[zabbix20/epel7] Add patch for zbx-8158 (CVE-2014-3005)
Volker Fröhlich
volter at fedoraproject.org
Fri Jun 20 06:49:13 UTC 2014
commit 01397837ede5a278f88831ed08228bebd622a51e
Author: Volker Fröhlich <volker27 at gmx.at>
Date: Fri Jun 20 08:34:46 2014 +0200
Add patch for zbx-8158 (CVE-2014-3005)
zabbix-2.0.12-zbx8151.patch | 53 +++++++++++++++++++++++++++++++++++++++++++
zabbix20.spec | 9 ++++++-
2 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/zabbix-2.0.12-zbx8151.patch b/zabbix-2.0.12-zbx8151.patch
new file mode 100644
index 0000000..1ce2bac
--- /dev/null
+++ b/zabbix-2.0.12-zbx8151.patch
@@ -0,0 +1,53 @@
+Index: frontends/php/include/defines.inc.php
+===================================================================
+--- frontends/php/include/defines.inc.php (Revision 46596)
++++ frontends/php/include/defines.inc.php (Revision 46655)
+@@ -835,6 +835,14 @@
+
+ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
+
++// XML import flags
++// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
++// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
++// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
++// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
++// so this flag is not needed here.
++define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
++
+ // API errors
+ define('ZBX_API_ERROR_INTERNAL', 111);
+ define('ZBX_API_ERROR_PARAMETERS', 100);
+Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
+===================================================================
+--- frontends/php/include/classes/import/readers/CXmlImportReader.php (Revision 46596)
++++ frontends/php/include/classes/import/readers/CXmlImportReader.php (Revision 46655)
+@@ -32,7 +32,8 @@
+ */
+ public function read($string) {
+ libxml_use_internal_errors(true);
+- $result = simplexml_load_string($string);
++ libxml_disable_entity_loader(true);
++ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
+ if (!$result) {
+ $errors = libxml_get_errors();
+ libxml_clear_errors();
+Index: frontends/php/include/classes/import/CXmlImport18.php
+===================================================================
+--- frontends/php/include/classes/import/CXmlImport18.php (Revision 46596)
++++ frontends/php/include/classes/import/CXmlImport18.php (Revision 46655)
+@@ -390,12 +390,13 @@
+ return $array;
+ }
+
+- public static function import($file) {
++ public static function import($source) {
+
+ libxml_use_internal_errors(true);
++ libxml_disable_entity_loader(true);
+
+ $xml = new DOMDocument();
+- if (!$xml->loadXML($file)) {
++ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
+ $text = '';
+ foreach (libxml_get_errors() as $error) {
+ switch ($error->level) {
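Review bot: The `libxml_disable_entity_loader(true)` added in CXmlImportReader::read and in CXmlImport18::import (whose body continues past the hunk) flips a libxml setting that appears to be global to the whole PHP request and discards the previous value, so every later XML load in the same request inherits the disabled loader and nothing restores it on the error path either. Capturing the return value and restoring it right after the parse keeps the hardening scoped to the importer: `$prevLoader = libxml_disable_entity_loader(true);` before the load and `libxml_disable_entity_loader($prevLoader);` immediately after, in both methods. The defines.inc.php comment is the right place to record why LIBXML_NOENT is deliberately left out; a small wording fix there, `opposite to its name`, would help. Separately, the commit title says zbx-8158 while the patch filename and the ZBX-8151 reference in that comment say 8151; presumably the title is the typo, but it is worth confirming before the id is copied further.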
diff --git a/zabbix20.spec b/zabbix20.spec
index bc31cdd..f3dbb94 100644
--- a/zabbix20.spec
+++ b/zabbix20.spec
@@ -19,7 +19,7 @@
Name: zabbix20
Version: 2.0.12
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
@@ -53,6 +53,9 @@ Patch2: %{srcname}-2.0.1-no-flash.patch
Patch3: %{srcname}-1.8.12-fping3.patch
# logrt may continue reading an old file repeatedly.
Patch4: %{srcname}-2.0.12-zbx8238.patch
+# Local file inclusion via XXE attack (CVE-2014-3005)
+# https://support.zabbix.com/browse/ZBX-8151
+Patch5: %{srcname}-2.0.12-zbx8151.patch
BuildRequires: mysql-devel
BuildRequires: postgresql-devel
@@ -252,6 +255,7 @@ rm -f frontends/php/images/flash/zbxclock.swf
%patch3 -p1
%patch4 -p1
+%patch5 -p0
# Remove bundled java libs
rm -rf src/zabbix_java/lib/*.jar
@@ -657,6 +661,9 @@ fi
%files web-pgsql
%changelog
+* Fri Jun 20 2014 Volker Fröhlich <volker27 at gmx.at> - 2.0.12-3
+- Patch for ZBX-8151 (Local file inclusion via XXE attack) -- CVE-2014-3005
+
* Tue Jun 3 2014 Volker Fröhlich <volker27 at gmx.at> - 2.0.12-2
- Don't remove su directive from logrotate config in error
- Adapt logrotate.in file and sed invocation from 2.2 packages