Your message dated Thu, 17 Jul 2014 21:40:23 +0000
with message-id <e1x7tpb-0001zp...@franck.debian.org>
and subject line Bug#751910: fixed in zabbix 1:2.2.5+dfsg-1
has caused the Debian Bug report #751910,
regarding zabbix: CVE-2014-3005: local file inclusion via XXE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
751910: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: zabbix Version: 1:2.2.3+dfsg-1 Severity: grave Tags: security Advisory: http://seclists.org/fulldisclosure/2014/Jun/87 Below might be the fix, but please verify. --- Henri Salo svn diff -r46596:46600 Index: frontends/php/include/defines.inc.php =================================================================== --- frontends/php/include/defines.inc.php (revision 46596) +++ frontends/php/include/defines.inc.php (revision 46600) @@ -835,6 +835,9 @@ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts'); +// XML import flags +define('LIBXML_IMPORT_FLAGS', LIBXML_NONET); + // API errors define('ZBX_API_ERROR_INTERNAL', 111); define('ZBX_API_ERROR_PARAMETERS', 100); Index: frontends/php/include/classes/import/readers/CXmlImportReader.php =================================================================== --- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596) +++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46600) @@ -32,7 +32,8 @@ */ public function read($string) { libxml_use_internal_errors(true); - $result = simplexml_load_string($string); + libxml_disable_entity_loader(true); + $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS); if (!$result) { $errors = libxml_get_errors(); libxml_clear_errors(); Index: frontends/php/include/classes/import/CXmlImport18.php =================================================================== --- frontends/php/include/classes/import/CXmlImport18.php (revision 46596) +++ frontends/php/include/classes/import/CXmlImport18.php (revision 46600) @@ -390,12 +390,13 @@ return $array; } - public static function import($file) { + public static function import($source) { libxml_use_internal_errors(true); + libxml_disable_entity_loader(true); $xml = new DOMDocument(); - if (!$xml->loadXML($file)) { + if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) { $text = ''; foreach (libxml_get_errors() as $error) { switch ($error->level) {
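Review bot: LIBXML_NONET, the only flag behind the new LIBXML_IMPORT_FLAGS constant in defines.inc.php, stops libxml2 from fetching DTDs and entities over the network; it does nothing for a SYSTEM entity with a file:// URI, which is exactly the local file inclusion this bug is about. On its own the constant is therefore not a defence, and it only works in combination with the libxml_disable_entity_loader(true) calls added in the other two files; a short comment next to the define saying so would stop a later reader from treating the flag as sufficient. Minor naming point: every other constant in this block uses the project's ZBX_ prefix (ZBX_DEFAULT_IMPORT_HOST_GROUP, ZBX_API_ERROR_INTERNAL), and a name such as ZBX_XML_IMPORT_FLAGS would avoid looking like one of PHP's own LIBXML_* constants.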
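Review bot: in CXmlImportReader::read() the new libxml_disable_entity_loader(true) call changes a libxml setting for the whole PHP process and the hunk never restores it, so every later XML parse in the same request inherits a disabled entity loader, including code that has nothing to do with imports. The function returns the previous value, so capture it and put it back once simplexml_load_string() has returned: `$prev = libxml_disable_entity_loader(true);` before the parse and `libxml_disable_entity_loader($prev);` after it. If the intent is to disable the loader globally as a hardening measure, that belongs in the frontend's bootstrap code rather than in a reader method.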
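Review bot: the $file to $source rename in CXmlImport18::import() is unrelated to the CVE fix and changes the parameter name of a public static method; in a security patch that will be backported to stable it only adds noise, and any docblock or caller that names the parameter sits outside the hunk and would need the same change. The same unrestored libxml_disable_entity_loader(true) concern raised for CXmlImportReader applies here: save the return value and restore it after $xml->loadXML().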
signature.asc
Description: Digital signature
--- End Message ---
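The security point of the patch quoted in the report above is that the two halves of the fix are not interchangeable: LIBXML_NONET blocks network fetches, while libxml_disable_entity_loader(true) is what stops a file:// entity from being read. The following stand-alone PHP script is an added example, not part of the bug report or of Zabbix's code; the function name parseImport(), the zabbix_export/host/name element path and the temporary file standing in for a sensitive file are constructed for the illustration. It parses the same XML document the way the pre-patch CXmlImportReader::read() did and the way the patched one does, and reports whether file contents came back in the host name.

```php
<?php
// Added example, not Zabbix code. Shows why the CVE-2014-3005 fix needs
// libxml_disable_entity_loader(true) and not only LIBXML_NONET.

// Modelled on CXmlImportReader::read(): $hardened = false is the pre-patch
// behaviour, $hardened = true is the patched behaviour.
function parseImport(string $xml, bool $hardened): ?string
{
    libxml_use_internal_errors(true);
    if ($hardened) {
        // Process-wide setting, so save and restore it. On PHP >= 8.0 the
        // loader is already disabled by default and this call is deprecated.
        $prev = libxml_disable_entity_loader(true);
        $doc = simplexml_load_string($xml, null, LIBXML_NONET);
        libxml_disable_entity_loader($prev);
    } else {
        $doc = simplexml_load_string($xml);
    }
    libxml_clear_errors();
    if ($doc === false) {
        return null; // document rejected by the parser
    }
    // SimpleXML substitutes entity references when a node is cast to string,
    // so an external entity that was loaded ends up in the returned value.
    return (string) $doc->host->name;
}

// Constructed "sensitive" file standing in for /etc/passwd or a config file.
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, "DBPassword=hunter2\n");

// Constructed import payload: an external entity pointing at a local file.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE zabbix_export [
  <!ENTITY leak SYSTEM "file://$secretFile">
]>
<zabbix_export><host><name>&leak;</name></host></zabbix_export>
XML;

foreach ([false, true] as $hardened) {
    $name = parseImport($payload, $hardened);
    $leaked = $name !== null && strpos($name, 'DBPassword') !== false;
    printf("%-9s: %s\n", $hardened ? 'patched' : 'unpatched',
        $leaked ? 'file contents leaked into host name' : 'no file contents returned');
}
unlink($secretFile);
```

Run it with a PHP 5 or 7 interpreter to see the unpatched branch return the file contents and the patched branch refuse them. On PHP 8 and later both branches report the same result, because the interpreter disables external entity loading by default; the explicit call is then redundant but harmless apart from a deprecation notice.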
--- Begin Message ---
Source: zabbix
Source-Version: 1:2.2.5+dfsg-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 751...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <only...@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 18 Jul 2014 03:16:47 +1000
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-java-gateway zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.2.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Christoph Haas <h...@debian.org>
Changed-By: Dmitry Smirnov <only...@debian.org>
Description:
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-java-gateway - network monitoring solution - Java gateway
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 744385 749707 751910 752627 754271
Changes:
 zabbix (1:2.2.5+dfsg-1) unstable; urgency=medium
 .
   * New upstream release [July 2014] (Closes: #754271).
     - fixed CVE-2014-3005: local file inclusion via XXE (Closes: #751910).
     - removed PHP-licensed code (Closes: #752627).
     - don't use deprecated function "mbstring.internal_encoding" (Closes: #749707).
   * zabbix-agent: Depends: +pciutils; Recommends: +usbutils (Closes: #744385).
   * Added "debian/gbp.conf".
   * Build-Depends:
     + "libgcrypt-dev" --> "libgcrypt20-dev | libgcrypt-dev".
     + "pkg-config".
   * Replace source-less minified .js files on build-time; added
     "source-is-missing" lintian-overrides; updated "debian/copyright".
Checksums-Sha1:
 fb074adef42adfa6690c1f9129483957957ace6c 2752 zabbix_2.2.5+dfsg-1.dsc
 f35d5831563a51b8376a573e1729d44eeba1cd0e 5907528 zabbix_2.2.5+dfsg.orig.tar.xz
 c04d4ed2bc9165b73f8e043b3fd2fc59e6b010a9 187992 zabbix_2.2.5+dfsg-1.debian.tar.xz
 552a538487ec461100642322f7b94cdecdd62524 315730 zabbix-agent_2.2.5+dfsg-1_amd64.deb
 817abfc68610567b1a054b0246ca0d126b5b36d7 2909488 zabbix-frontend-php_2.2.5+dfsg-1_all.deb
 1d5483ddc593ebe0db9fbcb4338b1924e75ba83b 182528 zabbix-java-gateway_2.2.5+dfsg-1_all.deb
 07167f8f1902fe63680980ab81976d7cf9316ed3 555886 zabbix-proxy-mysql_2.2.5+dfsg-1_amd64.deb
 b153a4d2959855348027671ba176acecc31e3de3 559134 zabbix-proxy-pgsql_2.2.5+dfsg-1_amd64.deb
 9a05a073f4f38b268bd847aba343bc3997e4fccf 542226 zabbix-proxy-sqlite3_2.2.5+dfsg-1_amd64.deb
 91b9adc4c9b557681786e17863caffc17ec5188d 1732974 zabbix-server-mysql_2.2.5+dfsg-1_amd64.deb
 fdd42f71455248be99d4f02e7eb6c7e16676dc1c 1734762 zabbix-server-pgsql_2.2.5+dfsg-1_amd64.deb
Checksums-Sha256:
 c3cc4bc4df0342601470b47496fa3a52fd2024bcdd5410098ed29bac9e41e25f 2752 zabbix_2.2.5+dfsg-1.dsc
 7cd16787fb4f4f1285166677990b211284009e5d87c665806cdf982d0f1f8f93 5907528 zabbix_2.2.5+dfsg.orig.tar.xz
 337269f624afabb37e42be8b3159414dd183ec277e4a5f7add8881e5645a65d2 187992 zabbix_2.2.5+dfsg-1.debian.tar.xz
 7f7c3b7d812636f2f3b2d55cf21965f4f5baad395af69f704c3cc06a8edeba7c 315730 zabbix-agent_2.2.5+dfsg-1_amd64.deb
 4a6e529986a9b3c9ba3d4385c3fe64ac121de093884a0bb6de67d6736c0daa4d 2909488 zabbix-frontend-php_2.2.5+dfsg-1_all.deb
 ba7b16d612ca0f7b61c92fe5ed3094342afe28058f6a8b75d27be1694b682253 182528 zabbix-java-gateway_2.2.5+dfsg-1_all.deb
 a6ba5558a1c7783669bf0f9b7485b777284476f66e9fce4a3695b1df277e6723 555886 zabbix-proxy-mysql_2.2.5+dfsg-1_amd64.deb
 40b15ab4f109af49ff8601d7ea8663574d27b6f2d89bb6f4833e4e1bb7013760 559134 zabbix-proxy-pgsql_2.2.5+dfsg-1_amd64.deb
 ca6d9b045502af64facf6ae35974a540a4686aa05c2a9b867861bdafe0e72dc2 542226 zabbix-proxy-sqlite3_2.2.5+dfsg-1_amd64.deb
 c1ebaad6914a0b36c743b005a5a5a4a8365ca75497e52c6c102f20a9012e3fc5 1732974 zabbix-server-mysql_2.2.5+dfsg-1_amd64.deb
 8af583046a81a742b4932a44450f37b28cf50db7454b10010846ee330c543224 1734762 zabbix-server-pgsql_2.2.5+dfsg-1_amd64.deb
Files:
 541fb503cbd9c0d59692aaed3ca3ace0 315730 net optional zabbix-agent_2.2.5+dfsg-1_amd64.deb
 e30ad15c3adb3e67328723cc1e8ddb0a 2909488 net optional zabbix-frontend-php_2.2.5+dfsg-1_all.deb
 e22899bcba4a646090c6c028d7ee8ef1 182528 net optional zabbix-java-gateway_2.2.5+dfsg-1_all.deb
 7294906f8b0a3b6d36d07add8e49fa30 555886 net optional zabbix-proxy-mysql_2.2.5+dfsg-1_amd64.deb
 f8be05275927612fc135b6e3b06812ec 559134 net optional zabbix-proxy-pgsql_2.2.5+dfsg-1_amd64.deb
 9c67e85e521e1f2c1458ec734b5b3e2a 542226 net optional zabbix-proxy-sqlite3_2.2.5+dfsg-1_amd64.deb
 988ddbd0bebdb628bf7442b7491e4d26 1732974 net optional zabbix-server-mysql_2.2.5+dfsg-1_amd64.deb
 2c152fffbcc78ba557bd5714460bd8a3 1734762 net optional zabbix-server-pgsql_2.2.5+dfsg-1_amd64.deb
 e40a6a4f522212a03713068e93295f48 2752 net optional zabbix_2.2.5+dfsg-1.dsc
 eb1d48cebd0493d34eafc375a1967145 5907528 net optional zabbix_2.2.5+dfsg.orig.tar.xz
 9922cbd49937ba1b9cd91ec5578e1b10 187992 net optional zabbix_2.2.5+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTyDn9AAoJEFK2u9lTlo0btKoP/ipKvRDSiU2pdBt4B77crEvR
nHiWehjSaQyisxhr0gvyOcqeTuTEIilicMf6erK6FJraCXJwk17BhIjsLLGQcioM
IeIWp/HLxBXMshC7wlTJWyfHvfvPWqj/0dTy6uxw8eyHaNrnQyMloeLlaRtBoIem
xHzMbV/m1GhN2X2WlVnbkUcS4EXxCVRGFwOjR4LmL0oAOM/3q9+mOdsvTJTihdd+
GuYCnbgwG2U5Q/iJL1nw8+X687hLGwwPovn9uN9si7syiTtKnjm80q+DwB0FqL6t
cAmqzMB9gQHHLGKezHnvFUETdoy+58/RsYR1IrUoVE6Q+DhjxFqcRWRsxjBO/fL/
662YglQBGe4ot+OWg9FOBS/9Utztq/Ha4itrCre0wJDpcZho6kWSH7FvThBLxvQZ
V/bLQ+knqi9l5rPuVIKpOlgHK+Cd9lWprGjSTq/0VV5NQYQfPq0qDyXrW/vu33K4
hh4rHmNjhR4y+/y4V9KDCdbE4+aOpudJCEoCRLSCTMNp74f4JCWxujaa1zcsskKt
bAI5RQ9nUeQQjKnh++7htbk4dBq47z4/g5YVFT2JCsA2+QkHTw8vfr7e1uhMUW5P
uC9YFuF1SlFBUETCgiGlnNfpjyAtU/UGABWSQmTwqogNKp7iB4h2LrcxCHrSTGXy
4213lrcvkdQoOzw1fGD5
=WM+C
-----END PGP SIGNATURE-----
--- End Message ---