zoneminder: Several security issues (XSS, SQL injection, Command injection)

Debian Bug report logs - #497640
zoneminder: Several security issues (XSS, SQL injection, Command injection)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: zoneminder: Several security issues (XSS, SQL injection, Command injection)

Date: Wed, 03 Sep 2008 19:54:11 +1000

Package: zoneminder
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for zoneminder.

CVE-2008-3882[0]:
| ZoneMinder 1.23.3 and earlier allows remote attackers to execute
| arbitrary commands (aka "Command Injection") via (1) the executeFilter
| function in zm_html_view_events.php and (2) the run_state parameter to
| zm_html_view_state.php.

CVE-2008-3881[1]:
| Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
| 1.23.3 and earlier allow remote attackers to inject arbitrary web
| script or HTML via unspecified parameters to unspecified
| "zm_html_view_*.php" files.

CVE-2008-3880[2]:
| SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
| 1.23.3 and earlier allows remote attackers to execute arbitrary SQL
| commands via the filter array parameter.

Another security report including all the vulnerabilities can be found here[3].

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3882
    http://security-tracker.debian.net/tracker/CVE-2008-3882
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3881
    http://security-tracker.debian.net/tracker/CVE-2008-3881
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3880
    http://security-tracker.debian.net/tracker/CVE-2008-3880
[3] http://www.securityfocus.com/archive/1/archive/1/495745/100/0/threaded

Cheers
Steffen

Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Peter Howard <pjh@northern-ridge.com.au>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 497640@bugs.debian.org

Cc: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Re: Bug#497640: zoneminder: Several security issues (XSS, SQL injection, Command injection)

Date: Sat, 06 Sep 2008 17:33:26 +1000

[Message part 1 (text/plain, inline)]

On Wed, 2008-09-03 at 19:54 +1000, Steffen Joeris wrote:
> Package: zoneminder
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for zoneminder.
> 

These are currently being fixed in the next upstream release (1.24 -
currently in RC phase).  When that is released I will output a 1.24
package.

> CVE-2008-3882[0]:
> | ZoneMinder 1.23.3 and earlier allows remote attackers to execute
> | arbitrary commands (aka "Command Injection") via (1) the executeFilter
> | function in zm_html_view_events.php and (2) the run_state parameter to
> | zm_html_view_state.php.
> 
> CVE-2008-3881[1]:
> | Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
> | 1.23.3 and earlier allow remote attackers to inject arbitrary web
> | script or HTML via unspecified parameters to unspecified
> | "zm_html_view_*.php" files.
> 
> CVE-2008-3880[2]:
> | SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
> | 1.23.3 and earlier allows remote attackers to execute arbitrary SQL
> | commands via the filter array parameter.
> 
> Another security report including all the vulnerabilities can be found here[3].
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3882
>     http://security-tracker.debian.net/tracker/CVE-2008-3882
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3881
>     http://security-tracker.debian.net/tracker/CVE-2008-3881
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3880
>     http://security-tracker.debian.net/tracker/CVE-2008-3880
> [3] http://www.securityfocus.com/archive/1/archive/1/495745/100/0/threaded
> 
> Cheers
> Steffen

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 497640@bugs.debian.org (full text, mbox, reply):

From: Ansgar Burchardt <ansgar@2008.43-1.org>

To: Peter Howard <pjh@northern-ridge.com.au>

Cc: 497640@bugs.debian.org

Subject: Re: Bug#497640: zoneminder: Several security issues

Date: Wed, 15 Apr 2009 21:33:43 +0200

Hi,

zoneminder 1.24.0 has been released in Februrary.  Have you any plans to
update the Debian package yet?  It would be nice if the security
problems could be fixed.

Regards,
Ansgar

Message #25 received at 497640@bugs.debian.org (full text, mbox, reply):

From: Peter Howard <pjh@northern-ridge.com.au>

To: Ansgar Burchardt <ansgar@2008.43-1.org>, 497640@bugs.debian.org

Subject: Re: Bug#497640: zoneminder: Several security issues

Date: Thu, 16 Apr 2009 13:57:43 +1000

[Message part 1 (text/plain, inline)]

On Wed, 2009-04-15 at 21:33 +0200, Ansgar Burchardt wrote:
> Hi,
> 
> zoneminder 1.24.0 has been released in Februrary.  Have you any plans to
> update the Debian package yet?  It would be nice if the security
> problems could be fixed.

I have (or had, see next para) a package for 1.24 but haven't done any
proper testing.  (The first tester reported it crashing).

My build+test environment has been down for a while, and is only back
together again as of Easter.  I am about to put out a final 1.23.3
release to close bug #517569, then I'll get back to making 1.24 work.


-- 
Peter Howard <pjh@northern-ridge.com.au>

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 497640@bugs.debian.org (full text, mbox, reply):

From: Jordi Mallach <jordi@debian.org>

To: 497640@bugs.debian.org

Subject: What's the status of this?

Date: Fri, 8 May 2009 12:05:43 +0200

Hi, I've been waiting for packages of the new version for a while, and wonder
whgat's missing of if we can do something to help getting the packages done.

