Added imginfo format check
Resolves: CVE-2013-2131
This commit is contained in:
parent
8ad8220ce8
commit
f04c66a1c9
68
rrdtool-1.4.8-imginfo-check.patch
Normal file
68
rrdtool-1.4.8-imginfo-check.patch
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
diff -up rrdtool-1.4.8/src/rrd_graph.c.orig2 rrdtool-1.4.8/src/rrd_graph.c
|
||||||
|
--- rrdtool-1.4.8/src/rrd_graph.c.orig2 2013-05-23 09:55:07.000000000 +0200
|
||||||
|
+++ rrdtool-1.4.8/src/rrd_graph.c 2013-06-03 15:56:35.820593192 +0200
|
||||||
|
@@ -4022,6 +4022,12 @@ rrd_info_t *rrd_graph_v(
|
||||||
|
char *path;
|
||||||
|
char *filename;
|
||||||
|
|
||||||
|
+ if (bad_format_imginfo(im.imginfo)) {
|
||||||
|
+ rrd_info_free(im.grinfo);
|
||||||
|
+ im_free(&im);
|
||||||
|
+ rrd_set_error("bad format for imginfo");
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
path = strdup(im.graphfile);
|
||||||
|
filename = basename(path);
|
||||||
|
info.u_str =
|
||||||
|
@@ -4827,6 +4833,51 @@ int bad_format(
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
+int bad_format_imginfo(
|
||||||
|
+ char *fmt)
|
||||||
|
+{
|
||||||
|
+ char *ptr;
|
||||||
|
+ int n = 0;
|
||||||
|
+
|
||||||
|
+ ptr = fmt;
|
||||||
|
+ while (*ptr != '\0')
|
||||||
|
+ if (*ptr++ == '%') {
|
||||||
|
+
|
||||||
|
+ /* line cannot end with percent char */
|
||||||
|
+ if (*ptr == '\0')
|
||||||
|
+ return 1;
|
||||||
|
+ /* '%%' is allowed */
|
||||||
|
+ if (*ptr == '%')
|
||||||
|
+ ptr++;
|
||||||
|
+ /* '%s', '%S' are allowed */
|
||||||
|
+ else if (*ptr == 's' || *ptr == 'S') {
|
||||||
|
+ n = 1;
|
||||||
|
+ ptr++;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* or else '% 4lu' and such are allowed */
|
||||||
|
+ else {
|
||||||
|
+ /* optional padding character */
|
||||||
|
+ if (*ptr == ' ')
|
||||||
|
+ ptr++;
|
||||||
|
+ /* This should take care of 'm' */
|
||||||
|
+ while (*ptr >= '0' && *ptr <= '9')
|
||||||
|
+ ptr++;
|
||||||
|
+ /* 'lu' must follow here */
|
||||||
|
+ if (*ptr++ != 'l')
|
||||||
|
+ return 1;
|
||||||
|
+ if (*ptr == 'u')
|
||||||
|
+ ptr++;
|
||||||
|
+ else
|
||||||
|
+ return 1;
|
||||||
|
+ n++;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return (n != 3);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
int vdef_parse(
|
||||||
|
struct graph_desc_t
|
||||||
|
*gdes,
|
@ -18,7 +18,7 @@
|
|||||||
Summary: Round Robin Database Tool to store and display time-series data
|
Summary: Round Robin Database Tool to store and display time-series data
|
||||||
Name: rrdtool
|
Name: rrdtool
|
||||||
Version: 1.4.8
|
Version: 1.4.8
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+ with exceptions
|
License: GPLv2+ with exceptions
|
||||||
Group: Applications/Databases
|
Group: Applications/Databases
|
||||||
URL: http://oss.oetiker.ch/rrdtool/
|
URL: http://oss.oetiker.ch/rrdtool/
|
||||||
@ -31,6 +31,8 @@ Patch2: rrdtool-1.4.7-ruby-2-fix.patch
|
|||||||
Patch3: rrdtool-1.4.7-php55.patch
|
Patch3: rrdtool-1.4.7-php55.patch
|
||||||
Patch4: rrdtool-1.4.7-autoconf-fix.patch
|
Patch4: rrdtool-1.4.7-autoconf-fix.patch
|
||||||
Patch5: rrdtool-1.4.7-lua-5.2.patch
|
Patch5: rrdtool-1.4.7-lua-5.2.patch
|
||||||
|
# patch merged upstream, http://github.com/oetiker/rrdtool-1.x/pull/397
|
||||||
|
Patch6: rrdtool-1.4.8-imginfo-check.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
Requires: dejavu-sans-mono-fonts
|
Requires: dejavu-sans-mono-fonts
|
||||||
@ -173,6 +175,7 @@ The %{name}-lua package includes RRDtool bindings for Lua.
|
|||||||
%patch2 -p1 -b .ruby-2-fix
|
%patch2 -p1 -b .ruby-2-fix
|
||||||
%patch4 -p1 -b .autoconf-fix
|
%patch4 -p1 -b .autoconf-fix
|
||||||
%patch5 -p1 -b .lua-52
|
%patch5 -p1 -b .lua-52
|
||||||
|
%patch6 -p1 -b .imginfo-check
|
||||||
|
|
||||||
# Fix to find correct python dir on lib64
|
# Fix to find correct python dir on lib64
|
||||||
%{__perl} -pi -e 's|get_python_lib\(0,0,prefix|get_python_lib\(1,0,prefix|g' \
|
%{__perl} -pi -e 's|get_python_lib\(0,0,prefix|get_python_lib\(1,0,prefix|g' \
|
||||||
@ -386,6 +389,10 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} php -n \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 7 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-2
|
||||||
|
- Added imginfo format check
|
||||||
|
Resolves: CVE-2013-2131
|
||||||
|
|
||||||
* Thu May 23 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-1
|
* Thu May 23 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-1
|
||||||
- New version
|
- New version
|
||||||
Resolves: rhbz#966639
|
Resolves: rhbz#966639
|
||||||
|
Loading…
Reference in New Issue
Block a user