authorRobin H. Johnson <robbat2@gentoo.org>2014-04-19 17:06:23 +0000
committerRobin H. Johnson <robbat2@gentoo.org>2014-04-19 17:06:23 +0000
commit89fda152d076369340658317ad8e2eae83786332 (patch)
tree1ea8616001cf77d4d1ce9850a4933fd4d89035ed /net-analyzer/nrpe
parentVersion bump; remove old; remove Matt from metadata (diff)
Bump, include a fix that I wrote for security bug 508122.
(Portage version: 2.2.8-r1/cvs/Linux x86_64, unsigned Manifest commit)
Diffstat (limited to 'net-analyzer/nrpe')
-rw-r--r--net-analyzer/nrpe/ChangeLog12
-rw-r--r--net-analyzer/nrpe/files/nrpe-2.15-autoconf-header.patch24
-rw-r--r--net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch26
-rw-r--r--net-analyzer/nrpe/files/nrpe-2.15-tcpd-et-al.patch50
-rw-r--r--net-analyzer/nrpe/nrpe-2.15.ebuild127
5 files changed, 237 insertions, 2 deletions
diff --git a/net-analyzer/nrpe/ChangeLog b/net-analyzer/nrpe/ChangeLog
index 16e8ff7fef38..608a29fd69a3 100644
--- a/net-analyzer/nrpe/ChangeLog
+++ b/net-analyzer/nrpe/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for net-analyzer/nrpe
-# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/nrpe/ChangeLog,v 1.22 2013/03/09 19:09:06 ago Exp $
+# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/nrpe/ChangeLog,v 1.23 2014/04/19 17:06:23 robbat2 Exp $
+
+*nrpe-2.15 (19 Apr 2014)
+
+ 19 Apr 2014; Robin H. Johnson <robbat2@gentoo.org>
+ +files/nrpe-2.15-autoconf-header.patch,
+ +files/nrpe-2.15-metachar-security-fix.patch,
+ +files/nrpe-2.15-tcpd-et-al.patch, +nrpe-2.15.ebuild:
+ Bump, include a fix that I wrote for security bug 508122.
09 Mar 2013; Agostino Sarubbo <ago@gentoo.org> nrpe-2.14.ebuild:
Stable for sparc, wrt bug #459870
diff --git a/net-analyzer/nrpe/files/nrpe-2.15-autoconf-header.patch b/net-analyzer/nrpe/files/nrpe-2.15-autoconf-header.patch
new file mode 100644
index 000000000000..81078c449713
--- /dev/null
+++ b/net-analyzer/nrpe/files/nrpe-2.15-autoconf-header.patch
@@ -0,0 +1,24 @@
+diff -Nuar --exclude '*.orig' nrpe-2.15.orig/configure.in nrpe-2.15/configure.in
+--- nrpe-2.15.orig/configure.in 2013-09-06 08:27:13.000000000 -0700
++++ nrpe-2.15/configure.in 2014-04-19 09:32:52.251766643 -0700
+@@ -6,7 +6,8 @@
+
+ AC_INIT([nrpe],[2.15],[nagios-users@lists.sourceforge.net],[nrpe],[http://www.nagios.org])
+ AC_CONFIG_SRCDIR([src/nrpe.c])
+-AC_CONFIG_HEADERS([include/config.h])
++AC_CONFIG_HEADERS([include/autoconf.h])
+ AC_CONFIG_FILES([Makefile
++ include/config.h
+ subst
+ src/Makefile
+diff -Nuar --exclude '*.orig' nrpe-2.15.orig/include/config.h.in nrpe-2.15/include/config.h.in
+--- nrpe-2.15.orig/include/config.h.in 2013-09-06 08:27:13.000000000 -0700
++++ nrpe-2.15/include/config.h.in 2014-04-19 09:33:07.620035056 -0700
+@@ -26,6 +26,7 @@
+
+ #include <stdio.h>
+ #include <stdlib.h>
++#include "autoconf.h"
+
+
+ #define DEFAULT_SERVER_PORT @nrpe_port@ /* default port to use */
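Review bot: The new `#include "autoconf.h"` in include/config.h.in is placed after `<stdio.h>` and `<stdlib.h>`, so any feature-test macros the generated header carries would have no effect on those two headers; the usual convention is to include the autoconf-generated header before any system header. Moving the include above `#include <stdio.h>` costs nothing and avoids a subtle mismatch if configure.in later gains AC_SYS_LARGEFILE or AC_USE_SYSTEM_EXTENSIONS. Whether autoconf.h defines any such macro today is not visible in this hunk.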
diff --git a/net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch b/net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch
new file mode 100644
index 000000000000..c42f8bfdec00
--- /dev/null
+++ b/net-analyzer/nrpe/files/nrpe-2.15-metachar-security-fix.patch
@@ -0,0 +1,26 @@
+Disallow all control characters in argument handling.
+
+This closes a security hole that allowed passing commands via the argument
+handling, if a newline was used to seperate the argument from the rest of the
+command.
+
+X-URL: http://www.exploit-db.com/exploits/32925/
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+--
+I didn't find any patches from upstream NRPE, so I wrote this quick one.
+If somebody else has a valid use for control characters in NRPE arguments, then
+this could be relaxed slightly.
+
+diff -Nuar --exclude '*.orig' nrpe-2.15.orig/src/nrpe.c nrpe-2.15/src/nrpe.c
+--- nrpe-2.15.orig/src/nrpe.c 2014-04-19 09:37:16.022373910 -0700
++++ nrpe-2.15/src/nrpe.c 2014-04-19 09:46:53.237458939 -0700
+@@ -53,7 +53,7 @@
+
+ #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */
+ #define MAXFD 64
+-#define NASTY_METACHARS "|`&><'\"\\[]{};"
++#define NASTY_METACHARS "|`&><'\"\\[]{};\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
+ #define howmany(x,y) (((x)+((y)-1))/(y))
+ #define MAX_LISTEN_SOCKS 16
+
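Review bot: The widened NASTY_METACHARS literal on the `+#define` line carries no explanation of why 0x01–0x1F and 0x7F were added; the rationale lives only in the patch preamble, which is gone once the patch is applied. A comment on the macro such as `/* also reject every ASCII control char (incl. CR/LF/TAB): a newline inside an argument could otherwise split off a second command, Gentoo bug 508122 */` keeps it with the code. Note that 0x00 cannot appear in a C string literal, so whatever check consumes this macro (not in the hunk, presumably a strpbrk/strchr-style scan) stops at an embedded NUL rather than rejecting it; worth confirming the receive path bounds the buffer before that scan. Tab (0x09) is in the list as well, which matches the preamble's "all control characters" wording but will reject any argument containing a tab.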
diff --git a/net-analyzer/nrpe/files/nrpe-2.15-tcpd-et-al.patch b/net-analyzer/nrpe/files/nrpe-2.15-tcpd-et-al.patch
new file mode 100644
index 000000000000..b8a0811b831c
--- /dev/null
+++ b/net-analyzer/nrpe/files/nrpe-2.15-tcpd-et-al.patch
@@ -0,0 +1,50 @@
+diff -Nuar --exclude '*.orig' nrpe-2.15.orig/configure.in nrpe-2.15/configure.in
+--- nrpe-2.15.orig/configure.in 2013-09-06 08:27:13.000000000 -0700
++++ nrpe-2.15/configure.in 2014-04-19 09:20:50.406150828 -0700
+@@ -45,7 +45,7 @@
+ AC_HEADER_STDC
+ AC_HEADER_TIME
+ AC_HEADER_SYS_WAIT
+-AC_CHECK_HEADERS(ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h tcpd.h unistd.h arpa/inet.h netinet/in.h socket.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h)
++AC_CHECK_HEADERS(ctype.h dirent.h errno.h fcntl.h getopt.h grp.h inttypes.h netdb.h pwd.h signal.h stdint.h strings.h string.h syslog.h unistd.h arpa/inet.h netinet/in.h socket.h sys/types.h sys/time.h sys/resource.h sys/wait.h sys/socket.h sys/stat.h)
+
+ dnl Checks for typedefs, structures, and compiler characteristics.
+ AC_C_CONST
+@@ -164,11 +164,20 @@
+ AC_CHECK_LIB(nsl,main,SOCKETLIBS="$SOCKETLIBS -lnsl")
+ AC_CHECK_LIB(socket,socket,SOCKETLIBS="$SOCKETLIBS -lsocket")
+ AC_SUBST(SOCKETLIBS)
+-AC_CHECK_LIB(wrap,main,[
+- LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
++
++AC_ARG_ENABLE([tcp-wrapper],
++ AS_HELP_STRING([--disable-tcp-wrapper], [Disable building with TCP wrappers. *** DISABLING IS A SECURITY RISK! *** Read the SECURITY file before using this option! @<:@default=enable@:>@]))
++
++LIBWRAPLIBS=""
++AS_IF([test "x$enable_tcp_wrapper" != "xno"], [
++ AC_CHECK_LIB([wrap],[hosts_access],[
++ LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
+ AC_DEFINE(HAVE_LIBWRAP,[1],[Have the TCP wrappers library])
+- ])
++ AC_DEFINE(HAVE_TCPD_H,[1],[Have the TCP wrappers library])
++ ])
++])
+ AC_SUBST(LIBWRAPLIBS)
++
+ AC_CHECK_FUNCS(strdup strstr strtoul initgroups closesocket)
+
+ dnl socklen_t check - from curl
+@@ -440,8 +449,11 @@
+ AC_SUBST(TARGET_PLATFORM)
+
+ AC_ARG_ENABLE([command-args],
+- AS_HELP_STRING([--enable-command-args],[allows clients to specify command arguments. *** THIS IS A SECURITY RISK! *** Read the SECURITY file before using this option!]),
+- AC_DEFINE_UNQUOTED(ENABLE_COMMAND_ARGUMENTS,[1],[Enable command-line arguments]))
++ AS_HELP_STRING([--enable-command-args],[allows clients to specify command arguments. *** THIS IS A SECURITY RISK! *** Read the SECURITY file before using this option!]))
++
++AS_IF([test "x$enable_command_args" = "xyes"], [
++ AC_DEFINE(ENABLE_COMMAND_ARGUMENTS,[1],[Enable command-line arguments])
++])
+
+ AC_ARG_ENABLE([bash-command-substitution],
+ AS_HELP_STRING([--enable-bash-command-substitution],[allows clients to pass bash command substitutions of the form $(command). *** THIS IS A HIGH SECURITY RISK! *** Read the SECURITY file before using this option!]),
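Review bot: `AC_DEFINE(HAVE_TCPD_H,[1],[Have the TCP wrappers library])` in the new AS_IF block defines HAVE_TCPD_H on the strength of the `hosts_access` link test alone, while the first hunk drops tcpd.h from AC_CHECK_HEADERS, so nothing verifies the header is actually present, and the description string is a copy of the HAVE_LIBWRAP one. Replacing that line with `AC_CHECK_HEADERS([tcpd.h])` inside the AC_CHECK_LIB success action restores the header check and yields the same macro with a correct description. The enclosing configure.in continues outside the hunk.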
diff --git a/net-analyzer/nrpe/nrpe-2.15.ebuild b/net-analyzer/nrpe/nrpe-2.15.ebuild
new file mode 100644
index 000000000000..769bf31fe2a6
--- /dev/null
+++ b/net-analyzer/nrpe/nrpe-2.15.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/nrpe/nrpe-2.15.ebuild,v 1.1 2014/04/19 17:06:23 robbat2 Exp $
+
+EAPI=4
+
+inherit eutils toolchain-funcs multilib user autotools
+
+DESCRIPTION="Nagios Remote Plugin Executor"
+HOMEPAGE="http://www.nagios.org/"
+SRC_URI="mirror://sourceforge/nagios/${P}.tar.gz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="command-args ssl tcpd minimal"
+
+DEPEND="ssl? ( dev-libs/openssl )
+ !minimal? ( tcpd? ( sys-apps/tcp-wrappers ) )"
+RDEPEND="${DEPEND}
+ !minimal? ( >=net-analyzer/nagios-plugins-1.3.0 )"
+
+pkg_setup() {
+ enewgroup nagios
+ enewuser nagios -1 /bin/bash /dev/null nagios
+
+ elog "If you plan to use \"nrpe_check_control\" then you may want to specify"
+ elog "different command and services files. You can override the defaults"
+ elog "through the \"NAGIOS_COMMAND_FILE\" and \"NAGIOS_SERVICES_FILE\" environment variables."
+ elog "NAGIOS_COMMAND_FILE=${NAGIOS_COMMAND_FILE:-/var/rw/nagios.cmd}"
+ elog "NAGIOS_SERVICES_FILE=${NAGIOS_SERVICES_FILE:-/etc/services.cfg}"
+}
+
+src_prepare() {
+ # Add support for large output,
+ # http://opsview-blog.opsera.com/dotorg/2008/08/enhancing-nrpe.html
+ epatch "${FILESDIR}"/${PN}-2.14-multiline.patch
+ # fix configure, among others #326367, #397603
+ epatch "${FILESDIR}"/${PN}-2.15-tcpd-et-al.patch
+ # otherwise autoconf will overwrite the custom include/config.h.in
+ epatch "${FILESDIR}"/${PN}-2.15-autoconf-header.patch
+ # improve handling of metachars for security
+ epatch "${FILESDIR}"/${PN}-2.15-metachar-security-fix.patch
+
+ sed -i -e '/define \(COMMAND\|SERVICES\)_FILE/d' contrib/nrpe_check_control.c || die
+
+ # change the default location of the pid file
+ sed -i -e '/pid_file/s:/var/run:/run:' sample-config/nrpe.cfg.in || die
+
+ # fix TFU handling of autoheader
+ sed -i -e '/#undef/d' include/config.h.in || die
+
+ eautoreconf
+}
+
+src_configure() {
+ local myconf
+ if use minimal; then
+ myconf="--disable-tcp-wrapper --disable-command-args"
+ else
+ myconf="$(use_enable tcpd tcp-wrapper) $(use_enable command-args)"
+ fi
+
+ econf \
+ --libexecdir=/usr/$(get_libdir)/nagios/plugins \
+ --localstatedir=/var/nagios \
+ --sysconfdir=/etc/nagios \
+ --with-nrpe-user=nagios \
+ --with-nrpe-group=nagios \
+ $(use_enable ssl) \
+ ${myconf}
+}
+
+src_compile() {
+ emake -C src check_nrpe $(use minimal || echo nrpe)
+
+ # Add nifty nrpe check tool
+ $(tc-getCC) ${CPPFLAGS} ${CFLAGS} \
+ -DCOMMAND_FILE=\"${NAGIOS_COMMAND_FILE:-/var/rw/nagios.cmd}\" \
+ -DSERVICES_FILE=\"${NAGIOS_SERVICES_FILE:-/etc/services.cfg}\" \
+ ${LDFLAGS} -o nrpe_check_control contrib/nrpe_check_control.c || die
+}
+
+src_install() {
+ dodoc LEGAL Changelog README SECURITY \
+ contrib/README.nrpe_check_control \
+ $(use ssl && echo README.SSL)
+
+ exeinto /usr/$(get_libdir)/nagios/plugins
+ doexe src/check_nrpe nrpe_check_control
+
+ use minimal && return 0
+
+ ## NON-MINIMAL INSTALL FOLLOWS ##
+
+ insinto /etc/nagios
+ newins sample-config/nrpe.cfg nrpe.cfg
+ fowners root:nagios /etc/nagios/nrpe.cfg
+ fperms 0640 /etc/nagios/nrpe.cfg
+
+ exeinto /usr/libexec
+ doexe src/nrpe
+
+ newinitd "${FILESDIR}"/nrpe.init nrpe
+
+ insinto /etc/xinetd.d/
+ newins "${FILESDIR}/nrpe.xinetd.2" nrpe
+
+ if use tcpd; then
+ sed -i -e '/^reload()/, /^}/ d' -e '/extra_started_commands/s:reload::' \
+ "${D}"/etc/init.d/nrpe
+ fi
+}
+
+pkg_postinst() {
+ elog "If you are using the nrpe daemon, remember to edit"
+ elog "the config file /etc/nagios/nrpe.cfg"
+
+ if use command-args ; then
+ ewarn ""
+ ewarn "You have enabled command-args for NRPE. This enables"
+ ewarn "the ability for clients to supply arguments to commands"
+ ewarn "which should be run. "
+ ewarn "THIS IS CONSIDERED A SECURITY RISK!"
+ ewarn "Please read /usr/share/doc/${PF}/SECURITY.bz2 for more info"
+ fi
+}
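Review bot: pkg_postinst warns only about command-args, yet src_configure also passes `--disable-tcp-wrapper` when USE=tcpd is off (and the tcpd-et-al patch's help string labels that a security risk), so a non-minimal build without tcpd gets no hint that host-based access control is absent. Adding `if ! use minimal && ! use tcpd; then ewarn "nrpe was built without TCP wrappers; restrict access to the nrpe port by other means (allowed_hosts in nrpe.cfg or a firewall)."; fi` next to the existing command-args block would surface that at install time. Separately, the `SECURITY.bz2` path in the last ewarn assumes bzip2 doc compression, which is decided by the portage configuration rather than this ebuild; naming the doc directory instead avoids a stale pointer.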