Acknowledgement sent to metaur@telia.com:
New Bug report received and forwarded. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.
(full text, mbox, link).
Subject: zabbix-server-mysql: remote security problems
Package: zabbix-server-mysql
Version: 1:1.1.2-2
Severity: grave
Justification: user security hole
Tags: security patch
Hello,
Max Vozeler and Ulf Harnhammar from the Debian Security Audit Project
have found a number of format string bugs and buffer overflows
affecting zabbix. They allow malicious attackers to cause crashes or
remote execution of arbitrary code.
Here is a test exploit in Perl. If it is run on a machine instead of
the zabbix agent, a format string bug allows the agent to use "%n"
in the format string to crash the server or to write to arbitrary
memory locations, allowing for code execution. I have also attached
a patch which corrects all known security issues in zabbix-1.1.2.
// Max Vozeler and Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages zabbix-server-mysql depends on:
ii adduser 3.97 Add and remove users and groups
ii dbconfig-common 1.8.23 common framework for packaging dat
ii debconf [debconf-2.0] 1.5.5 Debian configuration management sy
ii fping 2.4b2-to-ipv6-14 sends ICMP ECHO_REQUEST packets to
ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
ii libldap2 2.1.30-13+b1 OpenLDAP libraries
ii libmysqlclient15off 5.0.24a-4 mysql database client library
ii libsnmp9 5.2.3-1 NET SNMP (Simple Network Managemen
ii logrotate 3.7.1-3 Log rotation utility
Versions of packages zabbix-server-mysql recommends:
ii mysql-server 5.0.24a-4 mysql database server (current ver
ii mysql-server-5.0 [mysql-serve 5.0.24a-4 mysql database server binaries
ii snmpd 5.2.3-1 NET SNMP (Simple Network Managemen
-- debconf information:
zabbix-server-mysql/upgrade-error: abort
zabbix-server-mysql/dbconfig-reinstall: false
zabbix-server-mysql/upgrade-backup: true
zabbix-server-mysql/mysql/admin-user: root
zabbix-server-mysql/remote/port:
zabbix-server-mysql/remote/host:
zabbix-server-mysql/db/dbname: zabbix
zabbix-server-mysql/dbconfig-remove:
zabbix-server-mysql/db/app-user: zabbix
zabbix-server-mysql/database-type: mysql
zabbix-server-mysql/remove-error: abort
zabbix-server-mysql/remote/newhost:
zabbix-server-mysql/purge: false
zabbix-server-mysql/internal/reconfiguring: false
zabbix-server-mysql/install-error: retry
zabbix-server-mysql/passwords-do-not-match:
* zabbix-server-mysql/dbconfig-install: true
zabbix-server-mysql/mysql/method: unix socket
zabbix-server-mysql/dbconfig-upgrade: true
Subject: [abi@debian.org: Accepted zabbix 1:1.1.2-4 (source all amd64)]
Date: Fri, 6 Oct 2006 14:39:30 +0200
hi,
zabbix 1.1.2-4 has been uploaded to unstable just a few minutes ago :)
----- Forwarded message from Michael Ablassmeier <abi@debian.org> -----
From: Michael Ablassmeier <abi@debian.org>
Date: Fri, 06 Oct 2006 04:48:47 -0700
To: debian-devel-changes@lists.debian.org
Subject: Accepted zabbix 1:1.1.2-4 (source all amd64)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 20 Sep 2006 15:18:55 +0200
Source: zabbix
Binary: zabbix-server-mysql zabbix-agent zabbix-frontend-php
Architecture: source amd64 all
Version: 1:1.1.2-4
Distribution: unstable
Urgency: high
Maintainer: Zabbix Maintainers <kobold-zabbix@debian.org>
Changed-By: Michael Ablassmeier <abi@debian.org>
Description:
zabbix-agent - software for monitoring of your networks -- agent
zabbix-frontend-php - software for monitoring of your servers -- php frontend
zabbix-server-mysql - software for monitoring of your networks -- server
Changes:
zabbix (1:1.1.2-4) unstable; urgency=high
.
* Move #DEBHELPER# stanza in zabbix-server-mysql.prerm
above dbconfig-common call. Server prozess should be
stopped before database is removed.
* debian/patches/07_security.dpatch: add patch for security
issues discovered by the Debian Audit Project. Thanks Ulf
Harnhammar for the audit.
Files:
6f68fa24772cc0afac0fce677c1374a0 806 net optional zabbix_1.1.2-4.dsc
3449490dda27e9076c8f45290ded15aa 33955 net optional zabbix_1.1.2-4.diff.gz
e042d86bbd7c20d433867a609e907a90 119096 net optional zabbix-agent_1.1.2-4_amd64.deb
ff8af003b858b7caecc1eaa1cd9b730d 210228 net optional zabbix-server-mysql_1.1.2-4_amd64.deb
5e32a7b682a326625f612018ecc8d158 312066 net optional zabbix-frontend-php_1.1.2-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFJj9eEFV7g4B8rCURAtEmAJ48It6qafzWLdrcwjpRX1Zw8tgUKgCgyeMJ
A/tLhJIYp+PRigecknsGkKE=
=D9nR
-----END PGP SIGNATURE-----
Accepted:
zabbix-agent_1.1.2-4_amd64.deb
to pool/main/z/zabbix/zabbix-agent_1.1.2-4_amd64.deb
zabbix-frontend-php_1.1.2-4_all.deb
to pool/main/z/zabbix/zabbix-frontend-php_1.1.2-4_all.deb
zabbix-server-mysql_1.1.2-4_amd64.deb
to pool/main/z/zabbix/zabbix-server-mysql_1.1.2-4_amd64.deb
zabbix_1.1.2-4.diff.gz
to pool/main/z/zabbix/zabbix_1.1.2-4.diff.gz
zabbix_1.1.2-4.dsc
to pool/main/z/zabbix/zabbix_1.1.2-4.dsc
----- End forwarded message -----
bye,
- michael
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 19 Jun 2007 01:17:09 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.