diff -Nru nagios3-3.5.1.dfsg/debian/changelog nagios3-3.5.1.dfsg/debian/changelog
--- nagios3-3.5.1.dfsg/debian/changelog 2017-03-31 20:28:22.000000000 +0100
+++ nagios3-3.5.1.dfsg/debian/changelog 2017-05-10 22:55:38.000000000 +0100
@@ -1,3 +1,11 @@
+nagios3 (3.5.1.dfsg-2.1ubuntu1.2) xenial; urgency=medium
+
+ * debian/patches/fix_permissions_for_hostgroups_reports.patch: Fix
+ permissions for hostgroups reports. Thanks to John C. Frickson
+ <jfrickson@nagios.com>. Closes LP: #1686768.
+
+ -- Aaron B. Russell <aaron@unadopted.co.uk> Wed, 10 May 2017 22:43:53 +0100
+
nagios3 (3.5.1.dfsg-2.1ubuntu1.1) xenial-security; urgency=medium
* SECURITY UPDATE: off-by-one errors leading to DoS or info disclosure
diff -Nru nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch
--- nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch 1970-01-01 01:00:00.000000000 +0100
+++ nagios3-3.5.1.dfsg/debian/patches/fix_permissions_for_hostgroups_reports.patch 2017-05-10 22:43:13.000000000 +0100
@@ -0,0 +1,57 @@
+Description: Fix permissions for hostgroups reports
+ .
+ Fixes a bug where users could view other servers in the hostgroup
+ even if those servers were not associated to the user's contactgroup.
+ http://tracker.nagios.org/view.php?id=619 (LP: #1686768).
+ .
+Author: John C. Frickson <jfrickson@nagios.com>
+Origin: upstream, https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07f
+Bug: http://tracker.nagios.org/view.php?id=619
+Bug-Ubuntu: https://launchpad.net/bugs/1686768
+
+--- nagios3-3.5.1.dfsg.orig/cgi/status.c
++++ nagios3-3.5.1.dfsg/cgi/status.c
+@@ -3606,6 +3606,10 @@ void show_hostgroup_overview(hostgroup *
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* find the host status */
+ temp_hoststatus = find_hoststatus(temp_host->name);
+ if(temp_hoststatus == NULL)
+@@ -3989,6 +3993,10 @@ void show_hostgroup_host_totals_summary(
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* find the host status */
+ temp_hoststatus = find_hoststatus(temp_host->name);
+ if(temp_hoststatus == NULL)
+@@ -4160,6 +4168,10 @@ void show_hostgroup_service_totals_summa
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* see if this service is associated with a host in the specified hostgroup */
+ if(is_host_member_of_hostgroup(temp_hostgroup, temp_host) == FALSE)
+ continue;
+@@ -4515,6 +4527,10 @@ void show_hostgroup_grid(hostgroup *temp
+ if(temp_host == NULL)
+ continue;
+
++ /* make sure user has rights to view this host */
++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE)
++ continue;
++
+ /* grab macros */
+ grab_host_macros_r(mac, temp_host);
+
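Review bot: In the third inner hunk (`show_hostgroup_service_totals_summary`) the new guard is a host-level check inside what the context comment suggests is a per-service tally, so a contact authorized for a service but not for its host would presumably have that service dropped from the totals. Please confirm this is intended, or whether a per-service authorization check in the rest of the loop (outside the hunk) is the right gate there. The same guard is repeated verbatim in four functions whose bodies all start and end outside the hunks, so it is not visible here whether every hostgroup view in `status.c` is covered; a comment such as `/* authorization must come before any status lookup or counting for this host */` would make the ordering requirement explicit for future edits. Separately, `¤t_authdata` on this page looks like an HTML-entity rendering of `&current_authdata`, so the patch should be taken from the upstream commit rather than copied from this listing.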
diff -Nru nagios3-3.5.1.dfsg/debian/patches/series nagios3-3.5.1.dfsg/debian/patches/series
--- nagios3-3.5.1.dfsg/debian/patches/series 2017-03-31 20:28:16.000000000 +0100
+++ nagios3-3.5.1.dfsg/debian/patches/series 2017-05-10 22:51:32.000000000 +0100
@@ -12,3 +12,4 @@
CVE-2013-7xxx.patch
CVE-2014-1878.patch
CVE-2016-9566.patch
+fix_permissions_for_hostgroups_reports.patch