On Mon, Feb 25, 2013 at 12:28:33PM +0100, Salvatore Bonaccorso wrote:
> On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> > Anything more needed for the security team? Which queue should it be
> > uploaded to?
>
> Apologies for the delay. Could you also address #700912 (CVE-2013-0332)
> for the stable-security update.
>
> I think we can proceed afterwards.

I've prepared an upload in the "squeeze" branch of the hg repository, which required a little backporting of the patches, but haven't yet tested it... hope to test tomorrow, or I may not get to it till the following week... http://anonscm.debian.org/hg/collab-maint/zoneminder/ or a debdiff: diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog --- zoneminder-1.24.2/debian/changelog 2011-01-15 19:40:08.000000000 -0800 +++ zoneminder-1.24.2/debian/changelog 2013-02-26 17:20:05.000000000 -0800 @@ -1,3 +1,15 @@ +zoneminder (1.24.2-8+squeeze1) UNRELEASED; urgency=high + + * Add CVE-2013-0232 patch + [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content. + Thanks to James McCoy <james...@debian.org> (Closes: #698910) + Thanks also to Salvatore Bonaccorso <car...@debian.org> + * Add CVE-2013-0332 patch + [SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912). + Thanks to Salvatore Bonaccorso <car...@debian.org> for the patch. + + -- Vagrant Cascadian <vagr...@debian.org> Tue, 26 Feb 2013 17:20:02 -0800 + zoneminder (1.24.2-8) unstable; urgency=medium [ Vagrant Cascadian ] diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0232 zoneminder-1.24.2/debian/patches/cve-2013-0232 --- zoneminder-1.24.2/debian/patches/cve-2013-0232 1969-12-31 16:00:00.000000000 -0800 +++ zoneminder-1.24.2/debian/patches/cve-2013-0232 2013-02-26 16:55:03.000000000 -0800 
@@ -0,0 +1,24 @@ +From: James McCoy <james...@debian.org> +Bug-Debian: http://bugs.debian.org/698910 +Subject: shell escape commands with untrusted content +--- a/web/includes/functions.php ++++ b/web/includes/functions.php +@@ -905,7 +905,7 @@ + + function packageControl( $command ) + { +- $string = ZM_PATH_BIN."/zmpkg.pl $command"; ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command ); + $string .= " 2>/dev/null >&- <&- >/dev/null"; + exec( $string ); + } +@@ -2145,7 +2145,8 @@ + else + { + // Can't connect so use script +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key"; ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status ); ++ $command .= ' --unit-code '.escapeshellarg( $key ); + //$command .= " 2>/dev/null >&- <&- >/dev/null"; + $x10Response = exec( $command ); + } diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0332 zoneminder-1.24.2/debian/patches/cve-2013-0332 --- zoneminder-1.24.2/debian/patches/cve-2013-0332 1969-12-31 16:00:00.000000000 -0800 +++ zoneminder-1.24.2/debian/patches/cve-2013-0332 2013-02-26 17:18:18.000000000 -0800 
@@ -0,0 +1,71 @@ +From: Salvatore Bonaccorso <car...@debian.org> +Bug-Debian: http://bugs.debian.org/700912 +Subject: CVE-2013-0332: local file inclusion vulnerability +Bug-Upstream: http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979 + +Backported r3483 and r3488 from upstream svn to fix CVE-2013-0332. + +Index: zoneminder/web/includes/functions.php +=================================================================== +--- zoneminder.orig/web/includes/functions.php 2013-02-26 17:07:02.000000000 -0800 ++++ zoneminder/web/includes/functions.php 2013-02-26 17:08:10.806977380 -0800 +@@ -2231,13 +2231,21 @@ + return( rand( 1, 999999 ) ); + } + ++function detaintPath( $path ) ++{ ++ // Remove any absolute paths, or relative ones that want to go up ++ $path = preg_replace( '/\.\.+\/\/*/', '', $path ); ++ $path = preg_replace( '/^\/\/*/', '', $path ); ++ return( $path ); ++} ++ + function getSkinFile( $file ) + { + global $skinBase; + $skinFile = false; + foreach ( $skinBase as $skin ) + { +- $tempSkinFile = 'skins'.'/'.$skin.'/'.$file; ++ $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file ); + if ( file_exists( $tempSkinFile ) ) + $skinFile = $tempSkinFile; + } +@@ -2250,7 +2258,7 @@ + $skinFile = false; + foreach ( $skinBase as $skin ) + { +- $tempSkinFile = 'skins'.'/'.$skin.'/'.$file; ++ $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file ); + if ( file_exists( $tempSkinFile ) ) + $skinFile = $tempSkinFile; + } +Index: zoneminder/web/index.php +=================================================================== +--- zoneminder.orig/web/index.php 2013-02-26 16:55:04.000000000 -0800 ++++ zoneminder/web/index.php 2013-02-26 17:13:03.376428137 -0800 +@@ -96,10 +96,13 @@ + require_once( 'includes/functions.php' ); + + if ( isset($_REQUEST['view']) ) +- $view = validHtmlStr($_REQUEST['view']); ++ $view = detaintPath($_REQUEST['view']); ++ ++if ( isset($_REQUEST['request']) ) ++ $request = detaintPath($_REQUEST['request']); + + if ( 
isset($_REQUEST['action']) ) +- $action = validHtmlStr($_REQUEST['action']); ++ $action = detaintPath($_REQUEST['action']); + + require_once( 'includes/actions.php' ); + +@@ -108,7 +111,6 @@ + + if ( isset( $_REQUEST['request'] ) ) + { +- $request = validHtmlStr($_REQUEST['request']); + foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile ) + { + if ( !file_exists( $includeFile ) ) diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series --- zoneminder-1.24.2/debian/patches/series 2011-01-14 12:01:53.000000000 -0800 +++ zoneminder-1.24.2/debian/patches/series 2013-02-26 16:56:45.000000000 -0800 @@ -7,3 +7,5 @@ suppported-typo use_libjs-mootools fix_v4l2_cameras_without_crop +cve-2013-0232 +cve-2013-0332 live well, vagrant
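
Review bot: The new entry in the debian/changelog hunk still has UNRELEASED as its distribution, which cannot go to the stable-security queue mentioned in the quoted request; set it to the security suite for squeeze once the backport has been tested. The two bullet points are otherwise clear about which bug each patch closes.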
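
Review bot: In the packageControl() hunk of debian/patches/cve-2013-0232, escapeshellarg( $command ) turns the whole value into a single shell word, so any caller that passes zmpkg.pl more than one word now hands it one argument; check the callers, and consider also rejecting values outside the set of commands zmpkg.pl accepts before exec() is reached. The zmx10.pl hunk escapes $status and $key separately, which is the shape to follow. The patch header carries From, Bug-Debian and Subject but, unlike the cve-2013-0332 header with its Bug-Upstream field, says nothing about whether the fix was forwarded upstream.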
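
Review bot: detaintPath() in the functions.php part of debian/patches/cve-2013-0332 rewrites a hostile path instead of refusing it, and in getSkinFile() and in the hunk at -2250 it is applied to the already concatenated 'skins'.'/'.$skin.'/'.$file, where the second rule ('/^\/\/*/') can never match because the string starts with "skins". Consider sanitising $file on its own and then confirming containment with realpath() against the skin directory before file_exists(), returning false on a mismatch. The first rule only removes dot runs that are followed by a slash, so a bare trailing ".." passes through unchanged; either cover that in the pattern or say so in the function comment.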
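
Review bot: In the index.php hunks of debian/patches/cve-2013-0332, $view, $action and $request lose validHtmlStr() at the same time as they gain detaintPath(), so whatever HTML escaping validHtmlStr() provided no longer applies to these request values; if any of them is echoed back into a page later, that is a regression. Either apply both filters or restrict the values to an explicit pattern (letters, digits, underscore, hyphen) and reject the request otherwise. The lines shown do not use $action to build a path, so a short comment on why detaintPath() is the right filter for it would help the next reader.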