- add upstream patch for CVE-2012-6096

PR:		175196
Submitted by:	Jarrod Sayers <jarrod@mail.downtools.com.au> (maintainer)
Security:	97c22a94-5b8b-11e2-b131-000c299b62e1

net-mgmt/nagios/Makefile

@@ -3,6 +3,7 @@
 
 PORTNAME=	nagios
 PORTVERSION=	3.4.3
+PORTREVISION=	1
 CATEGORIES=	net-mgmt
 MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}-3.x/${PORTNAME}-${PORTVERSION}
 

net-mgmt/nagios/files/patch-CVE-2012-6096

@@ -0,0 +1,117 @@
+--- cgi/getcgi.c.orig	2011-08-17 17:06:27.000000000 +0930
++++ cgi/getcgi.c	2013-01-11 17:02:53.000000000 +1030
+@@ -137,14 +137,15 @@
+ 		/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
+ 		if(getenv("QUERY_STRING") == NULL) {
+ 			cgiinput = (char *)malloc(1);
+-			if(cgiinput == NULL) {
+-				printf("getcgivars(): Could not allocate memory for CGI input.\n");
+-				exit(1);
+-				}
+-			cgiinput[0] = '\x0';
++			if(cgiinput != NULL) 
++				cgiinput[0] = '\x0';
+ 			}
+ 		else
+ 			cgiinput = strdup(getenv("QUERY_STRING"));
++		if(cgiinput == NULL) {
++			printf("getcgivars(): Could not allocate memory for CGI input.\n");
++			exit(1);
++			}
+ 		}
+ 
+ 	else if(!strcmp(request_method, "POST") || !strcmp(request_method, "PUT")) {
+@@ -220,7 +221,12 @@
+ 	paircount = 0;
+ 	nvpair = strtok(cgiinput, "&");
+ 	while(nvpair) {
+-		pairlist[paircount++] = strdup(nvpair);
++		pairlist[paircount] = strdup(nvpair);
++		if( NULL == pairlist[paircount]) {
++			printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
++			exit(1);
++			}
++		paircount++;
+ 		if(!(paircount % 256)) {
+ 			pairlist = (char **)realloc(pairlist, (paircount + 256) * sizeof(char **));
+ 			if(pairlist == NULL) {
+@@ -245,13 +251,29 @@
+ 		/* get the variable name preceding the equal (=) sign */
+ 		if((eqpos = strchr(pairlist[i], '=')) != NULL) {
+ 			*eqpos = '\0';
+-			unescape_cgi_input(cgivars[i * 2 + 1] = strdup(eqpos + 1));
++			cgivars[i * 2 + 1] = strdup(eqpos + 1);
++			if( NULL == cgivars[ i * 2 + 1]) {
++				printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
++				exit(1);
++				}
++			unescape_cgi_input(cgivars[i * 2 + 1]);
++			}
++		else {
++			cgivars[i * 2 + 1] = strdup("");
++			if( NULL == cgivars[ i * 2 + 1]) {
++				printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
++				exit(1);
++				}
++			unescape_cgi_input(cgivars[i * 2 + 1]);
+ 			}
+-		else
+-			unescape_cgi_input(cgivars[i * 2 + 1] = strdup(""));
+ 
+ 		/* get the variable value (or name/value of there was no real "pair" in the first place) */
+-		unescape_cgi_input(cgivars[i * 2] = strdup(pairlist[i]));
++		cgivars[i * 2] = strdup(pairlist[i]);
++		if( NULL == cgivars[ i * 2]) {
++			printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
++			exit(1);
++			}
++		unescape_cgi_input(cgivars[i * 2]);
+ 		}
+ 
+ 	/* terminate the name-value list */
+--- cgi/history.c.orig	2011-08-17 17:06:27.000000000 +0930
++++ cgi/history.c	2013-01-11 17:03:18.000000000 +1030
+@@ -805,16 +805,22 @@
+ 			else if(display_type == DISPLAY_HOSTS) {
+ 
+ 				if(history_type == HOST_HISTORY || history_type == SERVICE_HISTORY) {
+-					sprintf(match1, " HOST ALERT: %s;", host_name);
+-					sprintf(match2, " SERVICE ALERT: %s;", host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE ALERT: %s;", host_name);
+ 					}
+ 				else if(history_type == HOST_FLAPPING_HISTORY || history_type == SERVICE_FLAPPING_HISTORY) {
+-					sprintf(match1, " HOST FLAPPING ALERT: %s;", host_name);
+-					sprintf(match2, " SERVICE FLAPPING ALERT: %s;", host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST FLAPPING ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE FLAPPING ALERT: %s;", host_name);
+ 					}
+ 				else if(history_type == HOST_DOWNTIME_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY) {
+-					sprintf(match1, " HOST DOWNTIME ALERT: %s;", host_name);
+-					sprintf(match2, " SERVICE DOWNTIME ALERT: %s;", host_name);
++					snprintf(match1, sizeof( match1), 
++							" HOST DOWNTIME ALERT: %s;", host_name);
++					snprintf(match2, sizeof( match2), 
++							" SERVICE DOWNTIME ALERT: %s;", host_name);
+ 					}
+ 
+ 				if(show_all_hosts == TRUE)
+@@ -853,11 +859,11 @@
+ 			else if(display_type == DISPLAY_SERVICES) {
+ 
+ 				if(history_type == SERVICE_HISTORY)
+-					sprintf(match1, " SERVICE ALERT: %s;%s;", host_name, svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
+ 				else if(history_type == SERVICE_FLAPPING_HISTORY)
+-					sprintf(match1, " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
+ 				else if(history_type == SERVICE_DOWNTIME_HISTORY)
+-					sprintf(match1, " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
++					snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
+ 
+ 				if(strstr(temp_buffer, match1) && (history_type == SERVICE_HISTORY || history_type == SERVICE_FLAPPING_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY))
+ 					display_line = TRUE;