switch back to the nagios version of NRPE and update to 2.14, including

fix for metacharacter filtering (CVE-2013-1362) which was letting $(...) through, reported by a couple of people. this loses the v6 support but the fork which added this is currently dead.
2013-04-17 15:15:16 +00:00 · 2013-04-17 15:15:16 +00:00 · cf80c9cf32
commit cf80c9cf32
parent c0dcb5f96f
5 changed files with 34 additions and 34 deletions
--- a/net/nagios/nrpe/Makefile
+++ b/net/nagios/nrpe/Makefile
@ -1,12 +1,8 @@
-# $OpenBSD: Makefile,v 1.19 2013/03/11 11:35:49 espie Exp $
+# $OpenBSD: Makefile,v 1.20 2013/04/17 15:15:16 sthen Exp $

 COMMENT=	Nagios Remote Plugin Executor

-# packaged from Icinga git repo.
-DISTNAME=	icinga-nrpe-2.12.20100914
-REVISION=	4
-PKGNAME=	${DISTNAME:S/icinga-//}
-WRKDIST=	${WRKDIR}/icinga-nrpe
+DISTNAME=	nrpe-2.14
 CATEGORIES=	net

 MAINTAINER=	Stuart Henderson <sthen@openbsd.org>
@ -17,12 +13,12 @@ PERMIT_PACKAGE_CDROM=	Yes

 WANTLIB=		c crypto ssl wrap

-MASTER_SITES=	http://spacehopper.org/mirrors/
+MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=nagios/}

 RUN_DEPENDS=	net/nagios/plugins

 CONFIGURE_STYLE= gnu
-CONFIGURE_ARGS+=--enable-command-args \
+CONFIGURE_ARGS+= --enable-command-args \
 		--libexecdir=${LOCALBASE}/libexec/nagios \
 		--with-nrpe-user=_nrpe \
 		--with-nrpe-group=_nrpe \
--- a/net/nagios/nrpe/distinfo
+++ b/net/nagios/nrpe/distinfo
@ -1,5 +1,2 @@
-MD5 (icinga-nrpe-2.12.20100914.tar.gz) = S3fFevjHWdmnhNeon59FSg==
-RMD160 (icinga-nrpe-2.12.20100914.tar.gz) = DmFg7tP0zQmaHgTXAE+Fr/1brko=
-SHA1 (icinga-nrpe-2.12.20100914.tar.gz) = IGpeK2Xnqs9+xust0aWKrJXlwG4=
-SHA256 (icinga-nrpe-2.12.20100914.tar.gz) = fEEX3He6VPrC4XFGmpD7+dFdT6Gy9oL2bmwazKMO34I=
-SIZE (icinga-nrpe-2.12.20100914.tar.gz) = 410907
+SHA256 (nrpe-2.14.tar.gz) = gIx8SoLQrd8VRJZj5HErUBjIu9Zo5GcjE59zHxrERDE=
+SIZE (nrpe-2.14.tar.gz) = 421635
--- a/net/nagios/nrpe/patches/patch-configure
+++ b/net/nagios/nrpe/patches/patch-configure
@ -0,0 +1,12 @@
+$OpenBSD: patch-configure,v 1.4 2013/04/17 15:15:16 sthen Exp $
+--- configure.orig	Wed Apr 17 15:50:17 2013
+++ configure	Wed Apr 17 15:50:54 2013
+@@ -7519,7 +7519,7 @@ $as_echo_n "checking for SSL libraries... " >&6; }
+ 			else
+ 				soext="so"
+ 			fi
+-			if test -f "$dir/libssl.$soext"; then
+			if test -f "$dir/libssl.$soext" -o -f "$dir/libssl.a"; then
+ 				found_ssl=yes
+ 			        break
+ 			fi
--- a/net/nagios/nrpe/patches/patch-sample-config_nrpe_cfg_in
+++ b/net/nagios/nrpe/patches/patch-sample-config_nrpe_cfg_in
@ -1,14 +1,11 @@
-$OpenBSD: patch-sample-config_nrpe_cfg_in,v 1.1 2012/09/05 19:57:42 sthen Exp $
-
- better default loads to warn at (these machines are meant to be doing
-actual work, right?!)
+$OpenBSD: patch-sample-config_nrpe_cfg_in,v 1.2 2013/04/17 15:15:16 sthen Exp $

 - provide a standard check_disk that checks all volumes, apart from hda1
 not existing, it's stupid to check individual FS when they're split up
 as usual with OpenBSD.

