Debian Bug report logs - #698910
zoneminder: CVE-2013-0232: arbitrary command execution vulnerability
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Fri, 25 Jan 2013 07:00:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Howard <pjh@northern-ridge.com.au>. (Fri, 25 Jan 2013 07:00:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: zoneminder
Severity: grave
Tags: security
Justification: user security hole
Hi
The following arbitrary command execution vulnerability was disclosed
for zoneminder:
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
Regards,
Salvatore
Marked as found in versions zoneminder/1.24.2-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Jan 2013 08:12:03 GMT)
Marked as found in versions zoneminder/1.25.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Jan 2013 08:12:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Sun, 27 Jan 2013 16:45:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Sun, 27 Jan 2013 16:45:03 GMT)
Message #14 received at 698910@bugs.debian.org:
Some additional information: In most usual cases where zoneminder is
set up, there should be authentication first. So this limits somehow
the vulnerability.
There is also a forum post on this, but still without reply:
http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771
Regards,
Salvatore
Changed Bug title to 'zoneminder: CVE-2013-0232: arbitrary command execution vulnerability' from 'zoneminder: arbitrary command execution vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2013 04:48:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Sun, 10 Feb 2013 15:27:06 GMT)
Acknowledgement sent to James McCoy <jamessan@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Sun, 10 Feb 2013 15:27:06 GMT)
Message #23 received at 698910@bugs.debian.org:
Control: tag -1 patch
On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> Some additional information: In most usual cases where zoneminder is
> set up, there should be authentication first. So this limits somehow
> the vulnerability.
The attached patch should address the issue, but I don't have a setup to
test.
Cheers,
--
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>
[cve-2013-0232.patch (text/x-diff, attachment)]
Added tag(s) patch. Request was from James McCoy <jamessan@debian.org> to 698910-submit@bugs.debian.org. (Sun, 10 Feb 2013 15:27:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Sun, 10 Feb 2013 21:27:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Sun, 10 Feb 2013 21:27:03 GMT)
Message #30 received at 698910@bugs.debian.org:
Hi James
Disclaimer: Only did a quick check.
On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> Control: tag -1 patch
>
> On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > Some additional information: In most usual cases where zoneminder is
> > set up, there should be authentication first. So this limits somehow
> > the vulnerability.
>
> The attached patch should address the issue, but I don't have a setup to
> test.
I rebuilt the package with your patch and tested it briefly in a VM
installing zoneminder. It now does not seem possible anymore to inject
a command to be executed with webserver user rights.
Thanks for working on this James.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Mon, 11 Feb 2013 22:06:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Mon, 11 Feb 2013 22:06:03 GMT)
Message #35 received at 698910@bugs.debian.org:
Hi
On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > Some additional information: In most usual cases where zoneminder is
> > set up, there should be authentication first. So this limits somehow
> > the vulnerability.
>
> The attached patch should address the issue, but I don't have a setup to
> test.
The patches look like they address the issue mentioned. What I've done:
- Build both for Squeeze and unstable (debdiffs attached)
- Installed zoneminder in a VM, confirmed that for both stable and
unstable version zoneminder is vulnerable.
- Installed the patched packages to verify the vulnerability.
NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
is going the same by James:
> +--- a/web/includes/functions.php
> ++++ b/web/includes/functions.php
> +@@ -905,7 +905,7 @@
> +
> + function packageControl( $command )
> + {
> +- $string = ZM_PATH_BIN."/zmpkg.pl $command";
> ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
> + $string .= " 2>/dev/null >&- <&- >/dev/null";
> + exec( $string );
> + }
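Review bot: In packageControl(), escapeshellarg( $command ) keeps the shell from interpreting the value, but the whole request value is still handed to zmpkg.pl as its single argument, so a value that starts with "-" or is not a command zmpkg.pl expects reaches the script unchecked. Consider rejecting anything outside the values zmpkg.pl is meant to accept before $string is built, and keep the escaping as the second layer.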
> +@@ -2145,7 +2145,8 @@
> + else
> + {
> + // Can't connect so use script
> +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
> ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
> ++ $command .= ' --unit-code '.escapeshellarg( $key );
> + //$command .= " 2>/dev/null >&- <&- >/dev/null";
> + $x10Response = exec( $command );
> + }
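Review bot: The zmx10.pl fallback in this hunk is the part the NOTE above says could not be tested, so the quoting of $status and $key goes in unverified. Validating both against the values zmx10.pl accepts for --command and --unit-code before the exec() would make the fix hold independently of the quoting, and since the result of exec() is kept in $x10Response it is worth confirming on a setup with X10 hardware that the quoted arguments still produce the response the caller expects.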
Security Team, how to proceed? Can/will a DSA be released for it?
Regards,
Salvatore
[zoneminder_1.24.2-8+squeeze1.debdiff (text/plain, attachment)]
[zoneminder_1.25.0-3.1.debdiff (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Mon, 11 Feb 2013 22:45:10 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Mon, 11 Feb 2013 22:45:10 GMT)
Message #40 received at 698910@bugs.debian.org:
On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Some additional information: In most usual cases where zoneminder is
> > > set up, there should be authentication first. So this limits somehow
> > > the vulnerability.
> >
> > The attached patch should address the issue, but I don't have a setup to
> > test.
>
> The patches look like they address the issue mentioned. What I've done:
>
> - Build both for Squeeze and unstable (debdiffs attached)
>
> - Installed zoneminder in a VM, confirmed that for both stable and
> unstable version zoneminder is vulnerable.
>
> - Installed the patched packages to verify the vulnerability.
>
> NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> is going the same by James:
>
> Security Team, how to proceed? Can/will a DSA be released for it?
We should fix this in a DSA.
Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
package?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#698910; Package src:zoneminder. (Mon, 11 Feb 2013 22:51:03 GMT)
Acknowledgement sent to Peter Howard <pjh@northern-ridge.com.au>: Extra info received and forwarded to list. (Mon, 11 Feb 2013 22:51:03 GMT)
Message #45 received at 698910@bugs.debian.org:
On Mon, 2013-02-11 at 23:03 +0100, Salvatore Bonaccorso wrote:
> Hi
>
> On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Some additional information: In most usual cases where zoneminder is
> > > set up, there should be authentication first. So this limits somehow
> > > the vulnerability.
> >
> > The attached patch should address the issue, but I don't have a setup to
> > test.
>
> The patches look like they address the issue mentioned. What I've done:
>
> - Build both for Squeeze and unstable (debdiffs attached)
>
> - Installed zoneminder in a VM, confirmed that for both stable and
> unstable version zoneminder is vulnerable.
>
> - Installed the patched packages to verify the vulnerability.
>
> NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> is going the same by James:
>
> > +--- a/web/includes/functions.php
> > ++++ b/web/includes/functions.php
> > +@@ -905,7 +905,7 @@
> > +
> > + function packageControl( $command )
> > + {
> > +- $string = ZM_PATH_BIN."/zmpkg.pl $command";
> > ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
> > + $string .= " 2>/dev/null >&- <&- >/dev/null";
> > + exec( $string );
> > + }
> > +@@ -2145,7 +2145,8 @@
> > + else
> > + {
> > + // Can't connect so use script
> > +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
> > ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
> > ++ $command .= ' --unit-code '.escapeshellarg( $key );
> > + //$command .= " 2>/dev/null >&- <&- >/dev/null";
> > + $x10Response = exec( $command );
> > + }
>
> Security Team, how to proceed? Can/will a DSA be released for it?
>
Better late than never . . .
Sorry for leaving this (zoneminder has slipped down my focus list in
recent times) . . . I can apply the patch to the (debian) zoneminder
repo and have an updated package out quickly. However I've never had
upload rights; I've always gone through an intermediary for the final
upload. So what's the easiest way forward - I just get it uploaded in
my normal way, I leave it for a security release, or "other"?
Also, I assume I need to get an updated 1.24.2 release too?
> Regards,
> Salvatore
--
Peter Howard <pjh@northern-ridge.com.au>
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Mon, 11 Feb 2013 23:33:03 GMT)
Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Mon, 11 Feb 2013 23:33:03 GMT)
Message #50 received at 698910@bugs.debian.org:
On Mon, Feb 11, 2013 at 11:41:13PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> > On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
...
> > The patches look like they address the issue mentioned. What I've done:
> >
> > - Build both for Squeeze and unstable (debdiffs attached)
> >
> > - Installed zoneminder in a VM, confirmed that for both stable and
> > unstable version zoneminder is vulnerable.
> >
> > - Installed the patched packages to verify the vulnerability.
> >
> > NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> > is going the same by James:
> >
> > Security Team, how to proceed? Can/will a DSA be released for it?
>
> We should fix this in a DSA.
>
> Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
> package?
I should be able to dedicate some time to testing on squeeze and wheezy and
hopefully upload tomorrow, although I don't have a setup where I can test the
setDeviceStatusX10 part either.
Peter, if you have some time to get the VCS repository ready and do some
testing, I'd be more confident in being able to upload.
Thanks everyone for looking into this issue, and especially the patch.
live well,
vagrant
Reply sent to Peter Howard <pjh@northern-ridge.com.au>: You have taken responsibility. (Tue, 12 Feb 2013 20:51:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 12 Feb 2013 20:51:04 GMT)
Message #55 received at 698910-close@bugs.debian.org:
Source: zoneminder
Source-Version: 1.25.0-4
We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 698910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Howard <pjh@northern-ridge.com.au> (supplier of updated zoneminder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 12 Jun 2013 12:02:10 +1000
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.25.0-4
Distribution: unstable
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Peter Howard <pjh@northern-ridge.com.au>
Description:
zoneminder - Linux video camera security and surveillance solution
Closes: 698910
Changes:
zoneminder (1.25.0-4) unstable; urgency=high
.
* Add CVE-2013-0232 patch
[SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
Thanks also to Salvatore Bonaccorso <carnil@debian.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Thu, 14 Feb 2013 19:39:03 GMT)
Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Thu, 14 Feb 2013 19:39:03 GMT)
Message #60 received at 698910@bugs.debian.org:
On Mon, Feb 11, 2013 at 03:29:05PM -0800, Vagrant Cascadian wrote:
> On Mon, Feb 11, 2013 at 11:41:13PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > > > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Security Team, how to proceed? Can/will a DSA be released for it?
> >
> > We should fix this in a DSA.
> >
> > Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
> > package?
>
> I should be able to dedicate some time to testing on squeeze and wheezy and
> hopefully upload tomorrow, although I don't have a setup where I can test the
> setDeviceStatusX10 part either.
Should already be fixed in sid, and soon hit wheezy.
I've prepared a security update for squeeze.
I've manually tested the security exploit described at:
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
Using:
wget -O - 'http://127.0.0.1/zm/index.php?view=none&action=state&runState=start;nc+-l+-p+1337+-e+/bin/sh%26'
Which allowed a shell accessible via netcat on port 1337 with the version
present in squeeze (1.24.2-8).
With a package built with the patch applied, I was not able to reproduce this
problem. I haven't noticed any side-effects, running on a couple zoneminder
machines for almost 24 hours...
diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog
--- zoneminder-1.24.2/debian/changelog 2011-01-15 19:40:08.000000000 -0800
+++ zoneminder-1.24.2/debian/changelog 2013-02-13 16:04:34.000000000 -0800
@@ -1,3 +1,12 @@
+zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high
+
+ * Add CVE-2013-0232 patch
+ [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
+ Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
+ Thanks also to Salvatore Bonaccorso <carnil@debian.org>
+
+ -- Vagrant Cascadian <vagrant@debian.org> Wed, 13 Feb 2013 15:49:34 -0800
+
zoneminder (1.24.2-8) unstable; urgency=medium
[ Vagrant Cascadian ]
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0232 zoneminder-1.24.2/debian/patches/cve-2013-0232
--- zoneminder-1.24.2/debian/patches/cve-2013-0232 1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0232 2013-02-13 15:43:30.000000000 -0800
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
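Review bot: The header of the new debian/patches/cve-2013-0232 file carries From, Bug-Debian and Subject but no Forwarded or Origin field, so a later reader of the package cannot tell whether upstream has this fix or where it came from. Adding a "Forwarded:" line (the upstream report, or "no") would record that; the thread only mentions an unanswered forum post, which is worth noting there.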
diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series
--- zoneminder-1.24.2/debian/patches/series 2011-01-14 12:01:53.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/series 2013-02-13 15:46:26.000000000 -0800
@@ -7,3 +7,4 @@
suppported-typo
use_libjs-mootools
fix_v4l2_cameras_without_crop
+cve-2013-0232
Anything more needed for the security team? Which queue should it be uploaded
to?
live well,
vagrant
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Fri, 15 Feb 2013 20:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Fri, 15 Feb 2013 20:09:03 GMT)
Message #65 received at 698910@bugs.debian.org:
Hi
(Hmm, strange I have not received this followup)
On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> Which allowed a shell accessible via netcat on port 1337 with the version
> present in squeeze (1.24.2-8).
>
> With a package built with the patch applied, I was not able to reproduce this
> problem. I haven't noticed any side-effects, running on a couple zoneminder
> machines for almost 24 hours...
I can confirm this, I did the same on my testing. (but as said I was
not able to test the setDeviceStatusX10 part, but is fixed with same
approach).
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Mon, 25 Feb 2013 11:33:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Mon, 25 Feb 2013 11:33:03 GMT)
Message #70 received at 698910@bugs.debian.org:
Hi Vagrant and Peter
On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> Anything more needed for the security team? Which queue should it be
> uploaded to?
Apologies for the delay. Could you also address #700912 (CVE-2013-0332)
for the stable-security update.
I think we can proceed afterwards.
Thank you for preparing updated packages!
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#698910; Package src:zoneminder. (Wed, 27 Feb 2013 01:45:03 GMT)
Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Wed, 27 Feb 2013 01:45:03 GMT)
Message #75 received at 698910@bugs.debian.org:
On Mon, Feb 25, 2013 at 12:28:33PM +0100, Salvatore Bonaccorso wrote:
> On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> > Anything more needed for the security team? Which queue should it be
> > uploaded to?
>
> Apologies for the delay. Could you also address #700912 (CVE-2013-0332)
> for the stable-security update.
>
> I think we can proceed afterwards.
I've prepared an upload in the "squeeze" branch of the hg repository, which
required a little backporting of the patches, but haven't yet tested it... hope
to test tomorrow, or I may not get to it till the following week...
http://anonscm.debian.org/hg/collab-maint/zoneminder/
or a debdiff:
diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog
--- zoneminder-1.24.2/debian/changelog 2011-01-15 19:40:08.000000000 -0800
+++ zoneminder-1.24.2/debian/changelog 2013-02-26 17:20:05.000000000 -0800
@@ -1,3 +1,15 @@
+zoneminder (1.24.2-8+squeeze1) UNRELEASED; urgency=high
+
+ * Add CVE-2013-0232 patch
+ [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
+ Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
+ Thanks also to Salvatore Bonaccorso <carnil@debian.org>
+ * Add CVE-2013-0332 patch
+ [SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912).
+ Thanks to Salvatore Bonaccorso <carnil@debian.org> for the patch.
+
+ -- Vagrant Cascadian <vagrant@debian.org> Tue, 26 Feb 2013 17:20:02 -0800
+
zoneminder (1.24.2-8) unstable; urgency=medium
[ Vagrant Cascadian ]
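Review bot: The first line of the new changelog entry names UNRELEASED as the distribution, while the earlier debdiff for the same version 1.24.2-8+squeeze1 used stable-security. Set it back to stable-security before the package is built for the security upload, and refresh the trailer date at the same time.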
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0232 zoneminder-1.24.2/debian/patches/cve-2013-0232
--- zoneminder-1.24.2/debian/patches/cve-2013-0232 1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0232 2013-02-26 16:55:03.000000000 -0800
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+ else
+ {
+ // Can't connect so use script
+- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++ $command .= ' --unit-code '.escapeshellarg( $key );
+ //$command .= " 2>/dev/null >&- <&- >/dev/null";
+ $x10Response = exec( $command );
+ }
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0332 zoneminder-1.24.2/debian/patches/cve-2013-0332
--- zoneminder-1.24.2/debian/patches/cve-2013-0332 1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0332 2013-02-26 17:18:18.000000000 -0800
@@ -0,0 +1,71 @@
+From: Salvatore Bonaccorso <carnil@debian.org>
+Bug-Debian: http://bugs.debian.org/700912
+Subject: CVE-2013-0332: local file inclusion vulnerability
+Bug-Upstream: http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
+
+Backported r3483 and r3488 from upstream svn to fix CVE-2013-0332.
+
+Index: zoneminder/web/includes/functions.php
+===================================================================
+--- zoneminder.orig/web/includes/functions.php 2013-02-26 17:07:02.000000000 -0800
++++ zoneminder/web/includes/functions.php 2013-02-26 17:08:10.806977380 -0800
+@@ -2231,13 +2231,21 @@
+ return( rand( 1, 999999 ) );
+ }
+
++function detaintPath( $path )
++{
++ // Remove any absolute paths, or relative ones that want to go up
++ $path = preg_replace( '/\.\.+\/\/*/', '', $path );
++ $path = preg_replace( '/^\/\/*/', '', $path );
++ return( $path );
++}
++
+ function getSkinFile( $file )
+ {
+ global $skinBase;
+ $skinFile = false;
+ foreach ( $skinBase as $skin )
+ {
+- $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
++ $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
+ if ( file_exists( $tempSkinFile ) )
+ $skinFile = $tempSkinFile;
+ }
+@@ -2250,7 +2258,7 @@
+ $skinFile = false;
+ foreach ( $skinBase as $skin )
+ {
+- $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
++ $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
+ if ( file_exists( $tempSkinFile ) )
+ $skinFile = $tempSkinFile;
+ }
+Index: zoneminder/web/index.php
+===================================================================
+--- zoneminder.orig/web/index.php 2013-02-26 16:55:04.000000000 -0800
++++ zoneminder/web/index.php 2013-02-26 17:13:03.376428137 -0800
+@@ -96,10 +96,13 @@
+ require_once( 'includes/functions.php' );
+
+ if ( isset($_REQUEST['view']) )
+- $view = validHtmlStr($_REQUEST['view']);
++ $view = detaintPath($_REQUEST['view']);
++
++if ( isset($_REQUEST['request']) )
++ $request = detaintPath($_REQUEST['request']);
+
+ if ( isset($_REQUEST['action']) )
+- $action = validHtmlStr($_REQUEST['action']);
++ $action = detaintPath($_REQUEST['action']);
+
+ require_once( 'includes/actions.php' );
+
+@@ -108,7 +111,6 @@
+
+ if ( isset( $_REQUEST['request'] ) )
+ {
+- $request = validHtmlStr($_REQUEST['request']);
+ foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
+ {
+ if ( !file_exists( $includeFile ) )
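Review bot: In web/index.php the patch replaces validHtmlStr() with detaintPath() for $view, $action and $request rather than adding to it, so whatever filtering validHtmlStr() applied to those three request values is lost; if any of them is written back into a page later, that is a regression. Composing the two, for example detaintPath( validHtmlStr( $_REQUEST['view'] ) ), would keep the old behaviour. In getSkinFile() detaintPath() is run on the already concatenated 'skins'.'/'.$skin.'/'.$file, where the leading-slash rule can never match because the string always starts with "skins"; calling it on $file alone would state the intent more clearly.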
diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series
--- zoneminder-1.24.2/debian/patches/series 2011-01-14 12:01:53.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/series 2013-02-26 16:56:45.000000000 -0800
@@ -7,3 +7,5 @@
suppported-typo
use_libjs-mootools
fix_v4l2_cameras_without_crop
+cve-2013-0232
+cve-2013-0332
live well,
vagrant
Reply sent to Vagrant Cascadian <vagrant@debian.org>: You have taken responsibility. (Sun, 17 Mar 2013 00:51:12 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 17 Mar 2013 00:51:12 GMT)
Message #80 received at 698910-close@bugs.debian.org:
Source: zoneminder
Source-Version: 1.24.2-8+squeeze1
We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 698910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated zoneminder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 05 Mar 2013 11:29:20 -0800
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.2-8+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Description:
zoneminder - Linux video camera security and surveillance solution
Closes: 698910 700912
Changes:
zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high
.
* Add CVE-2013-0232 patch
[SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
Thanks also to Salvatore Bonaccorso <carnil@debian.org>
* Add CVE-2013-0332 patch
[SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912).
Thanks to Salvatore Bonaccorso <carnil@debian.org> for the patch.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:34:44 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:03:44 2019; Machine Name: buxtehude