 
+   if (display_html == TRUE)
+     printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">", 
+-      use_ssl ? "https" : "http", host_name,
++      use_ssl ? "https" : "http", server_address,
+       server_port, server_url);
+ 
+   /* initialize alarm signal handling, set socket timeout, start timer */
+@@ -1057,14 +1058,14 @@
+ 
+ /* per RFC 2396 */
+ #define HDR_LOCATION "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: "
+-#define URI_HTTP "%[HTPShtps]://"
+-#define URI_HOST "%[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define URI_PORT ":%[0123456789]"
++#define URI_HTTP "%5[HTPShtps]"
++#define URI_HOST "%255[-.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
++#define URI_PORT "%6d" /* MAX_PORT's width is 5 chars, 6 to detect overflow */
+ #define URI_PATH "%[-_.!~*'();/?:@&=+$,%#abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]"
+-#define HD1 URI_HTTP URI_HOST URI_PORT URI_PATH
+-#define HD2 URI_HTTP URI_HOST URI_PATH
+-#define HD3 URI_HTTP URI_HOST URI_PORT
+-#define HD4 URI_HTTP URI_HOST
++#define HD1 URI_HTTP "://" URI_HOST ":" URI_PORT "/" URI_PATH
++#define HD2 URI_HTTP "://" URI_HOST "/" URI_PATH
++#define HD3 URI_HTTP "://" URI_HOST ":" URI_PORT
++#define HD4 URI_HTTP "://" URI_HOST
+ #define HD5 URI_PATH
+ 
+ void
+@@ -1075,7 +1076,6 @@
+   char xx[2];
+   char type[6];
+   char *addr;
+-  char port[6];
+   char *url;
+ 
+   addr = malloc (MAX_IPV4_HOSTLENGTH + 1);
+@@ -1087,7 +1087,7 @@
+     die (STATE_UNKNOWN, _("Could not allocate url\n"));
+ 
+   while (pos) {
+-    sscanf (pos, "%[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
++	sscanf (pos, "%1[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
+     if (i == 0) {
+       pos += (size_t) strcspn (pos, "\r\n");
+       pos += (size_t) strspn (pos, "\r\n");
+@@ -1099,17 +1099,21 @@
+     }
+ 
+     pos += i;
+-    pos += strspn (pos, " \t\r\n");
++    pos += strspn (pos, " \t");
++    for (; (i = strspn (pos, "\r\n")); pos += i) {
++      pos += i;
++      if (!(i = strspn (pos, " \t"))) {
++	die (STATE_UNKNOWN, _("HTTP UNKNOWN - Empty redirect location%s\n"),display_html ? "</A>" : "");
++	}
++    }
+ 
+-    url = realloc (url, strcspn (pos, "\r\n"));
++    url = realloc (url, strcspn (pos, "\r\n")+ 1);
+     if (url == NULL)
+       die (STATE_UNKNOWN, _("could not allocate url\n"));
+ 
+     /* URI_HTTP, URI_HOST, URI_PORT, URI_PATH */
+-    if (sscanf (pos, HD1, type, addr, port, url) == 4) {
++    if (sscanf (pos, HD1, type, addr, &i, url) == 4)    
+       use_ssl = server_type_check (type);
+-      i = atoi (port);
+-    }
+ 
+     /* URI_HTTP URI_HOST URI_PATH */
+     else if (sscanf (pos, HD2, type, addr, url) == 3 ) { 
+@@ -1118,10 +1122,9 @@
+     }
+ 
+     /* URI_HTTP URI_HOST URI_PORT */
+-    else if(sscanf (pos, HD3, type, addr, port) == 3) {
++    else if(sscanf (pos, HD3, type, addr, &i) == 3) {    
+       strcpy (url, HTTP_URL);
+       use_ssl = server_type_check (type);
+-      i = atoi (port);
+     }
+ 
+     /* URI_HTTP URI_HOST */
+@@ -1141,7 +1144,7 @@
+       }
+       i = server_port;
+       strcpy (type, server_type);
+-      strcpy (addr, host_name);
++      strcpy (addr, server_address);
+     }           
+ 
+     else {
+@@ -1167,7 +1170,6 @@
+          _("WARNING - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
+          type, addr, i, url, (display_html ? "</A>" : ""));
+ 
+-  server_port = i;
+   strcpy (server_type, type);
+ 
+   free (host_name);
+@@ -1177,7 +1179,18 @@
+   server_address = strdup (addr);
+ 
+   free (server_url);
++  if ((url[0] == '/'))
+   server_url = strdup (url);
++  else if (asprintf(&server_url, "/%s", url) == -1)
++      die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate server_url%s\n"), display_html ? "</A>" : "");
++      free(url);
++      
++      if ((server_port = i) > MAX_PORT)
++          die (STATE_UNKNOWN, _("HTTP UNKNOWN - Redirection to port above %d - %s://%s:%d%s%s\n"),
++               MAX_PORT, server_type, server_address, server_port, server_url, display_html ? "</A>" : "");
++      
++      if (verbose)
++          printf ("Redirection to %s://%s:%d%s\n", server_type, server_address, server_port, server_url);
+ 
+   check_http ();
+ }

debian/patches/CVE-2007-5623.dpatch

@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5623.dpatch by Nico Golde <nion@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad nagios-plugins-1.4.8~/plugins/check_snmp.c nagios-plugins-1.4.8/plugins/check_snmp.c
+--- nagios-plugins-1.4.8~/plugins/check_snmp.c	2007-02-02 10:10:22.000000000 +0100
++++ nagios-plugins-1.4.8/plugins/check_snmp.c	2007-10-28 16:14:48.000000000 +0100
+@@ -217,12 +217,16 @@
+ 
+ 	ptr = output;
+ 
+-	strcat(perfstr, "| ");
++	strncat(perfstr, "| ", sizeof(perfstr)-strlen(perfstr)-1);
+ 	while (ptr) {
+ 		char *foo;
++		unsigned int copylen;
+ 
+ 		foo = strstr (ptr, delimiter);
+-		strncat(perfstr, ptr, foo-ptr);
++		copylen = foo-ptr;
++		if (copylen > sizeof(perfstr)-strlen(perfstr)-1)
++			copylen = sizeof(perfstr)-strlen(perfstr)-1;
++		strncat(perfstr, ptr, copylen);
+ 		ptr = foo; 
+ 
+ 		if (ptr == NULL)
+@@ -351,11 +355,11 @@
+ 
+ 		i++;
+ 
+-		strcat(perfstr, "=");
+-		strcat(perfstr, show);
++		strncat(perfstr, "=", sizeof(perfstr)-strlen(perfstr)-1);
++		strncat(perfstr, show, sizeof(perfstr)-strlen(perfstr)-1);
+ 		if (type)
+-			strcat(perfstr, type);
+-		strcat(perfstr, " ");
++			strncat(perfstr, type, sizeof(perfstr)-strlen(perfstr)-1);
++		strncat(perfstr, " ", sizeof(perfstr)-strlen(perfstr)-1);
+ 
+ 	}	/* end while (ptr) */
+