From f04c66a1c904411b0459b8e6b55ff6c41803cd0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Fri, 7 Jun 2013 10:11:59 +0200
Subject: [PATCH] Added imginfo format check

Resolves: CVE-2013-2131
---
 rrdtool-1.4.8-imginfo-check.patch | 68 +++++++++++++++++++++++++++++++
 rrdtool.spec | 9 +++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 rrdtool-1.4.8-imginfo-check.patch

diff --git a/rrdtool-1.4.8-imginfo-check.patch b/rrdtool-1.4.8-imginfo-check.patch
new file mode 100644
index 0000000..cd7d104
--- /dev/null
+++ b/rrdtool-1.4.8-imginfo-check.patch
@@ -0,0 +1,68 @@
+diff -up rrdtool-1.4.8/src/rrd_graph.c.orig2 rrdtool-1.4.8/src/rrd_graph.c
+--- rrdtool-1.4.8/src/rrd_graph.c.orig2 2013-05-23 09:55:07.000000000 +0200
++++ rrdtool-1.4.8/src/rrd_graph.c 2013-06-03 15:56:35.820593192 +0200
+@@ -4022,6 +4022,12 @@ rrd_info_t *rrd_graph_v(
+ char *path;
+ char *filename;
+ 
++ if (bad_format_imginfo(im.imginfo)) {
++ rrd_info_free(im.grinfo);
++ im_free(&im);
++ rrd_set_error("bad format for imginfo");
++ return NULL;
++ }
+ path = strdup(im.graphfile);
+ filename = basename(path);
+ info.u_str =
+@@ -4827,6 +4833,51 @@ int bad_format(
+ }
+ 
+ 
++int bad_format_imginfo(
++ char *fmt)
++{
++ char *ptr;
++ int n = 0;
++
++ ptr = fmt;
++ while (*ptr != '\0')
++ if (*ptr++ == '%') {
++
++ /* line cannot end with percent char */
++ if (*ptr == '\0')
++ return 1;
++ /* '%%' is allowed */
++ if (*ptr == '%')
++ ptr++;
++ /* '%s', '%S' are allowed */
++ else if (*ptr == 's' || *ptr == 'S') {
++ n = 1;
++ ptr++;
++ }
++
++ /* or else '% 4lu' and such are allowed */
++ else {
++ /* optional padding character */
++ if (*ptr == ' ')
++ ptr++;
++ /* This should take care of 'm' */
++ while (*ptr >= '0' && *ptr <= '9')
++ ptr++;
++ /* 'lu' must follow here */
++ if (*ptr++ != 'l')
++ return 1;
++ if (*ptr == 'u')
++ ptr++;
++ else
++ return 1;
++ n++;
++ }
++ }
++
++ return (n != 3);
++}
++
++
+ int vdef_parse(
+ struct graph_desc_t
+ *gdes,
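Review bot: `bad_format_imginfo` counts conversions but not their order, so the `n = 1` in the `%s` branch lets formats such as `%lu%s%lu%lu` or `%s%s%lu%lu` reach `n == 3` and pass even though the conversion sequence no longer matches the single string plus two unsigned long arguments the check is evidently written for (the sprintf call itself is outside the hunk, so confirm the argument list there). Making the position explicit closes that gap: in the `%s`/`%S` branch use `if (n != 0) return 1; n = 1;` and in the `%lu` branch `if (n == 0) return 1; n++;`, so exactly one string conversion must come first and exactly two `%lu` after it. Separately, `%S` is the POSIX synonym for `%ls` (wide string), so unless the formatter handles it specially it should not be accepted for a `char *` argument. The new function is called in the 4022 hunk before its definition in the 4833 hunk, so a prototype belongs in the header where `bad_format` is declared, if one was not added there. A Doxygen comment on the definition stating the accepted grammar (a leading `%s`, then two `% [0-9]*lu`, with `%%` as a literal percent, return non-zero on any other conversion) would also make the intent of `return (n != 3)` clear.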
diff --git a/rrdtool.spec b/rrdtool.spec
index 0092b9c..4213d0c 100644
--- a/rrdtool.spec
+++ b/rrdtool.spec
@@ -18,7 +18,7 @@ Summary: Round Robin Database Tool to store and display time-series data
 Name: rrdtool
 Version: 1.4.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ with exceptions
 Group: Applications/Databases
 URL: http://oss.oetiker.ch/rrdtool/
@@ -31,6 +31,8 @@ Patch2: rrdtool-1.4.7-ruby-2-fix.patch
 Patch3: rrdtool-1.4.7-php55.patch
 Patch4: rrdtool-1.4.7-autoconf-fix.patch
 Patch5: rrdtool-1.4.7-lua-5.2.patch
+# patch merged upstream, http://github.com/oetiker/rrdtool-1.x/pull/397
+Patch6: rrdtool-1.4.8-imginfo-check.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: dejavu-sans-mono-fonts
@@ -173,6 +175,7 @@ The %{name}-lua package includes RRDtool bindings for Lua.
 %patch2 -p1 -b .ruby-2-fix
 %patch4 -p1 -b .autoconf-fix
 %patch5 -p1 -b .lua-52
+%patch6 -p1 -b .imginfo-check
 # Fix to find correct python dir on lib64
 %{__perl} -pi -e 's|get_python_lib\(0,0,prefix|get_python_lib\(1,0,prefix|g' \
@@ -386,6 +389,10 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} php -n \
 %endif
 %changelog
+* Fri Jun 7 2013 Jaroslav Škarvada - 1.4.8-2
+- Added imginfo format check
+ Resolves: CVE-2013-2131
+
 * Thu May 23 2013 Jaroslav Škarvada - 1.4.8-1
 - New version
 Resolves: rhbz#966639