raw | patch | inline | side by side (parent: d06be70)
author | Sebastian Harl <sh@tokkee.org> | Fri, 25 Apr 2014 18:43:48 +0000 (20:43 +0200)
committer | Sebastian Harl <sh@tokkee.org> | Fri, 25 Apr 2014 18:43:48 +0000 (20:43 +0200)
This is an upstream patch fixing a format string vulnerability in rrdgraph.
Thanks to Henri Salo for reporting this!
Closes: #708866
Raised urgency to medium for this.
debian/changelog
debian/patches/CVE-2013-2131 [new file with mode: 0644]
debian/patches/series
diff --git a/debian/changelog b/debian/changelog
index 555fd8c9e56a8c4066b8fe5f86f33dd5652ffd0d..3488ead425663b68d0574033e40957e080930831 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
-rrdtool (1.4.8-1) UNRELEASED; urgency=low
+rrdtool (1.4.8-1) UNRELEASED; urgency=medium
* Fixed changelog of 1.4.7-2 regarding the versioned build-dep on tcl-dev.
* Merged 1.4.7-2.1 NMU; thanks to Christian Hofstaedtler (Closes: 736333).
+ * debian/patches:
+ - Added CVE-2013-2131; upstream patch fixing a format string vulnerability
+ in rrdgraph; thanks to Henri Salo for reporting this (Closes: #708866).
+ Raised urgency to medium for this.
-- Sebastian Harl <tokkee@debian.org> Sat, 18 Aug 2012 15:53:54 +0200
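Review bot: the new changelog entry calls CVE-2013-2131 an upstream patch but does not name the upstream commit it was taken from, and the patch file added in this same commit starts directly at its `diff --git` line with no header. Add the upstream commit id or URL, for example as an Origin field at the top of debian/patches/CVE-2013-2131 together with a Bug-Debian reference to #708866, so the backport can be compared against upstream later.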
diff --git a/debian/patches/CVE-2013-2131 b/debian/patches/CVE-2013-2131
--- /dev/null
@@ -0,0 +1,69 @@
+diff --git a/src/rrd_graph.c b/src/rrd_graph.c
+index 25ae485..e714e4f 100644
+--- a/src/rrd_graph.c
++++ b/src/rrd_graph.c
+@@ -4144,6 +4144,12 @@ rrd_info_t *rrd_graph_v(
+ char *path;
+ char *filename;
+
++ if (bad_format_imginfo(im.imginfo)) {
++ rrd_info_free(im.grinfo);
++ im_free(&im);
++ rrd_set_error("bad format for imginfo");
++ return NULL;
++ }
+ path = strdup(im.graphfile);
+ filename = basename(path);
+ info.u_str =
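Review bot: in the rrd_graph_v hunk, `bad_format_imginfo(im.imginfo)` is called with no NULL check in the visible lines, and the new function reads `*ptr` on its first loop test, so a NULL `im.imginfo` would crash here rather than produce the "bad format for imginfo" error. If the enclosing block (not shown in this context) does not already test `im.imginfo`, make sure the call is only reached when it is set. The error text could also state which conversions are accepted, so a user whose existing --imginfo string is now rejected can see why.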
+@@ -4961,6 +4967,51 @@ int bad_format(
+ }
+
+
++int bad_format_imginfo(
++ char *fmt)
++{
++ char *ptr;
++ int n = 0;
++
++ ptr = fmt;
++ while (*ptr != '\0')
++ if (*ptr++ == '%') {
++
++ /* line cannot end with percent char */
++ if (*ptr == '\0')
++ return 1;
++ /* '%%' is allowed */
++ if (*ptr == '%')
++ ptr++;
++ /* '%s', '%S' are allowed */
++ else if (*ptr == 's' || *ptr == 'S') {
++ n = 1;
++ ptr++;
++ }
++
++ /* or else '% 4lu' and such are allowed */
++ else {
++ /* optional padding character */
++ if (*ptr == ' ')
++ ptr++;
++ /* This should take care of 'm' */
++ while (*ptr >= '0' && *ptr <= '9')
++ ptr++;
++ /* 'lu' must follow here */
++ if (*ptr++ != 'l')
++ return 1;
++ if (*ptr == 'u')
++ ptr++;
++ else
++ return 1;
++ n++;
++ }
++ }
++
++ return (n != 3);
++}
++
++
+ int vdef_parse(
+ struct graph_desc_t
+ *gdes,
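Review bot: in bad_format_imginfo, the `%s`/`%S` branch assigns `n = 1` while the `%lu` branch does `n++`, so the final `return (n != 3)` does not limit the string to three conversions. Any conversions counted before a `%s` are forgotten, and a string with three `%lu` and no `%s` at all also passes. The purpose of the check is to keep the format in step with the arguments the caller supplies, so count the two kinds separately (exactly one string conversion, exactly two `%lu`) and reject everything else. A short comment stating the accepted grammar would help too, since "This should take care of 'm'" does not say what 'm' refers to.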
diff --git a/debian/patches/series b/debian/patches/series
index 76fd6d3aa26f1227b112a9e593b895633a5e9e45..0420162b2a0c339ae8d3b7d6a6564377db1e67f6 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
tcl-8.5
ruby_bindings_format_string.patch
bts664724-rrdcached-j-segfault
+CVE-2013-2131