Added imginfo format check

Resolves: CVE-2013-2131
Jaroslav Škarvada 2013-06-07 10:11:59 +02:00
parent 8ad8220ce8
commit f04c66a1c9
2 changed files with 76 additions and 1 deletions


@ -0,0 +1,68 @@
diff -up rrdtool-1.4.8/src/rrd_graph.c.orig2 rrdtool-1.4.8/src/rrd_graph.c
--- rrdtool-1.4.8/src/rrd_graph.c.orig2 2013-05-23 09:55:07.000000000 +0200
+++ rrdtool-1.4.8/src/rrd_graph.c 2013-06-03 15:56:35.820593192 +0200
@@ -4022,6 +4022,12 @@ rrd_info_t *rrd_graph_v(
char *path;
char *filename;
+ if (bad_format_imginfo(im.imginfo)) {
+ rrd_info_free(im.grinfo);
+ im_free(&im);
+ rrd_set_error("bad format for imginfo");
+ return NULL;
+ }
path = strdup(im.graphfile);
filename = basename(path);
info.u_str =
@@ -4827,6 +4833,51 @@ int bad_format(
}
+int bad_format_imginfo(
+ char *fmt)
+{
+ char *ptr;
+ int n = 0;
+
+ ptr = fmt;
+ while (*ptr != '\0')
+ if (*ptr++ == '%') {
+
+ /* line cannot end with percent char */
+ if (*ptr == '\0')
+ return 1;
+ /* '%%' is allowed */
+ if (*ptr == '%')
+ ptr++;
+ /* '%s', '%S' are allowed */
+ else if (*ptr == 's' || *ptr == 'S') {
+ n = 1;
+ ptr++;
+ }
+
+ /* or else '% 4lu' and such are allowed */
+ else {
+ /* optional padding character */
+ if (*ptr == ' ')
+ ptr++;
+ /* This should take care of 'm' */
+ while (*ptr >= '0' && *ptr <= '9')
+ ptr++;
+ /* 'lu' must follow here */
+ if (*ptr++ != 'l')
+ return 1;
+ if (*ptr == 'u')
+ ptr++;
+ else
+ return 1;
+ n++;
+ }
+ }
+
+ return (n != 3);
+}
+
+
int vdef_parse(
struct graph_desc_t
*gdes,
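Review bot: In `bad_format_imginfo`, the `%s`/`%S` branch assigns `n = 1` instead of counting, so the closing `return (n != 3);` bounds neither the total number of conversions nor their order: whatever was counted before the last `%s` is discarded, and the format passes as long as exactly two `%lu` follow it. The formatting call that consumes `im.imginfo` lies outside this hunk (after `info.u_str =`), but it presumably passes a fixed argument list, so a format with more conversions than arguments, or with differently typed ones, would still be undefined behaviour, which is the class of bug this check is meant to close. If the intended contract is one string followed by two numbers, enforce position by adding `if (n != 0) return 1;` before `n = 1;` and `if (n != 1 && n != 2) return 1;` before `n++;`. Two smaller points deserve a guard or at least a comment: `%S` denotes a wide-character string in common libcs, which would not match a `char *` filename, and the width loop `while (*ptr >= '0' && *ptr <= '9')` accepts an unbounded field width, so the size of the output buffer (allocated outside the hunk) should be checked against it.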


@ -18,7 +18,7 @@
Summary: Round Robin Database Tool to store and display time-series data Summary: Round Robin Database Tool to store and display time-series data
Name: rrdtool Name: rrdtool
Version: 1.4.8 Version: 1.4.8
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ with exceptions License: GPLv2+ with exceptions
Group: Applications/Databases Group: Applications/Databases
URL: http://oss.oetiker.ch/rrdtool/ URL: http://oss.oetiker.ch/rrdtool/
@ -31,6 +31,8 @@ Patch2: rrdtool-1.4.7-ruby-2-fix.patch
Patch3: rrdtool-1.4.7-php55.patch Patch3: rrdtool-1.4.7-php55.patch
Patch4: rrdtool-1.4.7-autoconf-fix.patch Patch4: rrdtool-1.4.7-autoconf-fix.patch
Patch5: rrdtool-1.4.7-lua-5.2.patch Patch5: rrdtool-1.4.7-lua-5.2.patch
# patch merged upstream, http://github.com/oetiker/rrdtool-1.x/pull/397
Patch6: rrdtool-1.4.8-imginfo-check.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: dejavu-sans-mono-fonts Requires: dejavu-sans-mono-fonts
@ -173,6 +175,7 @@ The %{name}-lua package includes RRDtool bindings for Lua.
%patch2 -p1 -b .ruby-2-fix %patch2 -p1 -b .ruby-2-fix
%patch4 -p1 -b .autoconf-fix %patch4 -p1 -b .autoconf-fix
%patch5 -p1 -b .lua-52 %patch5 -p1 -b .lua-52
%patch6 -p1 -b .imginfo-check
# Fix to find correct python dir on lib64 # Fix to find correct python dir on lib64
%{__perl} -pi -e 's|get_python_lib\(0,0,prefix|get_python_lib\(1,0,prefix|g' \ %{__perl} -pi -e 's|get_python_lib\(0,0,prefix|get_python_lib\(1,0,prefix|g' \
@ -386,6 +389,10 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} php -n \
%endif %endif
%changelog %changelog
* Fri Jun 7 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-2
- Added imginfo format check
Resolves: CVE-2013-2131
* Thu May 23 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-1 * Thu May 23 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-1
- New version - New version
Resolves: rhbz#966639 Resolves: rhbz#966639