[zabbix/f20] Add patch for zbx-8158 (CVE-2014-3005)

Volker Fröhlich volter at fedoraproject.org
Thu Jun 19 22:53:30 UTC 2014


commit 205ba2b6c95e31fdea8c04d110e418b23559e044
Author: Volker Fröhlich <volker27 at gmx.at>
Date:   Fri Jun 20 00:52:47 2014 +0200

    Add patch for zbx-8158 (CVE-2014-3005)

 zabbix-2.0.12-zbx8151.patch |   53 +++++++++++++++++++++++++++++++++++++++++++
 zabbix.spec                 |    9 ++++++-
 2 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/zabbix-2.0.12-zbx8151.patch b/zabbix-2.0.12-zbx8151.patch
new file mode 100644
index 0000000..1ce2bac
--- /dev/null
+++ b/zabbix-2.0.12-zbx8151.patch
@@ -0,0 +1,53 @@
+Index: frontends/php/include/defines.inc.php
+===================================================================
+--- frontends/php/include/defines.inc.php	(Revision 46596)
++++ frontends/php/include/defines.inc.php	(Revision 46655)
+@@ -835,6 +835,14 @@
+ 
+ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
+ 
++// XML import flags
++// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
++// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
++// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
++// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
++// so this flag is not needed here.
++define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
++
+ // API errors
+ define('ZBX_API_ERROR_INTERNAL',	111);
+ define('ZBX_API_ERROR_PARAMETERS',	100);
+Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
+===================================================================
+--- frontends/php/include/classes/import/readers/CXmlImportReader.php	(Revision 46596)
++++ frontends/php/include/classes/import/readers/CXmlImportReader.php	(Revision 46655)
+@@ -32,7 +32,8 @@
+ 	 */
+ 	public function read($string) {
+ 		libxml_use_internal_errors(true);
+-		$result = simplexml_load_string($string);
++		libxml_disable_entity_loader(true);
++		$result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
+ 		if (!$result) {
+ 			$errors = libxml_get_errors();
+ 			libxml_clear_errors();
+Index: frontends/php/include/classes/import/CXmlImport18.php
+===================================================================
+--- frontends/php/include/classes/import/CXmlImport18.php	(Revision 46596)
++++ frontends/php/include/classes/import/CXmlImport18.php	(Revision 46655)
+@@ -390,12 +390,13 @@
+ 		return $array;
+ 	}
+ 
+-	public static function import($file) {
++	public static function import($source) {
+ 
+ 		libxml_use_internal_errors(true);
++		libxml_disable_entity_loader(true);
+ 
+ 		$xml = new DOMDocument();
+-		if (!$xml->loadXML($file)) {
++		if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
+ 			$text = '';
+ 			foreach (libxml_get_errors() as $error) {
+ 				switch ($error->level) {
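Review bot: Both new `libxml_disable_entity_loader(true)` calls (in `CXmlImportReader::read` and `CXmlImport18::import`) change a process-wide libxml setting and never restore it, so the rest of the request runs with whatever state the import left behind rather than what it started with. The function returns the previous value, so a scoped form is `$prevLoader = libxml_disable_entity_loader(true);` before the parse and `libxml_disable_entity_loader($prevLoader);` immediately after `simplexml_load_string()` / `$xml->loadXML()` returns; if leaving it disabled for the whole request is intended as defence in depth, a one-line comment saying so would spare the next reader the question. `LIBXML_NONET` only blocks network fetches, so the loader call remains necessary alongside the flag, as the defines.inc.php comment already explains (where "no affect" should read "no effect"). Both `read()` and `import()` extend beyond their hunks.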
diff --git a/zabbix.spec b/zabbix.spec
index e4dce43..773d65d 100644
--- a/zabbix.spec
+++ b/zabbix.spec
@@ -19,7 +19,7 @@
 
 Name:           zabbix
 Version:        2.0.12
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Open-source monitoring solution for your IT infrastructure
 
 Group:          Applications/Internet
@@ -53,6 +53,9 @@ Patch2:         %{srcname}-2.0.1-no-flash.patch
 Patch3:         %{srcname}-1.8.12-fping3.patch
 # logrt may continue reading an old file repeatedly.
 Patch4:         %{srcname}-2.0.12-zbx8238.patch
+# Local file inclusion via XXE attack (CVE-2014-3005)
+# https://support.zabbix.com/browse/ZBX-8151
+Patch5:         %{srcname}-2.0.12-zbx8151.patch
 
 BuildRequires:   mysql-devel
 BuildRequires:   postgresql-devel
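Review bot: The new Patch5 comment and its URL reference ZBX-8151, matching the patch file name, the embedded patch text and the changelog entry, while the commit subject says zbx-8158; one of these is a typo and the subject looks like the odd one out, so it is worth confirming which issue id is intended. The `-p0` used by the later `%patch5` line is consistent with the `Index:`/`---` paths in the embedded patch, which start at `frontends/php/`.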
@@ -252,6 +255,7 @@ rm -f frontends/php/images/flash/zbxclock.swf
 
 %patch3 -p1
 %patch4 -p1
+%patch5 -p0
 
 # Remove bundled java libs
 rm -rf src/zabbix_java/lib/*.jar
@@ -653,6 +657,9 @@ fi
 %files web-pgsql
 
 %changelog
+* Fri Jun 20 2014 Volker Fröhlich <volker27 at gmx.at> - 2.0.12-3
+- Patch for ZBX-8151 (Local file inclusion via XXE attack) -- CVE-2014-3005
+
 * Tue Jun  3 2014 Volker Fröhlich <volker27 at gmx.at> - 2.0.12-2
 - Patch for ZBX-8238 (logrt may continue reading an old file repeatedly)
 

