On Mon, Feb 11, 2013 at 03:29:05PM -0800, Vagrant Cascadian wrote:
> On Mon, Feb 11, 2013 at 11:41:13PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > > > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Security Team, how to proceed? Can/will a DSA be released for it?
> >
> > We should fix this in a DSA.
> >
> > Vagrant, James or Peter, can you do real-world testing of the proposed
> > squeeze package?
>
> I should be able to dedicate some time to testing on squeeze and wheezy and
> hopefully upload tomorrow, although I don't have a setup where I can test the
> setDeviceStatusX10 part either.

Should already be fixed in sid, and soon hit wheezy.

I've prepared a security update for squeeze. I've manually tested the security exploit described at:

http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/

Using:

wget -O - 'http://127.0.0.1/zm/index.php?view=none&action=state&runState=start;nc+-l+-p+1337+-e+/bin/sh%26'

Which allowed a shell accessible via netcat on port 1337 with the version present in squeeze (1.24.2-8).

With a package built with the patch applied, I was not able to reproduce this problem. I haven't noticed any side-effects, running on a couple zoneminder machines for almost 24 hours...

diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog --- zoneminder-1.24.2/debian/changelog 2011-01-15 19:40:08.000000000 -0800 +++ zoneminder-1.24.2/debian/changelog 2013-02-13 16:04:34.000000000 -0800 
@@ -1,3 +1,12 @@ +zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high + + * Add CVE-2013-0232 patch + [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content. + Thanks to James McCoy <james...@debian.org> (Closes: #698910) + Thanks also to Salvatore Bonaccorso <car...@debian.org> + + -- Vagrant Cascadian <vagr...@debian.org> Wed, 13 Feb 2013 15:49:34 -0800 + zoneminder (1.24.2-8) unstable; urgency=medium [ Vagrant Cascadian ] diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0232 zoneminder-1.24.2/debian/patches/cve-2013-0232 --- zoneminder-1.24.2/debian/patches/cve-2013-0232 1969-12-31 16:00:00.000000000 -0800 +++ zoneminder-1.24.2/debian/patches/cve-2013-0232 2013-02-13 15:43:30.000000000 -0800 @@ -0,0 +1,24 @@ +From: James McCoy <james...@debian.org> +Bug-Debian: http://bugs.debian.org/698910 +Subject: shell escape commands with untrusted content +--- a/web/includes/functions.php ++++ b/web/includes/functions.php +@@ -905,7 +905,7 @@ + + function packageControl( $command ) + { +- $string = ZM_PATH_BIN."/zmpkg.pl $command"; ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command ); + $string .= " 2>/dev/null >&- <&- >/dev/null"; + exec( $string ); + } +@@ -2145,7 +2145,8 @@ + else + { + // Can't connect so use script +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key"; ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status ); ++ $command .= ' --unit-code '.escapeshellarg( $key ); + //$command .= " 2>/dev/null >&- <&- >/dev/null"; + $x10Response = exec( $command ); + } diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series --- zoneminder-1.24.2/debian/patches/series 2011-01-14 12:01:53.000000000 -0800 +++ zoneminder-1.24.2/debian/patches/series 2013-02-13 15:46:26.000000000 -0800 
@@ -7,3 +7,4 @@ suppported-typo use_libjs-mootools fix_v4l2_cameras_without_crop +cve-2013-0232

Anything more needed for the security team? Which queue should it be uploaded to?

live well,
  vagrant
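
Review bot: In the packageControl() hunk, escapeshellarg( $command ) turns the whole of $command into a single shell word, so zmpkg.pl now always receives exactly one argument. That stops the ';' in the test request from starting a second command, but any caller that passes a command plus options in one string would change behaviour without an error, so the callers of packageControl() are worth checking. The test request suggests the value arrives from the runState parameter; comparing it against the known run states before exec() is reached would reject bad input instead of handing it to zmpkg.pl quoted. The result of exec() is still discarded here, so a failed zmpkg.pl call stays invisible to the caller.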
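
Review bot: The second functions.php hunk (the zmx10.pl fallback under "Can't connect so use script") is the part the message says could not be tested, so the quoting of --command and --unit-code should be exercised on an X10 setup, or with zmx10.pl stubbed out, before this goes to the security queue. Escaping $status and $key separately is the right shape. If unit codes are always numeric (an assumption; the hunk does not show where $key comes from), an integer check on $key would be tighter than quoting alone. Style point: the new lines use single-quoted strings while the commented-out redirect line just below keeps double quotes.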