Debian Bug report logs - #391388
zabbix-server-mysql: remote security problems


Package: zabbix-server-mysql; Maintainer for zabbix-server-mysql is Dmitry Smirnov <onlyjob@debian.org>; Source for zabbix-server-mysql is src:zabbix.

Reported by: metaur@telia.com

Date: Fri, 6 Oct 2006 12:18:07 UTC

Severity: grave

Tags: patch, security

Found in version zabbix/1:1.1.2-2

Done: Michael Ablassmeier <abi@grinser.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>:
Bug#391388; Package zabbix-server-mysql.


Acknowledgement sent to metaur@telia.com:
New Bug report received and forwarded. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Ulf Harnhammar <metaur@telia.com>
To: submit@bugs.debian.org
Subject: zabbix-server-mysql: remote security problems
Date: Fri, 6 Oct 2006 13:37:53 +0200
Subject: zabbix-server-mysql: remote security problems
Package: zabbix-server-mysql
Version: 1:1.1.2-2
Severity: grave
Justification: user security hole
Tags: security patch

Hello,

Max Vozeler and Ulf Harnhammar from the Debian Security Audit Project
have found a number of format string bugs and buffer overflows
affecting zabbix. They allow malicious attackers to cause crashes or
remote execution of arbitrary code.

Here is a test exploit in Perl. If it is run on a machine instead of
the zabbix agent, a format string bug allows the agent to use "%n"
in the format string to crash the server or to write to arbitrary
memory locations, allowing for code execution. I have also attached
a patch which corrects all known security issues in zabbix-1.1.2.

// Max Vozeler and Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages zabbix-server-mysql depends on:
ii  adduser                 3.97             Add and remove users and groups
ii  dbconfig-common         1.8.23           common framework for packaging dat
ii  debconf [debconf-2.0]   1.5.5            Debian configuration management sy
ii  fping                   2.4b2-to-ipv6-14 sends ICMP ECHO_REQUEST packets to
ii  libc6                   2.3.6.ds1-4      GNU C Library: Shared libraries
ii  libldap2                2.1.30-13+b1     OpenLDAP libraries
ii  libmysqlclient15off     5.0.24a-4        mysql database client library
ii  libsnmp9                5.2.3-1          NET SNMP (Simple Network Managemen
ii  logrotate               3.7.1-3          Log rotation utility

Versions of packages zabbix-server-mysql recommends:
ii  mysql-server                  5.0.24a-4  mysql database server (current ver
ii  mysql-server-5.0 [mysql-serve 5.0.24a-4  mysql database server binaries
ii  snmpd                         5.2.3-1    NET SNMP (Simple Network Managemen

-- debconf information:
  zabbix-server-mysql/upgrade-error: abort
  zabbix-server-mysql/dbconfig-reinstall: false
  zabbix-server-mysql/upgrade-backup: true
  zabbix-server-mysql/mysql/admin-user: root
  zabbix-server-mysql/remote/port:
  zabbix-server-mysql/remote/host:
  zabbix-server-mysql/db/dbname: zabbix
  zabbix-server-mysql/dbconfig-remove:
  zabbix-server-mysql/db/app-user: zabbix
  zabbix-server-mysql/database-type: mysql
  zabbix-server-mysql/remove-error: abort
  zabbix-server-mysql/remote/newhost:
  zabbix-server-mysql/purge: false
  zabbix-server-mysql/internal/reconfiguring: false
  zabbix-server-mysql/install-error: retry
  zabbix-server-mysql/passwords-do-not-match:
* zabbix-server-mysql/dbconfig-install: true
  zabbix-server-mysql/mysql/method: unix socket
  zabbix-server-mysql/dbconfig-upgrade: true

[zabbix.security.patch (text/plain, attachment)]
[zabbix-exploiter.pl (text/x-perl, attachment)]
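
Added example (not part of the original report, and not zabbix code): the class of bug described in message #5, where a string received from a peer is passed as the format argument of a printf-style function, shown next to the corrected call. The helper names and the sample value are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logging helper: formats into out. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE pattern: peer-supplied data is interpreted as the format. */
int log_agent_value_unsafe(char *out, size_t n, const char *agent_value)
{
    return log_line(out, n, agent_value);
}

/* FIXED pattern: constant format, peer-supplied data only as an argument. */
int log_agent_value_safe(char *out, size_t n, const char *agent_value)
{
    return log_line(out, n, "%s", agent_value);
}

/* Audit aid: count conversion directives in untrusted data ("%%" is literal). */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *sample = "load=%n%n 50%%";  /* constructed sample value */
    char buf[64];
    log_agent_value_safe(buf, sizeof buf, sample);
    printf("safe log: %s (directives in input: %d)\n",
           buf, count_directives(sample));
    return 0;
}
```

The unsafe variant is only safe to call with data that contains no conversion directives; the fixed variant copies the value verbatim whatever it contains.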

Reply sent to Michael Ablassmeier <abi@grinser.de>:
You have taken responsibility.


Notification sent to metaur@telia.com:
Bug acknowledged by developer.


Message #10 received at 391388-done@bugs.debian.org:

From: Michael Ablassmeier <abi@grinser.de>
To: 391388-done@bugs.debian.org
Subject: [abi@debian.org: Accepted zabbix 1:1.1.2-4 (source all amd64)]
Date: Fri, 6 Oct 2006 14:39:30 +0200
hi,

zabbix 1.1.2-4 has been uploaded to unstable just a few minutes ago :)

----- Forwarded message from Michael Ablassmeier <abi@debian.org> -----

From: Michael Ablassmeier <abi@debian.org>
Date: Fri, 06 Oct 2006 04:48:47 -0700
To: debian-devel-changes@lists.debian.org
Subject: Accepted zabbix 1:1.1.2-4 (source all amd64)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 20 Sep 2006 15:18:55 +0200
Source: zabbix
Binary: zabbix-server-mysql zabbix-agent zabbix-frontend-php
Architecture: source amd64 all
Version: 1:1.1.2-4
Distribution: unstable
Urgency: high
Maintainer: Zabbix Maintainers <kobold-zabbix@debian.org>
Changed-By: Michael Ablassmeier <abi@debian.org>
Description: 
 zabbix-agent - software for monitoring of your networks -- agent
 zabbix-frontend-php - software for monitoring of your servers -- php frontend
 zabbix-server-mysql - software for monitoring of your networks -- server
Changes: 
 zabbix (1:1.1.2-4) unstable; urgency=high
 .
   * Move #DEBHELPER# stanza in zabbix-server-mysql.prerm
     above dbconfig-common call. Server prozess should be
     stopped before database is removed.
   * debian/patches/07_security.dpatch: add patch for security
     issues discovered by the Debian Audit Project. Thanks Ulf
     Harnhammar for the audit.
Files: 
 6f68fa24772cc0afac0fce677c1374a0 806 net optional zabbix_1.1.2-4.dsc
 3449490dda27e9076c8f45290ded15aa 33955 net optional zabbix_1.1.2-4.diff.gz
 e042d86bbd7c20d433867a609e907a90 119096 net optional zabbix-agent_1.1.2-4_amd64.deb
 ff8af003b858b7caecc1eaa1cd9b730d 210228 net optional zabbix-server-mysql_1.1.2-4_amd64.deb
 5e32a7b682a326625f612018ecc8d158 312066 net optional zabbix-frontend-php_1.1.2-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFJj9eEFV7g4B8rCURAtEmAJ48It6qafzWLdrcwjpRX1Zw8tgUKgCgyeMJ
A/tLhJIYp+PRigecknsGkKE=
=D9nR
-----END PGP SIGNATURE-----


Accepted:
zabbix-agent_1.1.2-4_amd64.deb
  to pool/main/z/zabbix/zabbix-agent_1.1.2-4_amd64.deb
zabbix-frontend-php_1.1.2-4_all.deb
  to pool/main/z/zabbix/zabbix-frontend-php_1.1.2-4_all.deb
zabbix-server-mysql_1.1.2-4_amd64.deb
  to pool/main/z/zabbix/zabbix-server-mysql_1.1.2-4_amd64.deb
zabbix_1.1.2-4.diff.gz
  to pool/main/z/zabbix/zabbix_1.1.2-4.diff.gz
zabbix_1.1.2-4.dsc
  to pool/main/z/zabbix/zabbix_1.1.2-4.dsc


----- End forwarded message -----


bye,
    - michael



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2007 01:17:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 1 23:53:04 2024; Machine Name: buxtehude
