[zabbix/el6] Backport patch for CVE-2012-6086, Insecure use of libcurl API

Sun Aug 4 16:30:53 UTC 2013

commit 19640d55179ab74b23e9bde6818aa9e2889c1c59
Author: Volker Fröhlich <volker27 at gmx.at>
Date:   Sun Aug 4 18:29:52 2013 +0200

    Backport patch for CVE-2012-6086, Insecure use of libcurl API

 zabbix-1.8.17-ZBX-5924.patch |   13 +++++++++++++
 zabbix.spec                  |   11 ++++++++++-
 2 files changed, 23 insertions(+), 1 deletions(-)
---

diff --git a/zabbix-1.8.17-ZBX-5924.patch b/zabbix-1.8.17-ZBX-5924.patch
new file mode 100644
index 0000000..9469450
--- /dev/null
+++ b/zabbix-1.8.17-ZBX-5924.patch
@@ -0,0 +1,13 @@
+Index: src/libs/zbxmedia/eztexting.c
+===================================================================
+--- src/libs/zbxmedia/eztexting.c	(revision 37340)
++++ src/libs/zbxmedia/eztexting.c	(revision 37454)
+@@ -205,7 +205,7 @@
+ 			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_WRITEFUNCTION, WRITEFUNCTION2)) ||
+ 			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_HEADERFUNCTION, HEADERFUNCTION2)) ||
+ 			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYPEER, 1)) ||
+-			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYHOST, 1)) ||
++			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYHOST, 2)) ||
+ 			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POSTFIELDS, postfields)) ||
+ 			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POST, 1)) ||
+ 			CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_URL, EZ_TEXTING_API_URL)) ||
diff --git a/zabbix.spec b/zabbix.spec
index 6d52910..f478fc0 100644
--- a/zabbix.spec
+++ b/zabbix.spec
@@ -7,7 +7,7 @@
 
 Name:           zabbix
 Version:        1.8.17
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Open-source monitoring solution for your IT infrastructure
 
 Group:          Applications/Internet
@@ -30,6 +30,11 @@ Patch1:         zabbix-1.8.4-fonts-config.patch
 # remove flash content (#737337)
 Patch2:         zabbix-1.8.8-no-flash.patch
 
+# Insecure use of libcurl API, CVE-2012-6086
+# https://support.zabbix.com/browse/ZBX-5924
+# Solved in 1.8.18
+Patch3:         zabbix-1.8.17-ZBX-5924.patch
+
 Buildroot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:   mysql-devel
@@ -296,6 +301,7 @@ rm -rf bin
 # remove flash applet
 rm -f frontend/php/images/flash/zbxclock.swf
 %patch2 -p1
+%patch3 -p0
 
 
 %build
@@ -613,6 +619,9 @@ fi
 
 
 %changelog
+* Sun Aug 04 2013 Volker Fröhlich <volker27 at gmx.at> - 1.8.17-2
+- Backport fix for CVE-2012-6086
+
 * Fri Jul 26 2013 Volker Fröhlich <volker27 at gmx.at> - 1.8.17-1
 - New upstream release
 - Shorten spec file changelog
