[zabbix/el6] Possible remote command injection ZBX-7479 (CVE-2013-6824)
Volker Fröhlich
volter at fedoraproject.org
Wed Dec 4 00:01:53 UTC 2013
commit 8f91f24e8b12e3981eb3bc209529b4b06cc82184
Author: Volker Fröhlich <volker27 at gmx.at>
Date: Wed Dec 4 01:01:36 2013 +0100
Possible remote command injection ZBX-7479 (CVE-2013-6824)
zabbix-1.8.18-ZBX-7479.patch | 81 ++++++++++++++++++++++++++++++++++++++++++
zabbix.spec | 10 +++++-
2 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/zabbix-1.8.18-ZBX-7479.patch b/zabbix-1.8.18-ZBX-7479.patch
new file mode 100644
index 0000000..d28d0f4
--- /dev/null
+++ b/zabbix-1.8.18-ZBX-7479.patch
@@ -0,0 +1,81 @@
+Index: src/libs/zbxsysinfo/sysinfo.c
+===================================================================
+--- src/libs/zbxsysinfo/sysinfo.c (revision 40346)
++++ src/libs/zbxsysinfo/sysinfo.c (working copy)
+@@ -320,13 +320,49 @@
+ test_parameter(commands[i].key, PROCESS_TEST | PROCESS_USE_TEST_PARAM);
+ }
+
++static int zbx_check_user_parameter(const char *param, char *error, int max_err_len)
++{
++ const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c;
++ char *buf = NULL;
++ int buf_alloc = 128, buf_offset = 0;
++
++ if (0 != CONFIG_UNSAFE_USER_PARAMETERS)
++ return SUCCEED;
++
++ for (c = suppressed_chars; '\0' != *c; c++)
++ {
++ if (NULL == strchr(param, *c))
++ continue;
++
++ buf = zbx_malloc(buf, buf_alloc);
++
++ for (c = suppressed_chars; '\0' != *c; c++)
++ {
++ if (c != suppressed_chars)
++ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");
++
++ if (0 != isprint(*c))
++ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c);
++ else
++ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, 5, "0x%02x", *c);
++ }
++
++ zbx_snprintf(error, max_err_len, "special characters \"%s\" are not allowed in the parameters", buf);
++
++ zbx_free(buf);
++
++ return FAIL;
++ }
++
++ return SUCCEED;
++}
++
+ static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_err_len)
+ {
+ int ret = SUCCEED;
+ char buf[MAX_STRING_LEN];
+ char command[MAX_STRING_LEN];
+ register char *pl, *pr;
+- const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\0", *c;
+
+ assert(out);
+
+@@ -357,23 +393,10 @@
+ {
+ get_param(param, (int)(pr[1] - '0'), buf, MAX_STRING_LEN);
+
+- if (0 == CONFIG_UNSAFE_USER_PARAMETERS)
+- {
+- for (c = suppressed_chars; '\0' != *c; c++)
+- if (NULL != strchr(buf, *c))
+- {
+- zbx_snprintf(error, max_err_len, "Special characters '%s'"
+- " are not allowed in the parameters",
+- suppressed_chars);
+- ret = FAIL;
+- break;
+- }
+- }
++ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_err_len)))
++ break;
+ }
+
+- if (FAIL == ret)
+- break;
+-
+ zbx_strlcat(out, buf, outlen);
+ outlen -= MIN((int)strlen(buf), (int)outlen);
+
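Review bot: In the added zbx_check_user_parameter the one iterator `c` is reused by both loops — the outer scan of suppressed_chars against param and the inner loop that renders the same list into the error message — which is correct only because the function returns FAIL straight after the inner loop exhausts `c`, and it reads as a bug on first sight; I would give the inner loop its own pointer, and cast the argument of isprint() to unsigned char as <ctype.h> requires (harmless today since every listed character is ASCII, but it keeps the idiom right if a high-bit byte is ever added to the list). The function also carries no header comment; I would add one saying that it returns FAIL and fills error with a printable rendering of the whole suppressed list when param contains any of those characters, and SUCCEED otherwise or unconditionally when CONFIG_UNSAFE_USER_PARAMETERS is non-zero. The caller replace_param is only partly visible here, so whether the `break` at the new call site leaves the same loop that the removed `if (FAIL == ret) break;` left cannot be confirmed from this hunk.
```c
	const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c, *p;
	/* … unchanged: buf/buf_alloc/buf_offset declarations, CONFIG_UNSAFE_USER_PARAMETERS early return … */
	for (c = suppressed_chars; '\0' != *c; c++)
	{
		if (NULL == strchr(param, *c))
			continue;

		buf = zbx_malloc(buf, buf_alloc);

		for (p = suppressed_chars; '\0' != *p; p++)
		{
			if (p != suppressed_chars)
				zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");

			if (0 != isprint((unsigned char)*p))
				zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *p);
			else
				zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, 5, "0x%02x", (unsigned char)*p);
		}
		/* … unchanged: zbx_snprintf into error, zbx_free(buf), return FAIL … */
	}
```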
diff --git a/zabbix.spec b/zabbix.spec
index 30cd30d..826bd57 100644
--- a/zabbix.spec
+++ b/zabbix.spec
@@ -7,7 +7,7 @@
Name: zabbix
Version: 1.8.18
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
@@ -29,6 +29,9 @@ Patch0: zabbix-1.8.4-config.patch
Patch1: zabbix-1.8.4-fonts-config.patch
# remove flash content (#737337)
Patch2: zabbix-1.8.8-no-flash.patch
+# Fix vulnerability for remote command execution injection CVE-2013-6824
+# https://support.zabbix.com/browse/ZBX-7479
+Patch3: zabbix-1.8.18-ZBX-7479.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -262,6 +265,7 @@ Zabbix web frontend for SQLite
# remove included fonts
rm -rf frontends/php/fonts
%endif
+%patch3 -p0
# remove executable permissions
chmod a-x upgrades/dbpatches/1.8/mysql/upgrade
@@ -613,6 +617,10 @@ fi
%changelog
+* Tue Nov 3 2013 Volker Fröhlich <volker27 at gmx.at> - 1.8.18-2
+- Fix vulnerability for remote command execution injection
+ (ZBX-7479, CVE-2013-6824)
+
* Thu Oct 10 2013 Volker Fröhlich <volker27 at gmx.at> - 1.8.18-1
- New upstream release
- Drop patches for ZBX-7091 and ZBX-5924