[zabbix/el6] Backport patch for CVE-2012-6086, Insecure use of libcurl API
Volker Fröhlich
volter at fedoraproject.org
Sun Aug 4 16:30:53 UTC 2013
commit 19640d55179ab74b23e9bde6818aa9e2889c1c59
Author: Volker Fröhlich <volker27 at gmx.at>
Date: Sun Aug 4 18:29:52 2013 +0200
Backport patch for CVE-2012-6086, Insecure use of libcurl API
zabbix-1.8.17-ZBX-5924.patch | 13 +++++++++++++
zabbix.spec | 11 ++++++++++-
2 files changed, 23 insertions(+), 1 deletions(-)
---
diff --git a/zabbix-1.8.17-ZBX-5924.patch b/zabbix-1.8.17-ZBX-5924.patch
new file mode 100644
index 0000000..9469450
--- /dev/null
+++ b/zabbix-1.8.17-ZBX-5924.patch
@@ -0,0 +1,13 @@
+Index: src/libs/zbxmedia/eztexting.c
+===================================================================
+--- src/libs/zbxmedia/eztexting.c (revision 37340)
++++ src/libs/zbxmedia/eztexting.c (revision 37454)
+@@ -205,7 +205,7 @@
+ CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_WRITEFUNCTION, WRITEFUNCTION2)) ||
+ CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_HEADERFUNCTION, HEADERFUNCTION2)) ||
+ CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYPEER, 1)) ||
+- CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYHOST, 1)) ||
++ CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYHOST, 2)) ||
+ CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POSTFIELDS, postfields)) ||
+ CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POST, 1)) ||
+ CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_URL, EZ_TEXTING_API_URL)) ||
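Review bot: The backported line passes `CURLOPT_SSL_VERIFYHOST, 2` as an int through curl_easy_setopt's variadic parameter, while libcurl documents this option (like the neighbouring CURLOPT_SSL_VERIFYPEER and CURLOPT_POST in the context lines) as taking a `long`; the documented form is `CURLOPT_SSL_VERIFYHOST, 2L`. Since the file is a verbatim backport of the upstream ZBX-5924 change, this is worth raising upstream rather than altering in the Fedora patch. The 1 -> 2 change itself is the substantive fix: with 1 libcurl only checked that the peer certificate carried a Common Name, without comparing it to the host being contacted, so the old value left the TLS connection open to a certificate issued for a different name. The enclosing function in eztexting.c starts and ends outside the nested hunk, so whether a CA bundle is configured for the CURLOPT_SSL_VERIFYPEER check cannot be confirmed from here.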
diff --git a/zabbix.spec b/zabbix.spec
index 6d52910..f478fc0 100644
--- a/zabbix.spec
+++ b/zabbix.spec
@@ -7,7 +7,7 @@
Name: zabbix
Version: 1.8.17
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
@@ -30,6 +30,11 @@ Patch1: zabbix-1.8.4-fonts-config.patch
# remove flash content (#737337)
Patch2: zabbix-1.8.8-no-flash.patch
+# Insecure use of libcurl API, CVE-2012-6086
+# https://support.zabbix.com/browse/ZBX-5924
+# Solved in 1.8.18
+Patch3: zabbix-1.8.17-ZBX-5924.patch
+
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: mysql-devel
@@ -296,6 +301,7 @@ rm -rf bin
# remove flash applet
rm -f frontend/php/images/flash/zbxclock.swf
%patch2 -p1
+%patch3 -p0
%build
@@ -613,6 +619,9 @@ fi
%changelog
+* Sun Aug 04 2013 Volker Fröhlich <volker27 at gmx.at> - 1.8.17-2
+- Backport fix for CVE-2012-6086
+
* Fri Jul 26 2013 Volker Fröhlich <volker27 at gmx.at> - 1.8.17-1
- New upstream release
- Shorten spec file changelog