diff -u nagios2-2.11/debian/changelog nagios2-2.11/debian/changelog
--- nagios2-2.11/debian/changelog
+++ nagios2-2.11/debian/changelog
@@ -1,3 +1,9 @@
+nagios2 (2.11-1ubuntu2) hardy; urgency=low
+
+ * Fixes XSS issues in CGI scripts (CVE-2007-5803) (LP: #238516)
+
+ -- Thierry Carrez Mon, 09 Jun 2008 14:14:04 +0200
+
 nagios2 (2.11-1ubuntu1) hardy; urgency=low
 * debian/nagios2-common.nagios2.init
diff -u nagios2-2.11/debian/patches/00list nagios2-2.11/debian/patches/00list
--- nagios2-2.11/debian/patches/00list
+++ nagios2-2.11/debian/patches/00list
@@ -2,0 +3 @@
+30_CVE_2007_5803.dpatch
only in patch2:
unchanged:
--- nagios2-2.11.orig/debian/patches/30_CVE_2007_5803.dpatch
+++ nagios2-2.11/debian/patches/30_CVE_2007_5803.dpatch
@@ -0,0 +1,614 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 30_CVE_2007_5803.dpatch by Thierry Carrez +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad nagios2-2.11~/cgi/avail.c nagios2-2.11/cgi/avail.c +--- nagios2-2.11~/cgi/avail.c 2007-10-21 16:39:51.000000000 +0200 ++++ nagios2-2.11/cgi/avail.c 2008-06-09 14:12:00.000000000 +0200 +@@ -511,11 +511,11 @@ + if(display_type==DISPLAY_HOSTGROUP_AVAIL) + printf("\n",hostgroup_name); + if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL) +- printf("\n",host_name); ++ printf("\n",url_encode(host_name)); + if(display_type==DISPLAY_SERVICE_AVAIL) + printf("\n",svc_description); + if(display_type==DISPLAY_SERVICEGROUP_AVAIL) +- printf("\n",servicegroup_name); ++ printf("\n",url_encode(servicegroup_name)); + + printf("\n",(assume_initial_states==TRUE)?"yes":"no"); + printf("\n",(assume_state_retention==TRUE)?"yes":"no"); +@@ -646,11 +646,11 @@ + if(display_type==DISPLAY_HOSTGROUP_AVAIL) + printf("\n",hostgroup_name); + if(display_type==DISPLAY_HOST_AVAIL || display_type==DISPLAY_SERVICE_AVAIL) +- printf("\n",host_name); ++ printf("\n",url_encode(host_name)); + if(display_type==DISPLAY_SERVICE_AVAIL) + printf("\n",svc_description); + if(display_type==DISPLAY_SERVICEGROUP_AVAIL) +- printf("\n",servicegroup_name); ++ printf("\n",url_encode(servicegroup_name)); + + printf("\n"); + +diff -urNad nagios2-2.11~/cgi/cgiutils.c nagios2-2.11/cgi/cgiutils.c +--- nagios2-2.11~/cgi/cgiutils.c 2007-11-10 22:45:35.000000000 +0100 ++++ nagios2-2.11/cgi/cgiutils.c 2008-06-09 14:12:00.000000000 +0200 +@@ -128,7 +128,7 @@ + char *my_strtok_buffer=NULL; + char *original_my_strtok_buffer=NULL; + +-char encoded_url_string[MAX_INPUT_BUFFER]; ++char encoded_url_string[2][MAX_INPUT_BUFFER]; // 2 to be able use url_encode twice + char encoded_html_string[MAX_INPUT_BUFFER]; + + #ifdef HAVE_TZNAME +@@ -1297,46 +1297,48 @@ + int len,output_len; + int x,y; 
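Review bot: Both avail.c hunks (at 511 and 646) leave `hostgroup_name` and `svc_description` going into printf unencoded, in the lines directly beside the two that gain `url_encode()`. If those values come from the request the same way `host_name` and `servicegroup_name` do, they are still an injection point and should get the same treatment, e.g. `url_encode(svc_description)` as the histogram.c and trends.c hunks of this patch do. The enclosing function starts and ends outside both hunks, and the format strings are lost in this rendering, so the output context of each value should be confirmed against the source file.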
+ char temp_expansion[4]; ++ static int i = 0; ++ char* str = encoded_url_string[i]; + + len=(int)strlen(input); +- output_len=(int)sizeof(encoded_url_string); ++ output_len=(int)sizeof(encoded_url_string[0]); + +- encoded_url_string[0]='\x0'; ++ str[0]='\x0'; + + for(x=0,y=0;x<=len && y='0' && (char)input[x]<='9') || ((char)input[x]>='A' && (char)input[x]<='Z') || ((char)input[x]>=(char)'a' && (char)input[x]<=(char)'z') || (char)input[x]==(char)'.' || (char)input[x]==(char)'-' || (char)input[x]==(char)'_'){ +- encoded_url_string[y]=input[x]; ++ str[y]=input[x]; + y++; + } + + /* spaces are pluses */ + else if((char)input[x]<=(char)' '){ +- encoded_url_string[y]='+'; ++ str[y]='+'; + y++; + } + + /* anything else gets represented by its hex value */ + else{ +- encoded_url_string[y]='\x0'; +- if((int)strlen(encoded_url_string)<(output_len-3)){ ++ str[y]='\x0'; ++ if((int)strlen(str)<(output_len-3)){ + sprintf(temp_expansion,"%%%02X",(unsigned int)input[x]); +- strcat(encoded_url_string,temp_expansion); ++ strcat(str,temp_expansion); + y+=3; + } + } + } + +- encoded_url_string[sizeof(encoded_url_string)-1]='\x0'; ++ str[sizeof(encoded_url_string[0])-1]='\x0'; + +- return &encoded_url_string[0]; ++ return str; + } + + +diff -urNad nagios2-2.11~/cgi/cmd.c nagios2-2.11/cgi/cmd.c +--- nagios2-2.11~/cgi/cmd.c 2007-10-21 16:39:51.000000000 +0200 ++++ nagios2-2.11/cgi/cmd.c 2008-06-09 14:12:00.000000000 +0200 +@@ -949,10 +949,10 @@ + printf(""); + printf("\n"); + printf("\n"); + printf("\n"); + break; + +@@ -975,10 +975,10 @@ + printf(""); + printf("\n"); + printf("\n"); + printf("\n"); + break; + +@@ -1158,10 +1158,10 @@ + printf("",service_desc); + } + printf("\n"); + printf("\n"); + + printf("\n"); +@@ -1290,10 +1290,10 @@ + printf("\n"); + } + printf("\n"); + printf("\n"); + time(&t); + get_time_string(&t,buffer,sizeof(buffer)-1,SHORT_DATE_TIME); +diff -urNad nagios2-2.11~/cgi/histogram.c nagios2-2.11/cgi/histogram.c +--- nagios2-2.11~/cgi/histogram.c 2007-10-21 
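Review bot: `static int i = 0;` picks the slot with `encoded_url_string[i]`, but no visible line of the cgiutils.c hunk at 1297 ever changes `i`, and the header's net of two added lines (46 to 48) is already used up by the two new declarations. If that is so, every call returns the same buffer, and the statuswml.c lines in this patch that pass `url_encode(host_name),url_encode(service_desc)` to one printf would print the last-encoded value in both places. Part of the loop is missing from this rendering, so confirm against the real patch; if the toggle is absent, add `i=!i;` right after `str` is assigned. Two slots also cap any single statement at two live results, which deserves a comment beside the array declaration.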
16:39:51.000000000 +0200 ++++ nagios2-2.11/cgi/histogram.c 2008-06-09 14:12:00.000000000 +0200 +@@ -406,9 +406,9 @@ + printf("\n",HISTOGRAM_CGI); + printf("\n",(unsigned long)t1); + printf("\n",(unsigned long)t2); +- printf("\n",host_name); ++ printf("\n",url_encode(host_name)); + if(display_type==DISPLAY_SERVICE_HISTOGRAM) +- printf("\n",svc_description); ++ printf("\n",url_encode(svc_description)); + + + printf("\n"); +@@ -788,9 +788,9 @@ + + printf("
Author (Your Name):"); +- printf("",comment_author); ++ printf("",url_encode(comment_author)); + printf("
Comment:"); +- printf("",comment_data); ++ printf("",url_encode(comment_data)); + printf("
Author (Your Name):"); +- printf("",comment_author); ++ printf("",url_encode(comment_author)); + printf("
Comment:"); +- printf("",comment_data); ++ printf("",url_encode(comment_data)); + printf("
Author (Your Name):"); +- printf("",comment_author); ++ printf("",url_encode(comment_author)); + printf("
Comment:"); +- printf("",comment_data); ++ printf("",url_encode(comment_data)); + printf("

Author (Your Name):"); +- printf("",comment_author); ++ printf("",url_encode(comment_author)); + printf("
Comment:"); +- printf("",comment_data); ++ printf("",url_encode(comment_data)); + printf("
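Review bot: In the cmd.c hunks (949, 975, 1158, 1290) `url_encode(comment_author)` and `url_encode(comment_data)` sit next to the "Author (Your Name):" and "Comment:" labels, which suggests they pre-fill form fields rather than build links. A URL-encoded field value is shown to the operator with `+` and `%XX` in it and is encoded again on submit, so the stored comment would differ from what was typed. If these are field values, the HTML-escaping routine that owns `encoded_html_string` in cgiutils.c is the matching encoder. The format strings are stripped here, so confirm the context in the source before changing it.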
Report period:Assume state retention:
\n"); + printf("\n",HISTOGRAM_CGI); +- printf("\n",host_name); ++ printf("\n",url_encode(host_name)); + if(display_type==DISPLAY_SERVICE_HISTOGRAM) +- printf("\n",svc_description); ++ printf("\n",url_encode(svc_description)); + + printf("\n"); + printf("
Report Period:\n"); +diff -urNad nagios2-2.11~/cgi/history.c nagios2-2.11/cgi/history.c +--- nagios2-2.11~/cgi/history.c 2007-11-10 22:45:35.000000000 +0100 ++++ nagios2-2.11/cgi/history.c 2008-06-09 14:12:00.000000000 +0200 +@@ -201,9 +201,9 @@ + + printf("\n"); + printf("\n",HISTORY_CGI); +- printf("\n",(show_all_hosts==TRUE)?"all":host_name); ++ printf("\n",(show_all_hosts==TRUE)?"all":url_encode(host_name)); + if(display_type==DISPLAY_SERVICES) +- printf("\n",svc_description); ++ printf("\n",url_encode(svc_description)); + printf("\n",log_archive); + + printf("\n"); +diff -urNad nagios2-2.11~/cgi/notifications.c nagios2-2.11/cgi/notifications.c +--- nagios2-2.11~/cgi/notifications.c 2007-11-10 22:45:35.000000000 +0100 ++++ nagios2-2.11/cgi/notifications.c 2008-06-09 14:12:00.000000000 +0200 +@@ -212,11 +212,11 @@ + printf("
\n"); + printf("\n",NOTIFICATIONS_CGI); + if(query_type==FIND_SERVICE){ +- printf("\n",query_host_name); +- printf("\n",query_svc_description); ++ printf("\n",url_encode(query_host_name)); ++ printf("\n",url_encode(query_svc_description)); + } + else +- printf("\n",(query_type==FIND_HOST)?"host":"contact",(query_type==FIND_HOST)?query_host_name:query_contact_name); ++ printf("\n",(query_type==FIND_HOST)?"host":"contact",url_encode((query_type==FIND_HOST)?query_host_name:query_contact_name)); + printf("\n",log_archive); + printf("\n"); + if(query_type==FIND_SERVICE) +diff -urNad nagios2-2.11~/cgi/status.c nagios2-2.11/cgi/status.c +--- nagios2-2.11~/cgi/status.c 2007-11-10 22:45:35.000000000 +0100 ++++ nagios2-2.11/cgi/status.c 2008-06-09 14:12:00.000000000 +0200 +@@ -821,11 +821,11 @@ + printf("\n"); +@@ -833,11 +833,11 @@ + printf("\n"); +@@ -845,11 +845,11 @@ + printf("\n"); +@@ -857,11 +857,11 @@ + printf("\n"); +@@ -869,11 +869,11 @@ + printf("\n"); +@@ -910,11 +910,11 @@ + printf("\n"); +@@ -922,11 +922,11 @@ + printf("\n"); + +@@ -1035,11 +1035,11 @@ + printf("
"); + printf("",host_status_types); + printf("Ok"); + printf("",host_status_types); + printf("Warning"); + printf("",host_status_types); + printf("Unknown"); + printf("",host_status_types); + printf("Critical"); + printf("",host_status_types); + printf("Pending"); + printf("",host_status_types); + printf("All Problems"); + printf("",host_status_types); + printf("All Types"); + printf(""); + printf(""); + printf(""); + printf(""); + printf(""); + printf("\n"); + printf("
\n"); + printf("\n",STATUSMAP_CGI); +- printf("\n",host_name); ++ printf("\n",url_encode(host_name)); + printf("\n",layout_method); + + printf("\n"); +diff -urNad nagios2-2.11~/cgi/statuswml.c nagios2-2.11/cgi/statuswml.c +--- nagios2-2.11~/cgi/statuswml.c 2007-10-21 16:39:52.000000000 +0200 ++++ nagios2-2.11/cgi/statuswml.c 2008-06-09 14:12:00.000000000 +0200 +@@ -621,7 +621,7 @@ + printf("\n"); + printf("

\n"); + +- printf("Status Overview

\n",STATUSWML_CGI,hostgroup_name); ++ printf("Status Overview

\n",STATUSWML_CGI,url_encode(hostgroup_name)); + + /* check all hostgroups */ + for(temp_hostgroup=hostgroup_list;temp_hostgroup!=NULL;temp_hostgroup=temp_hostgroup->next){ +@@ -704,7 +704,7 @@ + printf("\n"); + printf("

\n"); + +- printf("Status Summary

\n",STATUSWML_CGI,hostgroup_name); ++ printf("Status Summary

\n",STATUSWML_CGI,url_encode(hostgroup_name)); + + /* check all hostgroups */ + for(temp_hostgroup=hostgroup_list;temp_hostgroup!=NULL;temp_hostgroup=temp_hostgroup->next){ +@@ -926,7 +926,7 @@ + + printf("

\n"); + printf("
\n"); +- printf("View Services\n",STATUSWML_CGI,host_name); ++ printf("View Services\n",STATUSWML_CGI,url_encode(host_name)); + printf("Host Commands\n"); + printf("

\n"); + +@@ -945,23 +945,23 @@ + printf("Acknowledge Problem\n"); + + if(temp_hoststatus->checks_enabled==FALSE) +- printf("Enable Host Checks
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_CHECK,CMDMODE_COMMIT); ++ printf("Enable Host Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_CHECK,CMDMODE_COMMIT); + else +- printf("Disable Host Checks
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_CHECK,CMDMODE_COMMIT); ++ printf("Disable Host Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_CHECK,CMDMODE_COMMIT); + + if(temp_hoststatus->notifications_enabled==FALSE) +- printf("Enable Host Notifications
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); ++ printf("Enable Host Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); + else +- printf("Disable Host Notifications
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); ++ printf("Disable Host Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_NOTIFICATIONS,CMDMODE_COMMIT); + + +- printf("Enable All Service Checks
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); ++ printf("Enable All Service Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); + +- printf("Disable All Service Checks
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); ++ printf("Disable All Service Checks
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_SVC_CHECKS,CMDMODE_COMMIT); + +- printf("Enable All Service Notifications
\n",COMMAND_CGI,host_name,CMD_ENABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); ++ printf("Enable All Service Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_ENABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + +- printf("Disable All Service Notifications
\n",COMMAND_CGI,host_name,CMD_DISABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); ++ printf("Disable All Service Notifications
\n",COMMAND_CGI,url_encode(host_name),CMD_DISABLE_HOST_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + + printf("

\n"); + +@@ -981,7 +981,7 @@ + printf("\n"); + + printf("\n"); +- printf("\n",COMMAND_CGI,host_name,CMD_ACKNOWLEDGE_HOST_PROBLEM,CMDMODE_COMMIT); ++ printf("\n",COMMAND_CGI,url_encode(host_name),CMD_ACKNOWLEDGE_HOST_PROBLEM,CMDMODE_COMMIT); + printf("\n"); + + printf("

\n"); +@@ -1001,7 +1001,7 @@ + /**** MAIN SCREEN (CARD 1) ****/ + printf("\n"); + printf("

\n"); +- printf("Host '%s' Services
\n",host_name,host_name,STATUSWML_CGI,host_name); ++ printf("Host '%s' Services
\n",url_encode(host_name),host_name,STATUSWML_CGI,url_encode(host_name)); + + printf("\n"); + +@@ -1142,7 +1142,7 @@ + + printf("
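Review bot: The new printf in the statuswml.c hunk at 1001 still passes a bare `host_name` as its second argument, between two `url_encode(host_name)` calls, so one copy of the request-supplied name is written out unescaped. If that slot is displayed text rather than part of a link, URL encoding is the wrong tool for it and the value needs markup escaping instead; either way it should not stay raw. The format string is stripped in this rendering, so which slot is a title, card text or href cannot be told from here. The enclosing function is outside the hunk.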
\n"); + printf("
\n"); +- printf("View Host\n",STATUSWML_CGI,host_name); ++ printf("View Host\n",STATUSWML_CGI,url_encode(host_name)); + printf("Svc. Commands\n"); + printf("

\n"); + +@@ -1158,16 +1158,16 @@ + printf("Acknowledge Problem\n"); + + if(temp_servicestatus->checks_enabled==FALSE) +- printf("Enable Checks
\n",COMMAND_CGI,host_name,service_desc,CMD_ENABLE_SVC_CHECK,CMDMODE_COMMIT); ++ printf("Enable Checks
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_ENABLE_SVC_CHECK,CMDMODE_COMMIT); + else{ +- printf("Disable Checks
\n",COMMAND_CGI,host_name,service_desc,CMD_DISABLE_SVC_CHECK,CMDMODE_COMMIT); +- printf("Schedule Immediate Check
\n",COMMAND_CGI,host_name,service_desc,(unsigned long)current_time,CMD_SCHEDULE_SVC_CHECK,CMDMODE_COMMIT); ++ printf("Disable Checks
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_DISABLE_SVC_CHECK,CMDMODE_COMMIT); ++ printf("Schedule Immediate Check
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),(unsigned long)current_time,CMD_SCHEDULE_SVC_CHECK,CMDMODE_COMMIT); + } + + if(temp_servicestatus->notifications_enabled==FALSE) +- printf("Enable Notifications
\n",COMMAND_CGI,host_name,service_desc,CMD_ENABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); ++ printf("Enable Notifications
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_ENABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + else +- printf("Disable Notifications
\n",COMMAND_CGI,host_name,service_desc,CMD_DISABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); ++ printf("Disable Notifications
\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_DISABLE_SVC_NOTIFICATIONS,CMDMODE_COMMIT); + + printf("

\n"); + +@@ -1187,7 +1187,7 @@ + printf("\n"); + + printf("\n"); +- printf("\n",COMMAND_CGI,host_name,service_desc,CMD_ACKNOWLEDGE_SVC_PROBLEM,CMDMODE_COMMIT); ++ printf("\n",COMMAND_CGI,url_encode(host_name),url_encode(service_desc),CMD_ACKNOWLEDGE_SVC_PROBLEM,CMDMODE_COMMIT); + printf("\n"); + + printf("

\n"); +diff -urNad nagios2-2.11~/cgi/trends.c nagios2-2.11/cgi/trends.c +--- nagios2-2.11~/cgi/trends.c 2007-10-21 16:39:52.000000000 +0200 ++++ nagios2-2.11/cgi/trends.c 2008-06-09 14:12:00.000000000 +0200 +@@ -451,9 +451,9 @@ + printf("\n"); + printf("\n",(unsigned long)t1); + printf("\n",(unsigned long)t2); +- printf("\n",host_name); ++ printf("\n",url_encode(host_name)); + if(display_type==DISPLAY_SERVICE_TRENDS) +- printf("\n",svc_description); ++ printf("\n",url_encode(svc_description)); + + printf("\n",(assume_initial_states==TRUE)?"yes":"no"); + printf("\n",(assume_state_retention==TRUE)?"yes":"no"); +@@ -897,9 +897,9 @@ + + printf("\n"); + printf("\n",TRENDS_CGI); +- printf("\n",host_name); ++ printf("\n",url_encode(host_name)); + if(display_type==DISPLAY_SERVICE_TRENDS) +- printf("\n",svc_description); ++ printf("\n",url_encode(svc_description)); + + printf("\n"); + printf("
Report period:\n");