From: Sebastian Harl Date: Fri, 25 Apr 2014 18:43:48 +0000 (+0200) Subject: patches: Added CVE-2013-2131. X-Git-Tag: debian/1.4.8-1~13 X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=9abcef955da722c92524c98055125b76ddf78db3;p=pkg-rrdtool.git patches: Added CVE-2013-2131. This is an upstream patch fixing a format string vulnerability in rrdgraph. Thanks to Henri Salo for reporting this! Closes: #708866 Raised urgency to medium for this. --- diff --git a/debian/changelog b/debian/changelog index 555fd8c..3488ead 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,11 @@ -rrdtool (1.4.8-1) UNRELEASED; urgency=low +rrdtool (1.4.8-1) UNRELEASED; urgency=medium * Fixed changelog of 1.4.7-2 regarding the versioned build-dep on tcl-dev. * Merged 1.4.7-2.1 NMU; thanks to Christian Hofstaedtler (Closes: 736333). + * debian/patches: + - Added CVE-2013-2131; upstream patch fixing a format string vulnerability + in rrdgraph; thanks to Henri Salo for reporting this (Closes: #708866). + Raised urgency to medium for this. -- Sebastian Harl Sat, 18 Aug 2012 15:53:54 +0200 diff --git a/debian/patches/CVE-2013-2131 b/debian/patches/CVE-2013-2131 new file mode 100644 index 0000000..b0b576b --- /dev/null +++ b/debian/patches/CVE-2013-2131 @@ -0,0 +1,69 @@ +diff --git a/src/rrd_graph.c b/src/rrd_graph.c +index 25ae485..e714e4f 100644 +--- a/src/rrd_graph.c ++++ b/src/rrd_graph.c +@@ -4144,6 +4144,12 @@ rrd_info_t *rrd_graph_v( + char *path; + char *filename; + ++ if (bad_format_imginfo(im.imginfo)) { ++ rrd_info_free(im.grinfo); ++ im_free(&im); ++ rrd_set_error("bad format for imginfo"); ++ return NULL; ++ } + path = strdup(im.graphfile); + filename = basename(path); + info.u_str = +@@ -4961,6 +4967,51 @@ int bad_format( + } + + ++int bad_format_imginfo( ++ char *fmt) ++{ ++ char *ptr; ++ int n = 0; ++ ++ ptr = fmt; ++ while (*ptr != '\0') ++ if (*ptr++ == '%') { ++ ++ /* line cannot end with percent char */ ++ if (*ptr == '\0') ++ return 1; ++ /* '%%' is allowed */ ++ if (*ptr == '%') ++ ptr++; ++ /* '%s', '%S' are allowed */ ++ else if (*ptr == 's' || *ptr == 'S') { ++ n = 1; ++ ptr++; ++ } ++ ++ /* or else '% 4lu' and such are allowed */ ++ else { ++ /* optional padding character */ ++ if (*ptr == ' ') ++ ptr++; ++ /* This should take care of 'm' */ ++ while (*ptr >= '0' && *ptr <= '9') ++ ptr++; ++ /* 'lu' must follow here */ ++ if (*ptr++ != 'l') ++ return 1; ++ if (*ptr == 'u') ++ ptr++; ++ else ++ return 1; ++ n++; ++ } ++ } ++ ++ return (n != 3); ++} ++ ++ + int vdef_parse( + struct graph_desc_t + *gdes, diff --git a/debian/patches/series b/debian/patches/series index 76fd6d3..0420162 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ bts530814-hurd tcl-8.5 ruby_bindings_format_string.patch bts664724-rrdcached-j-segfault +CVE-2013-2131