Accepting request 264071 from devel:languages:python

1 OBS-URL: https://build.opensuse.org/request/show/264071 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rrdtool?expand=0&rev=57
2014-12-06 12:45:24 +00:00 · 2014-12-06 12:45:24 +00:00 · 2794c42cd1
commit 2794c42cd1
parent ab80ccca49 1910e5c917
3 changed files with 79 additions and 0 deletions
--- a/rrdtool-1.4.7-CVE-2013-2131-imginfo_format_check.patch
+++ b/rrdtool-1.4.7-CVE-2013-2131-imginfo_format_check.patch
@ -0,0 +1,69 @@
+Index: rrdtool-1.4.7/src/rrd_graph.c
+===================================================================
+--- rrdtool-1.4.7.orig/src/rrd_graph.c
+++ rrdtool-1.4.7/src/rrd_graph.c
+@@ -4016,6 +4016,12 @@ rrd_info_t *rrd_graph_v(
+         char     *path;
+         char     *filename;
+ 
+        if (bad_format_imginfo(im.imginfo)) {
+            rrd_info_free(im.grinfo);
+            im_free(&im);
+            rrd_set_error("bad format for imginfo");
+            return NULL;
+        }
+         path = strdup(im.graphfile);
+         filename = basename(path);
+         info.u_str =
+@@ -4820,6 +4826,51 @@ int bad_format(
+ }
+ 
+ 
+int bad_format_imginfo(
+    char *fmt)
+{
+    char     *ptr;
+    int       n = 0;
+
+    ptr = fmt;
+    while (*ptr != '\0')
+        if (*ptr++ == '%') {
+
+            /* line cannot end with percent char */
+            if (*ptr == '\0')
+                return 1;
+            /* '%%' is allowed */
+            if (*ptr == '%')
+                ptr++;
+            /* '%s', '%S' are allowed */
+            else if (*ptr == 's' || *ptr == 'S') {
+                n = 1;
+                ptr++;
+            }
+
+            /* or else '% 4lu' and such are allowed */
+            else {
+                /* optional padding character */
+                if (*ptr == ' ')
+                    ptr++;
+                /* This should take care of 'm' */
+                while (*ptr >= '0' && *ptr <= '9')
+                    ptr++;
+                /* 'lu' must follow here */
+                if (*ptr++ != 'l')
+                    return 1;
+                if (*ptr == 'u')
+                    ptr++;
+                else
+                    return 1;
+                n++;
+            }
+        }
+
+    return (n != 3);
+}
+
+
+ int vdef_parse(
+     struct graph_desc_t
+     *gdes,
--- a/rrdtool.changes
+++ b/rrdtool.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Dec  4 16:40:33 UTC 2014 - kstreitova@suse.com
+
+- add rrdtool-1.4.7-CVE-2013-2131-imginfo_format_check.patch that
+  adds check to the imginfo format to prevent crash or exploit
+  bnc#828003, CVE-2013-2131.
+
 -------------------------------------------------------------------
 Sun Nov 23 06:16:00 UTC 2014 - Led <ledest@gmail.com>

--- a/rrdtool.spec
+++ b/rrdtool.spec
@ -46,6 +46,8 @@ Source:         http://oss.oetiker.ch/rrdtool/pub/rrdtool-%{version}.tar.gz
 Patch1:         rrdtool-lua-ruby_lib64.patch
 Patch2:         rrdtool-tclversion.patch
 Patch3:         rrdtool-tclsegfault.patch
+# PATCH-FIX-UPSTREAM bnc#828003 kstreitova@suse.com -- adds check to the imginfo format to prevent crash or exploit
+Patch4:         rrdtool-1.4.7-CVE-2013-2131-imginfo_format_check.patch
 Source1:        http://www.infodrom.org/projects/cgilib/download/cgilib-%{cgilib_version}.tar.gz
 Patch11:        cgilib-fix_automake.patch
 #PATCH FIX UPSTREAM BNC#793636
@ -154,6 +156,7 @@ daemon was written to alleviate these problems.
 %endif
 %patch2
 %patch3
+%patch4 -p1
 pushd "cgilib-%{cgilib_version}"
 %patch11
 popd #cgilib