Added imginfo format check
Resolves: CVE-2013-2131
parent
8ad8220ce8
commit
f04c66a1c9
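--- a/rrdtool-1.4.8-imginfo-check.patch
+++ b/rrdtool-1.4.8-imginfo-check.patch
@@ -0,0 +1,68 @@
+diff -up rrdtool-1.4.8/src/rrd_graph.c.orig2 rrdtool-1.4.8/src/rrd_graph.c
+--- rrdtool-1.4.8/src/rrd_graph.c.orig2 2013-05-23 09:55:07.000000000 +0200
++++ rrdtool-1.4.8/src/rrd_graph.c 2013-06-03 15:56:35.820593192 +0200
+@@ -4022,6 +4022,12 @@ rrd_info_t *rrd_graph_v(
+char *path;
+char *filename;
+
++ if (bad_format_imginfo(im.imginfo)) {
++ rrd_info_free(im.grinfo);
++ im_free(&im);
++ rrd_set_error("bad format for imginfo");
++ return NULL;
++ }
+path = strdup(im.graphfile);
+filename = basename(path);
+info.u_str =
+@@ -4827,6 +4833,51 @@ int bad_format(
+}
+
+
++int bad_format_imginfo(
++ char *fmt)
++{
++ char *ptr;
++ int n = 0;
++
++ ptr = fmt;
++ while (*ptr != '\0')
++ if (*ptr++ == '%') {
++
++ /* line cannot end with percent char */
++ if (*ptr == '\0')
++ return 1;
++ /* '%%' is allowed */
++ if (*ptr == '%')
++ ptr++;
++ /* '%s', '%S' are allowed */
++ else if (*ptr == 's' || *ptr == 'S') {
++ n = 1;
++ ptr++;
++ }
++
++ /* or else '% 4lu' and such are allowed */
++ else {
++ /* optional padding character */
++ if (*ptr == ' ')
++ ptr++;
++ /* This should take care of 'm' */
++ while (*ptr >= '0' && *ptr <= '9')
++ ptr++;
++ /* 'lu' must follow here */
++ if (*ptr++ != 'l')
++ return 1;
++ if (*ptr == 'u')
++ ptr++;
++ else
++ return 1;
++ n++;
++ }
++ }
++
++ return (n != 3);
++}
++
++
+int vdef_parse(
+struct graph_desc_t
+*gdes,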
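Review bot: In `bad_format_imginfo`, the `%s` branch assigns `n = 1` instead of counting, so the final `n != 3` test checks neither how many conversions the string holds nor their order: repeated `%s`, or `%lu` conversions placed ahead of the `%s`, can still end with `n == 3` and be accepted. The formatting call this check guards lies outside the visible lines of `rrd_graph_v`; assuming it passes one string followed by two integers, such a string would still make printf read arguments of the wrong type or beyond those supplied. I would pin the sequence by adding `if (n != 0) return 1;` ahead of `n = 1;` and `if (n < 1 || n > 2) return 1;` ahead of `n++;`, which is stricter than the current check and rejects formats that lack a leading `%s`. `%S` is also accepted, and on common libcs it denotes a wide string, so it deserves a comment or removal if the argument is a plain `char *`.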
@ -18,7 +18,7 @@
|
||||
Summary: Round Robin Database Tool to store and display time-series data
|
||||
Name: rrdtool
|
||||
Version: 1.4.8
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+ with exceptions
|
||||
Group: Applications/Databases
|
||||
URL: http://oss.oetiker.ch/rrdtool/
|
||||
@ -31,6 +31,8 @@ Patch2: rrdtool-1.4.7-ruby-2-fix.patch
|
||||
Patch3: rrdtool-1.4.7-php55.patch
|
||||
Patch4: rrdtool-1.4.7-autoconf-fix.patch
|
||||
Patch5: rrdtool-1.4.7-lua-5.2.patch
|
||||
# patch merged upstream, http://github.com/oetiker/rrdtool-1.x/pull/397
|
||||
Patch6: rrdtool-1.4.8-imginfo-check.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: dejavu-sans-mono-fonts
|
||||
@ -173,6 +175,7 @@ The %{name}-lua package includes RRDtool bindings for Lua.
|
||||
%patch2 -p1 -b .ruby-2-fix
|
||||
%patch4 -p1 -b .autoconf-fix
|
||||
%patch5 -p1 -b .lua-52
|
||||
%patch6 -p1 -b .imginfo-check
|
||||
|
||||
# Fix to find correct python dir on lib64
|
||||
%{__perl} -pi -e 's|get_python_lib\(0,0,prefix|get_python_lib\(1,0,prefix|g' \
|
||||
@ -386,6 +389,10 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} php -n \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jun 7 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-2
|
||||
- Added imginfo format check
|
||||
Resolves: CVE-2013-2131
|
||||
|
||||
* Thu May 23 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 1.4.8-1
|
||||
- New version
|
||||
Resolves: rhbz#966639
|
||||
|