Thanks,
Jordi

-- 
Jordi Mallach Pérez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

Message #35 received at 497640@bugs.debian.org (full text, mbox, reply):

From: Peter Howard <pjh@northern-ridge.com.au>

To: Jordi Mallach <jordi@debian.org>, 497640@bugs.debian.org

Subject: Re: Bug#497640: What's the status of this?

Date: Thu, 14 May 2009 10:53:03 +1000

[Message part 1 (text/plain, inline)]

On Fri, 2009-05-08 at 12:05 +0200, Jordi Mallach wrote:
> Hi, I've been waiting for packages of the new version for a while, and wonder
> whgat's missing of if we can do something to help getting the packages done.
> 

I have it packaged, and it does a clean install fine.  However it's
failing to upgrade from previous versions.  Once that's resolved it will
go into the repo.

-- 
Peter Howard <pjh@northern-ridge.com.au>

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 497640@bugs.debian.org (full text, mbox, reply):

From: Jordi Mallach <jordi@sindominio.net>

To: Peter Howard <pjh@northern-ridge.com.au>

Cc: 497640@bugs.debian.org

Subject: Re: Bug#497640: What's the status of this?

Date: Thu, 14 May 2009 05:33:05 +0200

On Thu, May 14, 2009 at 10:53:03AM +1000, Peter Howard wrote:
> I have it packaged, and it does a clean install fine.  However it's
> failing to upgrade from previous versions.  Once that's resolved it will
> go into the repo.

If I can help in any way, please say. I'd be willing to get your sources
posted somehere where it's uploaded against our tiredness and drive,


-- 
Jordi Mallach Pérez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

Message #45 received at 497640-close@bugs.debian.org (full text, mbox, reply):

From: Peter Howard <pjh@northern-ridge.com.au>

To: 497640-close@bugs.debian.org

Subject: Bug#497640: fixed in zoneminder 1.24.1-1

Date: Tue, 02 Jun 2009 05:17:05 +0000

Source: zoneminder
Source-Version: 1.24.1-1

We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive:

zoneminder_1.24.1-1.diff.gz
  to pool/main/z/zoneminder/zoneminder_1.24.1-1.diff.gz
zoneminder_1.24.1-1.dsc
  to pool/main/z/zoneminder/zoneminder_1.24.1-1.dsc
zoneminder_1.24.1-1_i386.deb
  to pool/main/z/zoneminder/zoneminder_1.24.1-1_i386.deb
zoneminder_1.24.1.orig.tar.gz
  to pool/main/z/zoneminder/zoneminder_1.24.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 497640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Howard <pjh@northern-ridge.com.au> (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 May 2009 07:02:50 +1000
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.1-1
Distribution: unstable
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Peter Howard <pjh@northern-ridge.com.au>
Description: 
 zoneminder - Linux video camera security and surveillance solution
Closes: 486064 497640 526918 528252
Changes: 
 zoneminder (1.24.1-1) unstable; urgency=high
 .
   * Initial release of zoneminder 1.24.1, closing CVE-2008-3882,
     CVE-2008-3881, CVE-2008-3880
     (closes: #497640)
   * Change syslog dependency to rsyslog.
     (closes: #526918)
   * Add missing perl depenency.
   * Restore patch to disable "check for updates" by default.
   * Removed spurious '$' in init script.
     (closes: #486064)
   * Change permission of zm.conf from 0600 to 0400 for CVE-2008-6755
     (closes: #528252)
Checksums-Sha1: 
 cf1110cd5560c692a3b6651de4558a55d72cf690 1358 zoneminder_1.24.1-1.dsc
 dbfc665434913564993403711e9dd3a85a72158c 894667 zoneminder_1.24.1.orig.tar.gz
 e33036cb76d819e77209055e8f79c1861cd8ced8 34335 zoneminder_1.24.1-1.diff.gz
 b3cf4c223d9bceb497640a9f1545feca21eb6846 1409582 zoneminder_1.24.1-1_i386.deb
Checksums-Sha256: 
 1d4578fdeb98b6edc18a9734799f33810d5c2aa980d73ac0da6a5b5193959486 1358 zoneminder_1.24.1-1.dsc
 53a1514413cb401e0945fad009483e560a9a4d2e0ba40350988ca87fbb860ab2 894667 zoneminder_1.24.1.orig.tar.gz
 b5ae1df341ae295d1c64eed348498bb86fbc2be1d1d3268541508c98ed40f70e 34335 zoneminder_1.24.1-1.diff.gz
 577f7d113cd3abed23af98ed4aa8524b35c6589f2b967cbb4213374a3369e47e 1409582 zoneminder_1.24.1-1_i386.deb
Files: 
 cab6c87427894ae5a8cf13f07e7c7d09 1358 net optional zoneminder_1.24.1-1.dsc
 1e4ce392d645cbb28037ecebc5a56584 894667 net optional zoneminder_1.24.1.orig.tar.gz
 b16b05e0148974f30224c41f85817073 34335 net optional zoneminder_1.24.1-1.diff.gz
 413f13e249d32e110aed83ab2e41c83e 1409582 net optional zoneminder_1.24.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoksi4ACgkQCfB0CMh//C+UnQCeIhFae6h8jdDy6v2LWz8SSjkB
88MAoKAhjaN3XLY3ROhbEmJmmgTR7/0H
=23sC
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.