Control: tag -1 patch On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote: > Some additional information: In most usual cases where zoneminder is > set up, there should be authentication first. So this limits somehow > the vulnerability.
The attached patch should address the issue, but I don't have a setup to test. Cheers, -- James GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <james...@debian.org>
# HG changeset patch # User James McCoy <james...@debian.org> # Date 1360509613 18000 # Node ID 8ad5cdabf2d65cc2a382b86259b216623d0a6f48 # Parent b87e27c0fee8bf1437cd1806bbd52d58a67b1089 shell escape commands with untrusted content (CVE-2013-0232) diff --git a/debian/patches/CVE-2013-0232 b/debian/patches/CVE-2013-0232 new file mode 100644 --- /dev/null +++ b/debian/patches/CVE-2013-0232 @@ -0,0 +1,24 @@ +From: James McCoy <james...@debian.org> +Bug-Debian: http://bugs.debian.org/698910 +Subject: shell escape commands with untrusted content +--- a/web/includes/functions.php ++++ b/web/includes/functions.php +@@ -905,7 +905,7 @@ + + function packageControl( $command ) + { +- $string = ZM_PATH_BIN."/zmpkg.pl $command"; ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command ); + $string .= " 2>/dev/null >&- <&- >/dev/null"; + exec( $string ); + } +@@ -2145,7 +2145,8 @@ + else + { + // Can't connect so use script +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key"; ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status ); ++ $command .= ' --unit-code '.escapeshellarg( $key ); + //$command .= " 2>/dev/null >&- <&- >/dev/null"; + $x10Response = exec( $command ); + } diff --git a/debian/patches/series b/debian/patches/series --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ include-avutil-mathematics-header Fix-FTBFS-with-gcc-4.7 do_not_check_for_updates_by_default +CVE-2013-0232
signature.asc
Description: Digital signature
