[zabbix20/el6] Possible remote command injection ZBX-7479 (CVE-2013-6824)
Volker Fröhlich
volter at fedoraproject.org
Tue Dec 3 18:42:17 UTC 2013
commit 9170450ddeaeb36cbfd43ce735ea883bfce12eca
Author: Volker Fröhlich <volker27 at gmx.at>
Date: Tue Dec 3 19:40:56 2013 +0100
Possible remote command injection ZBX-7479 (CVE-2013-6824)
zabbix-2.0.9-ZBX-7479.patch | 83 +++++++++++++++++++++++++++++++++++++++++++
zabbix20.spec | 10 +++++-
2 files changed, 92 insertions(+), 1 deletions(-)
---
diff --git a/zabbix-2.0.9-ZBX-7479.patch b/zabbix-2.0.9-ZBX-7479.patch
new file mode 100644
index 0000000..52cabd4
--- /dev/null
+++ b/zabbix-2.0.9-ZBX-7479.patch
@@ -0,0 +1,83 @@
+Index: src/libs/zbxsysinfo/sysinfo.c
+===================================================================
+--- src/libs/zbxsysinfo/sysinfo.c (revision 40346)
++++ src/libs/zbxsysinfo/sysinfo.c (working copy)
+@@ -267,13 +267,49 @@
+ test_parameter(commands[i].key, PROCESS_TEST | PROCESS_USE_TEST_PARAM);
+ }
+
++static int zbx_check_user_parameter(const char *param, char *error, int max_error_len)
++{
++ const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c;
++ char *buf = NULL;
++ size_t buf_alloc = 128, buf_offset = 0;
++
++ if (0 != CONFIG_UNSAFE_USER_PARAMETERS)
++ return SUCCEED;
++
++ for (c = suppressed_chars; '\0' != *c; c++)
++ {
++ if (NULL == strchr(param, *c))
++ continue;
++
++ buf = zbx_malloc(buf, buf_alloc);
++
++ for (c = suppressed_chars; '\0' != *c; c++)
++ {
++ if (c != suppressed_chars)
++ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");
++
++ if (0 != isprint(*c))
++ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c);
++ else
++ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", *c);
++ }
++
++ zbx_snprintf(error, max_error_len, "special characters \"%s\" are not allowed in the parameters", buf);
++
++ zbx_free(buf);
++
++ return FAIL;
++ }
++
++ return SUCCEED;
++}
++
+ static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_error_len)
+ {
+ int ret = SUCCEED;
+ char buf[MAX_STRING_LEN];
+ char command[MAX_STRING_LEN];
+ char *pl, *pr;
+- const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@", *c;
+
+ assert(out);
+
+@@ -305,25 +341,10 @@
+ {
+ get_param(param, (int)(pr[1] - '0'), buf, sizeof(buf));
+
+- if (0 == CONFIG_UNSAFE_USER_PARAMETERS)
+- {
+- for (c = suppressed_chars; '\0' != *c; c++)
+- {
+- if (NULL != strchr(buf, *c))
+- {
+- zbx_snprintf(error, max_error_len, "Special characters '%s'"
+- " are not allowed in the parameters",
+- suppressed_chars);
+- ret = FAIL;
+- break;
+- }
+- }
+- }
++ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_error_len)))
++ break;
+ }
+
+- if (FAIL == ret)
+- break;
+-
+ zbx_strlcat(out, buf, outlen);
+ outlen -= MIN((int)strlen(buf), (int)outlen);
+
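Review bot: `isprint(*c)` in the inner loop of zbx_check_user_parameter passes a plain `char`; every entry in `suppressed_chars` is currently 7-bit ASCII, so this is latent, but that table is exactly what a maintainer will extend, and a negative `char` value there is undefined behaviour for `isprint` and is sign-extended by the `"0x%02x"` branch. Suggest `if (0 != isprint((unsigned char)*c))` and `zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", (unsigned char)*c);`. The inner loop also reuses the outer loop's `c`, which is only safe because the function returns FAIL unconditionally afterwards; a separate pointer for the inner walk would make that independent of the early return. The new function has no header comment; suggest one stating that it returns SUCCEED when CONFIG_UNSAFE_USER_PARAMETERS is non-zero or `param` contains none of `suppressed_chars`, and otherwise writes the full list of rejected characters (non-printables as hex) into `error` and returns FAIL. In the second hunk, replace_param's loop starts and ends outside the hunk, so whether the removed trailing `if (FAIL == ret) break;` also covered some other path that set `ret = FAIL` cannot be confirmed from here.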
diff --git a/zabbix20.spec b/zabbix20.spec
index b28e732..b01a104 100644
--- a/zabbix20.spec
+++ b/zabbix20.spec
@@ -20,7 +20,7 @@
Name: zabbix20
Version: 2.0.9
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
@@ -55,6 +55,9 @@ Patch1: %{srcname}-2.0.3-fonts-config.patch
Patch2: %{srcname}-2.0.1-no-flash.patch
# adapt for fping3 - https://support.zabbix.com/browse/ZBX-4894
Patch3: %{srcname}-1.8.12-fping3.patch
+# Fix vulnerability for remote command execution injection CVE-2013-6824
+# https://support.zabbix.com/browse/ZBX-7479
+Patch4: %{srcname}-2.0.9-ZBX-7479.patch
BuildRequires: mysql-devel
BuildRequires: postgresql-devel
@@ -272,6 +275,7 @@ Zabbix web frontend for PostgreSQL
%if 0%{?fedora}
%patch3 -p1
%endif
+%patch4 -p0
# Logrotate's su option is currently only available in Fedora
%if 0%{?rhel}
@@ -848,6 +852,10 @@ fi
%files web-pgsql
%changelog
+* Tue Nov 3 2013 Volker Fröhlich <volker27 at gmx.at> - 2.0.9-2
+- Fix vulnerability for remote command execution injection
+ (ZBX-7479, CVE-2013-6824)
+
* Wed Oct 9 2013 Volker Fröhlich <volker27 at gmx.at> - 2.0.9-1
- New upstream release
- Drop obsolete patches ZBX-6804, ZBX-7091, ZBX-6922, ZBX-6992
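Review bot: The new changelog entry is dated `Tue Nov 3 2013`, but the commit itself is dated Tue Dec 3 2013 and 3 November 2013 was a Sunday, so both the month and the day-of-week disagree; the line should read `* Tue Dec 3 2013 Volker Fröhlich <volker27 at gmx.at> - 2.0.9-2`. The `%patch4 -p0` in the build section is consistent with the added patch's `Index:` and `--- src/libs/...` headers, which carry no `a/`/`b/` prefix, unlike the `-p1` used for Patch3.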