zabbix: CVE-2014-3005: local file inclusion via XXE

Related Vulnerabilities: CVE-2014-3005  

Debian Bug report logs - #751910

Package: zabbix; Maintainer for zabbix is Dmitry Smirnov <onlyjob@debian.org>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Tue, 17 Jun 2014 18:39:02 UTC

Severity: grave

Tags: patch, security

Found in version 1:2.2.3+dfsg-1

Fixed in version zabbix/1:2.2.5+dfsg-1

Done: Dmitry Smirnov <onlyjob@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://support.zabbix.com/browse/ZBX-8151

Report forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#751910; Package zabbix. (Tue, 17 Jun 2014 18:39:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Christoph Haas <haas@debian.org>. (Tue, 17 Jun 2014 18:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: zabbix: CVE-2014-3005: local file inclusion via XXE
Date: Tue, 17 Jun 2014 21:36:53 +0300
Package: zabbix
Version: 1:2.2.3+dfsg-1
Severity: grave
Tags: security

Advisory: http://seclists.org/fulldisclosure/2014/Jun/87

Below might be the fix, but please verify.

---
Henri Salo

svn diff -r46596:46600
Index: frontends/php/include/defines.inc.php
===================================================================
--- frontends/php/include/defines.inc.php   (revision 46596)
+++ frontends/php/include/defines.inc.php   (revision 46600)
@@ -835,6 +835,9 @@
 
 define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
 
+// XML import flags
+define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
+
 // API errors
 define('ZBX_API_ERROR_INTERNAL',   111);
 define('ZBX_API_ERROR_PARAMETERS', 100);
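
Review bot: The new define in defines.inc.php sets LIBXML_IMPORT_FLAGS to LIBXML_NONET alone, which only stops libxml from fetching resources over the network; it does nothing about entities that point at local files, so the local file inclusion in the bug title is covered only by the separate libxml_disable_entity_loader(true) calls in the two readers. The "// XML import flags" comment should say that, so a later caller does not treat this constant as the whole XXE defence. The name also sits in libxml's own LIBXML_ prefix; a ZBX_-prefixed name would match the neighbouring ZBX_DEFAULT_IMPORT_HOST_GROUP and cannot collide with a constant PHP adds later.
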
Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
===================================================================
--- frontends/php/include/classes/import/readers/CXmlImportReader.php   (revision 46596)
+++ frontends/php/include/classes/import/readers/CXmlImportReader.php   (revision 46600)
@@ -32,7 +32,8 @@
     */
    public function read($string) {
        libxml_use_internal_errors(true);
-       $result = simplexml_load_string($string);
+       libxml_disable_entity_loader(true);
+       $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
        if (!$result) {
            $errors = libxml_get_errors();
            libxml_clear_errors();
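
Review bot: In read(), the added libxml_disable_entity_loader(true) call changes a process-wide libxml setting and discards its return value (the previous state), so the loader stays disabled after the import and later code in the same request that loads XML or a schema by path can fail. Suggest saving the old value and restoring it once simplexml_load_string() has returned: $old = libxml_disable_entity_loader(true); ... libxml_disable_entity_loader($old);
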
Index: frontends/php/include/classes/import/CXmlImport18.php
===================================================================
--- frontends/php/include/classes/import/CXmlImport18.php   (revision 46596)
+++ frontends/php/include/classes/import/CXmlImport18.php   (revision 46600)
@@ -390,12 +390,13 @@
        return $array;
    }
 
-   public static function import($file) {
+   public static function import($source) {
 
        libxml_use_internal_errors(true);
+       libxml_disable_entity_loader(true);
 
        $xml = new DOMDocument();
-       if (!$xml->loadXML($file)) {
+       if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
            $text = '';
            foreach (libxml_get_errors() as $error) {
                switch ($error->level) {
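
Review bot: import() in CXmlImport18.php repeats the same two hardening steps as CXmlImportReader::read(), the libxml_disable_entity_loader(true) call and the LIBXML_IMPORT_FLAGS argument, so the protection holds only as long as every XML entry point remembers both. Moving them into one shared helper that both classes call would leave a single place to audit. The rename from $file to $source signals that the argument is XML text and not a path; no docblock for import() is visible in this hunk, and a short one stating that would make it explicit.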

Added tag(s) patch. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 17 Jun 2014 18:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#751910; Package zabbix. (Wed, 18 Jun 2014 06:36:08 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Wed, 18 Jun 2014 06:36:08 GMT)


Message #12 received at 751910@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 751910@bugs.debian.org
Subject: update
Date: Wed, 18 Jun 2014 09:34:17 +0300
Upstream bug report: https://support.zabbix.com/browse/ZBX-8151

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#751910; Package zabbix. (Wed, 02 Jul 2014 18:33:09 GMT)


Acknowledgement sent to Dmitry Smirnov <onlyjob@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Wed, 02 Jul 2014 18:33:09 GMT)


Message #17 received at 751910@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: Alexei Vladishev <alexei.vladishev@zabbix.com>
Cc: zabbix@packages.debian.org, 751910@bugs.debian.org
Subject: Re: Bug:#751910: zabbix: CVE-2014-3005: local file inclusion via XXE
Date: Thu, 03 Jul 2014 04:29:33 +1000
Hi Alexei,

On Wed, 2 Jul 2014 14:15:49 Alexei Vladishev wrote:
> The issues has already been fixed and will be available in Zabbix 2.2.5
> soon.

Thank you for quick action.

> Do you want us to prepare a patch for 2.2.3?

Thank you for your help with patching of current versions of Zabbix in Debian 
-- much appreciated.

I'm working on 2.2.4 so perhaps it will be helpful if we could fix the issue 
with the upload of 2.2.4 unless 2.2.5 happens before I prepare 2.2.4...

-- 
Regards,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B




Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#751910; Package zabbix. (Thu, 03 Jul 2014 07:21:08 GMT)


Acknowledgement sent to Alexei Vladishev <alexei.vladishev@zabbix.com>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Thu, 03 Jul 2014 07:21:08 GMT)


Message #22 received at 751910@bugs.debian.org:

From: Alexei Vladishev <alexei.vladishev@zabbix.com>
To: Dmitry Smirnov <onlyjob@debian.org>
Cc: zabbix@packages.debian.org, 751910@bugs.debian.org
Subject: Re: Bug:#751910: zabbix: CVE-2014-3005: local file inclusion via XXE
Date: Thu, 03 Jul 2014 10:11:15 +0300
Hi Dmitry,

> The issues has already been fixed and will be available in Zabbix 2.2.5
> soon.
> Thank you for quick action.
>
>> Do you want us to prepare a patch for 2.2.3?
> Thank you for your help with patching of current versions of Zabbix in Debian
> -- much appreciated.
>
> I'm working on 2.2.4 so perhaps it will be helpful if we could fix the issue
> with the upload of 2.2.4 unless 2.2.5 happens before I prepare 2.2.4...
>

Since 2.2.5 fixes this security related issue we'll do all our best to 
release it asap.

I hope first RC will be ready early next week.

Alexei



Set Bug forwarded-to-address to 'https://support.zabbix.com/browse/ZBX-8151'. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Sun, 06 Jul 2014 06:42:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#751910; Package zabbix. (Sun, 06 Jul 2014 06:57:05 GMT)


Acknowledgement sent to Dmitry Smirnov <onlyjob@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sun, 06 Jul 2014 06:57:05 GMT)


Message #29 received at 751910@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: Alexei Vladishev <alexei.vladishev@zabbix.com>
Cc: zabbix@packages.debian.org, 751910@bugs.debian.org
Subject: Re: Bug:#751910: zabbix: CVE-2014-3005: local file inclusion via XXE
Date: Sun, 06 Jul 2014 16:55:17 +1000
On Thu, 3 Jul 2014 10:11:15 Alexei Vladishev wrote:
> Since 2.2.5 fixes this security related issue we'll do all our best to
> release it asap.
> 
> I hope first RC will be ready early next week.

Thanks for ETA. Once 2.2.5 is released I'll do my best to upload it to Debian 
ASAP.

-- 
All the best,
 Dmitry Smirnov.

Reply sent to Dmitry Smirnov <onlyjob@debian.org>:
You have taken responsibility. (Thu, 17 Jul 2014 21:42:24 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Thu, 17 Jul 2014 21:42:24 GMT)


Message #34 received at 751910-close@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: 751910-close@bugs.debian.org
Subject: Bug#751910: fixed in zabbix 1:2.2.5+dfsg-1
Date: Thu, 17 Jul 2014 21:40:23 +0000
Source: zabbix
Source-Version: 1:2.2.5+dfsg-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 751910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 18 Jul 2014 03:16:47 +1000
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-java-gateway zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.2.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Dmitry Smirnov <onlyjob@debian.org>
Description:
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-java-gateway - network monitoring solution - Java gateway
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 744385 749707 751910 752627 754271
Changes:
 zabbix (1:2.2.5+dfsg-1) unstable; urgency=medium
 .
   * New upstream release [July 2014] (Closes: #754271).
     - fixed CVE-2014-3005: local file inclusion via XXE (Closes: #751910).
     - removed PHP-licensed code (Closes: #752627).
     - don't use deprecated function "mbstring.internal_encoding"
       (Closes: #749707).
   * zabbix-agent: Depends: +pciutils; Recommends: +usbutils (Closes: #744385).
   * Added "debian/gbp.conf".
   * Build-Depends:
     + "libgcrypt-dev" --> "libgcrypt20-dev | libgcrypt-dev".
     + "pkg-config".
   * Replace source-less minified .js files on build-time;
     added "source-is-missing" lintian-overrides; updated "debian/copyright".




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 15 Aug 2014 07:26:43 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:42:17 2019; Machine Name: beach
