diff options
Diffstat (limited to 'net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch')
| -rw-r--r-- | net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch | 26 |
1 files changed, 0 insertions, 26 deletions
diff --git a/net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch b/net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch deleted file mode 100644 index c42f8bfdec00..000000000000 --- a/net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch +++ /dev/null @@ -1,26 +0,0 @@ -Disallow all control characters in argument handling. - -This closes a security hole that allowed passing commands via the argument -handling, if a newline was used to seperate the argument from the rest of the -command. - -X-URL: http://www.exploit-db.com/exploits/32925/ -Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> - --- -I didn't find any patches from upstream NRPE, so I wrote this quick one. -If somebody else has a valid use for control characters in NRPE arguments, then -this could be relaxed slightly. - -diff -Nuar --exclude '*.orig' nrpe-2.15.orig/src/nrpe.c nrpe-2.15/src/nrpe.c ---- nrpe-2.15.orig/src/nrpe.c 2014-04-19 09:37:16.022373910 -0700 -+++ nrpe-2.15/src/nrpe.c 2014-04-19 09:46:53.237458939 -0700 -@@ -53,7 +53,7 @@ - - #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */ - #define MAXFD 64 --#define NASTY_METACHARS "|`&><'\"\\[]{};" -+#define NASTY_METACHARS "|`&><'\"\\[]{};\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" - #define howmany(x,y) (((x)+((y)-1))/(y)) - #define MAX_LISTEN_SOCKS 16 - |