SECURITY; add a fix for CVE-2009-2288 (statuswml.cgi uses an unchecked

url parameter in the ping/traceroute command line). "go ahead please, if you think it's correct" sturm@ (maintainer). Users would have to pass webserver authentication (if configured) to trigger this.
2009-08-07 17:18:34 +00:00 · 2009-08-07 17:18:34 +00:00 · ac5cff493b
commit ac5cff493b
parent 59580eb12b
2 changed files with 57 additions and 2 deletions
--- a/net/nagios/nagios/Makefile
+++ b/net/nagios/nagios/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.35 2009/01/10 16:16:21 henning Exp $
+# $OpenBSD: Makefile,v 1.36 2009/08/07 17:18:34 sthen Exp $

 COMMENT-main=	host and service monitor
 COMMENT-web=	cgis and webpages for nagios
@ -6,7 +6,7 @@ COMMENT-web=	cgis and webpages for nagios
 V=		3.0.6
 DISTNAME=	nagios-${V}
 PKGNAME-main=	nagios-${V}p1
-PKGNAME-web=	nagios-web-${V}
+PKGNAME-web=	nagios-web-${V}p0
 CATEGORIES=	net

 HOMEPAGE=	http://www.nagios.org/
--- a/net/nagios/nagios/patches/patch-cgi_statuswml_c
+++ b/net/nagios/nagios/patches/patch-cgi_statuswml_c
@ -0,0 +1,55 @@
+$OpenBSD: patch-cgi_statuswml_c,v 1.2 2009/08/07 17:18:34 sthen Exp $
+
+Fix CVE-2009-2288.
+
+--- cgi/statuswml.c.orig	Sun Nov 30 18:13:11 2008
+++ cgi/statuswml.c	Fri Aug  7 15:15:10 2009
+@@ -67,6 +67,8 @@ extern char     *ping_syntax;
+ void document_header(void);
+ void document_footer(void);
+ int process_cgivars(void);
+int validate_arguments(void);
+int is_valid_hostip(char *hostip);
+ 
+ int display_type=DISPLAY_INDEX;
+ int hostgroup_style=DISPLAY_HOSTGROUP_SUMMARY;
+@@ -108,6 +110,13 @@ int main(void){
+ 
+ 	document_header();
+ 
+	/* validate arguments in URL */
+	result=validate_arguments();
+	if(result==ERROR){
+		document_footer();
+		return ERROR;
+	        }
+	
+ 	/* read the CGI configuration file */
+ 	result=read_cgi_config_file(get_cgi_config_location());
+ 	if(result==ERROR){
+@@ -334,7 +343,25 @@ int process_cgivars(void){
+ 	return error;
+         }
+ 
+int validate_arguments(void){
+	int result=OK;
+	if((strcmp(ping_address,"")) && !is_valid_hostip(ping_address)) {
+		printf("<p>Invalid host name/ip</p>\n");
+		result=ERROR;
+		}
+	if(strcmp(traceroute_address,"") && !is_valid_hostip(traceroute_address)){
+		printf("<p>Invalid host name/ip</p>\n");
+		result=ERROR;
+		}
+	return result;
+	}
+ 
+int is_valid_hostip(char *hostip) {
+	char *valid_domain_chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-";
+	if(strcmp(hostip,"") && strlen(hostip)==strspn(hostip,valid_domain_chars) && hostip[0] != '-' && hostip[strlen(hostip)-1] != '-')
+		return TRUE;
+	return FALSE;
+	}
+ 
+ /* main intro screen */
+ void display_index(void){