--- sample-config/nrpe.cfg.in.orig	Tue Sep 14 16:51:48 2010
-+++ sample-config/nrpe.cfg.in	Wed Sep  5 20:49:28 2012
+--- sample-config/nrpe.cfg.in.orig	Mon Dec 17 13:44:46 2012
+++ sample-config/nrpe.cfg.in	Wed Apr 17 15:35:57 2013
@@ -23,7 +23,7 @@ log_facility=@log_facility@
 # number.  The file is only written if the NRPE daemon is started by the root
 # user and is running in standalone mode.
@ -18,14 +15,12 @@ as usual with OpenBSD.
 
 
 
-@@ -197,8 +197,8 @@ connection_timeout=300
- # The following examples use hardcoded command arguments...
+@@ -218,7 +218,7 @@ connection_timeout=300
 
 command[check_users]=@libexecdir@/check_users -w 5 -c 10
-command[check_load]=@libexecdir@/check_load -w 1.5,1.1,0.9 -c 3.0,2.2,1.9
+ command[check_load]=@libexecdir@/check_load -w 15,10,5 -c 30,25,20
 -command[check_hda1]=@libexecdir@/check_disk -w 20% -c 10% -p /dev/hda1
-+command[check_load]=@libexecdir@/check_load -w 12,8,5 -c 16,12,10
-+command[check_disk]=@libexecdir@/check_disk -w 18% -c 10%
+command[check_disk]=@libexecdir@/check_disk -w 20% -c 10%
 command[check_zombie_procs]=@libexecdir@/check_procs -w 5 -c 10 -s Z
 command[check_total_procs]=@libexecdir@/check_procs -w 150 -c 200 
 
--- a/net/nagios/nrpe/patches/patch-src_nrpe_c
+++ b/net/nagios/nrpe/patches/patch-src_nrpe_c
@ -1,25 +1,25 @@
-$OpenBSD: patch-src_nrpe_c,v 1.5 2011/04/21 11:23:38 sthen Exp $
--- src/nrpe.c.orig	Tue Sep 14 16:51:48 2010
-+++ src/nrpe.c	Thu Apr 21 10:56:51 2011
-@@ -23,6 +23,8 @@
- #include "../include/nrpe.h"
- #include "../include/utils.h"
+$OpenBSD: patch-src_nrpe_c,v 1.6 2013/04/17 15:15:16 sthen Exp $
+--- src/nrpe.c.orig	Fri Dec 21 17:22:00 2012
+++ src/nrpe.c	Wed Apr 17 15:51:14 2013
+@@ -30,6 +30,8 @@
+ #include "utils.h"
+ #include "acl.h"
 
 +#include <poll.h>
 +
 #ifdef HAVE_SSL
 #include "../include/dh.h"
 #endif
-@@ -54,7 +56,7 @@ int     num_listen_socks = 0;
+@@ -54,7 +56,7 @@ int use_ssl=FALSE;
 char    *command_name=NULL;
 char    *macro_argv[MAX_COMMAND_ARGUMENTS];
 
 -char    config_file[MAX_INPUT_BUFFER]="nrpe.cfg";
 +char    config_file[MAX_INPUT_BUFFER]="${SYSCONFDIR}/nrpe.cfg";
 int     log_facility=LOG_DAEMON;
- 
- char    *server_port=DEFAULT_SERVER_PORT;
-@@ -836,8 +838,14 @@ void wait_for_connections(void){
+ int     server_port=DEFAULT_SERVER_PORT;
+ char    server_address[16]="0.0.0.0";
+@@ -891,8 +893,14 @@ void wait_for_connections(void){
 					continue;
 
 				/* socket is nonblocking and we don't have a connection yet */