1910e5c917
- add rrdtool-1.4.7-CVE-2013-2131-imginfo_format_check.patch that adds check to the imginfo format to prevent crash or exploit bnc#828003, CVE-2013-2131. OBS-URL: https://build.opensuse.org/request/show/264060 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/rrdtool?expand=0&rev=60
Index: rrdtool-1.4.7/src/rrd_graph.c
===================================================================
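--- rrdtool-1.4.7.orig/src/rrd_graph.c
+++ rrdtool-1.4.7/src/rrd_graph.c
@@ -4016,6 +4016,12 @@ rrd_info_t *rrd_graph_v(
 char *path;
 char *filename;
 
+ if (bad_format_imginfo(im.imginfo)) {
+ rrd_info_free(im.grinfo);
+ im_free(&im);
+ rrd_set_error("bad format for imginfo");
+ return NULL;
+ }
 path = strdup(im.graphfile);
 filename = basename(path);
 info.u_str =
@@ -4820,6 +4826,51 @@ int bad_format(
 }
 
 
+int bad_format_imginfo(
+ char *fmt)
+{
+ char *ptr;
+ int n = 0;
+
+ ptr = fmt;
+ while (*ptr != '\0')
+ if (*ptr++ == '%') {
+
+ /* line cannot end with percent char */
+ if (*ptr == '\0')
+ return 1;
+ /* '%%' is allowed */
+ if (*ptr == '%')
+ ptr++;
+ /* '%s', '%S' are allowed */
+ else if (*ptr == 's' || *ptr == 'S') {
+ n = 1;
+ ptr++;
+ }
+
+ /* or else '% 4lu' and such are allowed */
+ else {
+ /* optional padding character */
+ if (*ptr == ' ')
+ ptr++;
+ /* This should take care of 'm' */
+ while (*ptr >= '0' && *ptr <= '9')
+ ptr++;
+ /* 'lu' must follow here */
+ if (*ptr++ != 'l')
+ return 1;
+ if (*ptr == 'u')
+ ptr++;
+ else
+ return 1;
+ n++;
+ }
+ }
+
+ return (n != 3);
+}
+
+
 int vdef_parse(
 struct graph_desc_t
 *gdes,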
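Review bot: The counter `n` in `bad_format_imginfo` does not pin down which conversions appear or in what order, because the `%s` branch assigns `n = 1` instead of counting, so a string with a repeated or late `%s`, or with three `%lu` and no `%s`, still finishes at `n == 3` and is accepted. Assuming the caller formats `im.imginfo` with the file name followed by two unsigned long values (that call sits outside the hunk, after `info.u_str =`), the check should accept exactly that sequence, for example `if (n != 0) return 1;` before `n = 1;` and `if (n == 0 || n == 3) return 1;` before `n++;`. `%S` is accepted as well; if the file name argument is a plain `char *`, the branch should allow only `s`. The patch touches only rrd_graph.c and the new call in `rrd_graph_v` precedes the definition, so a prototype is needed unless one already exists elsewhere.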