Debian Bug report logs - #700912
zoneminder: CVE-2013-0332: local file inclusion vulnerability


Package: zoneminder; Maintainer for zoneminder is Peter Howard <pjh@northern-ridge.com.au>; Source for zoneminder is src:zoneminder.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 Feb 2013 08:57:01 UTC

Severity: grave

Tags: patch, security

Found in version zoneminder/1.24.2-8

Fixed in versions zoneminder/1.25.0-1, zoneminder/1.24.2-8+squeeze1

Done: Vagrant Cascadian <vagrant@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Howard <pjh@northern-ridge.com.au>:
Bug#700912; Package zoneminder. (Tue, 19 Feb 2013 08:57:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Howard <pjh@northern-ridge.com.au>. (Tue, 19 Feb 2013 08:57:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zoneminder: local file inclusion vulnerability
Date: Tue, 19 Feb 2013 09:53:37 +0100

Package: zoneminder
Version: 1.24.2-8
Severity: grave
Tags: security patch
Justification: user security hole
Control: fixed -1 1.25.0-1

Hi

In the zoneminder forum there is the following security patch announcement:

 http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979

1.24.2-8 is affected by this file inclusion vulnerability.

Attached are the patches from svn, r3483 and r3488.

Note: upstream 1.25.0 has a slightly modified detaint function:

function detaintPath( $path )
{
    // Remove any absolute paths, or relative ones that want to go up
    $path = preg_replace( '/\.(?:\.+[\\/][\\/]*)+/', '', $path );
    $path = preg_replace( '/^[\\/]+/', '', $path );
    return( $path );
}

Regards
Salvatore
[zoneminder_r3483.patch (text/x-diff, attachment)]
[zoneminder_r3488.patch (text/x-diff, attachment)]
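
An added example, not code from ZoneMinder or from the attached patches: a stricter check that could sit beside detaintPath(), allowlisting the request name and confirming with realpath() that the resolved file stays under the skin directory. resolveSkinFile(), the temporary directory layout and the sample request names are assumptions made for the illustration.

```php
<?php
// Added illustration. Only detaintPath() is taken from the thread (the
// backported r3483/r3488 form); everything else is hypothetical.
function detaintPath( $path )
{
    // Remove any absolute paths, or relative ones that want to go up
    $path = preg_replace( '/\.\.+\/\/*/', '', $path );
    $path = preg_replace( '/^\/\/*/', '', $path );
    return( $path );
}

// Hypothetical resolver: allowlist the name first, then confirm the
// resolved file still lives under the skin directory before any include.
function resolveSkinFile( $skinRoot, $name )
{
    if ( !is_string( $name ) || !preg_match( '/^[A-Za-z0-9_-]+$/', $name ) )
        return( false );
    $root = realpath( $skinRoot );
    $file = realpath( $skinRoot.'/ajax/'.$name.'.php' );
    if ( $root === false || $file === false )
        return( false );
    // Containment check: also catches symlinks, which a string filter cannot see.
    if ( strncmp( $file, $root.DIRECTORY_SEPARATOR, strlen( $root ) + 1 ) !== 0 )
        return( false );
    return( $file );
}

// Constructed fixture: one skin with one ajax handler, plus a file outside it.
$base = sys_get_temp_dir().'/zm-lfi-demo-'.getmypid();
mkdir( $base.'/skins/classic/ajax', 0700, true );
file_put_contents( $base.'/skins/classic/ajax/status.php', '<?php // handler' );
file_put_contents( $base.'/outside.php', '<?php // not a handler' );

// Constructed request values: one valid name, one relative, one absolute, one absent.
$skin = $base.'/skins/classic';
foreach ( array( 'status', '../../../outside', '/outside', 'missing' ) as $request )
{
    $resolved = resolveSkinFile( $skin, $request );
    printf( "%-18s detaintPath=%-10s resolver=%s\n", $request,
        detaintPath( $request ), $resolved === false ? 'rejected' : 'accepted' );
}
```

The string filter rewrites a hostile name into something that may or may not exist, while the resolver rejects it outright, which is the behaviour that is easier to log and alert on.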

Marked as fixed in versions zoneminder/1.25.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 19 Feb 2013 08:57:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>:
Bug#700912; Package zoneminder. (Thu, 21 Feb 2013 08:27:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Thu, 21 Feb 2013 08:27:03 GMT)

Message #12 received at 700912@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 700912@bugs.debian.org
Subject: Re: Bug#700912: zoneminder: local file inclusion vulnerability
Date: Thu, 21 Feb 2013 09:23:02 +0100

Control: retitle -1 zoneminder: CVE-2013-0332: local file inclusion vulnerability

Hi

A CVE was assigned now to this issue: CVE-2013-0332.

Regards,
Salvatore



Changed Bug title to 'zoneminder: CVE-2013-0332: local file inclusion vulnerability' from 'zoneminder: local file inclusion vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to 700912-submit@bugs.debian.org. (Thu, 21 Feb 2013 08:27:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>:
Bug#700912; Package zoneminder. (Mon, 25 Feb 2013 11:33:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Mon, 25 Feb 2013 11:33:05 GMT)

Message #19 received at 700912@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Vagrant Cascadian <vagrant@debian.org>, 698910@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>, 700912@bugs.debian.org
Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability
Date: Mon, 25 Feb 2013 12:28:33 +0100

Hi Vagrant and Peter

On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> Anything more needed for the security team? Which queue should it be
> uploaded to?

Apologies for the delay. Could you also address #700912 (CVE-2013-0332)
for the stable-security update?

I think we can proceed afterwards.

Thank you for preparing updated packages!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>:
Bug#700912; Package zoneminder. (Wed, 27 Feb 2013 01:45:05 GMT)

Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>. (Wed, 27 Feb 2013 01:45:05 GMT)

Message #24 received at 700912@bugs.debian.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 698910@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>, 700912@bugs.debian.org
Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability
Date: Tue, 26 Feb 2013 17:41:52 -0800

On Mon, Feb 25, 2013 at 12:28:33PM +0100, Salvatore Bonaccorso wrote:
> On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> > Anything more needed for the security team? Which queue should it be
> > uploaded to?
> 
> Apologies for the delay. Could you also address #700912 (CVE-2013-0332)
> for the stable-security update?
> 
> I think we can proceed afterwards.

I've prepared an upload in the "squeeze" branch of the hg repository, which
required a little backporting of the patches, but haven't yet tested it... hope
to test tomorrow, or I may not get to it till the following week...

  http://anonscm.debian.org/hg/collab-maint/zoneminder/

or a debdiff:

diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog
--- zoneminder-1.24.2/debian/changelog  2011-01-15 19:40:08.000000000 -0800
+++ zoneminder-1.24.2/debian/changelog  2013-02-26 17:20:05.000000000 -0800
@@ -1,3 +1,15 @@
+zoneminder (1.24.2-8+squeeze1) UNRELEASED; urgency=high
+
+  * Add CVE-2013-0232 patch
+    [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
+    Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
+    Thanks also to Salvatore Bonaccorso <carnil@debian.org>
+  * Add CVE-2013-0332 patch
+    [SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912).
+    Thanks to Salvatore Bonaccorso <carnil@debian.org> for the patch.
+
+ -- Vagrant Cascadian <vagrant@debian.org>  Tue, 26 Feb 2013 17:20:02 -0800
+
 zoneminder (1.24.2-8) unstable; urgency=medium

   [ Vagrant Cascadian ]
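
Review bot: The new entry at the top of debian/changelog still names UNRELEASED as its distribution, which is not an upload target; set it to the suite requested for this update (the thread asks for stable-security) before building the package that goes to the security team.
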
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0232 zoneminder-1.24.2/debian/patches/cve-2013-0232
--- zoneminder-1.24.2/debian/patches/cve-2013-0232      1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0232      2013-02-26 16:55:03.000000000 -0800
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+-    $string = ZM_PATH_BIN."/zmpkg.pl $command";
++    $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+     $string .= " 2>/dev/null >&- <&- >/dev/null";
+     exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+     else
+     {
+         // Can't connect so use script
+-        $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++        $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++        $command .= ' --unit-code '.escapeshellarg( $key );
+         //$command .= " 2>/dev/null >&- <&- >/dev/null";
+         $x10Response = exec( $command );
+     }
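
Review bot: In packageControl(), escapeshellarg( $command ) hands zmpkg.pl the whole string as a single argument, so any call site that passes a command followed by further space-separated words would change behaviour; confirm every caller passes one word, or escape each word on its own as the zmx10.pl hunk does for $status and $key. The patch file also goes straight from Subject: to the diff with no blank line or description, unlike cve-2013-0332.
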
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0332 zoneminder-1.24.2/debian/patches/cve-2013-0332
--- zoneminder-1.24.2/debian/patches/cve-2013-0332      1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0332      2013-02-26 17:18:18.000000000 -0800
@@ -0,0 +1,71 @@
+From: Salvatore Bonaccorso <carnil@debian.org>
+Bug-Debian: http://bugs.debian.org/700912
+Subject: CVE-2013-0332: local file inclusion vulnerability
+Bug-Upstream: http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
+
+Backported r3483 and r3488 from upstream svn to fix CVE-2013-0332.
+
+Index: zoneminder/web/includes/functions.php
+===================================================================
+--- zoneminder.orig/web/includes/functions.php 2013-02-26 17:07:02.000000000 -0800
++++ zoneminder/web/includes/functions.php      2013-02-26 17:08:10.806977380 -0800
+@@ -2231,13 +2231,21 @@
+     return( rand( 1, 999999 ) );
+ }
+
++function detaintPath( $path )
++{
++    // Remove any absolute paths, or relative ones that want to go up
++    $path = preg_replace( '/\.\.+\/\/*/', '', $path );
++    $path = preg_replace( '/^\/\/*/', '', $path );
++    return( $path );
++}
++
+ function getSkinFile( $file )
+ {
+     global $skinBase;
+     $skinFile = false;
+     foreach ( $skinBase as $skin )
+     {
+-        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
++        $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
+         if ( file_exists( $tempSkinFile ) )
+             $skinFile = $tempSkinFile;
+     }
+@@ -2250,7 +2258,7 @@
+     $skinFile = false;
+     foreach ( $skinBase as $skin )
+     {
+-        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
++        $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
+         if ( file_exists( $tempSkinFile ) )
+             $skinFile = $tempSkinFile;
+     }
+Index: zoneminder/web/index.php
+===================================================================
+--- zoneminder.orig/web/index.php      2013-02-26 16:55:04.000000000 -0800
++++ zoneminder/web/index.php   2013-02-26 17:13:03.376428137 -0800
+@@ -96,10 +96,13 @@
+ require_once( 'includes/functions.php' );
+
+ if ( isset($_REQUEST['view']) )
+-    $view = validHtmlStr($_REQUEST['view']);
++    $view = detaintPath($_REQUEST['view']);
++
++if ( isset($_REQUEST['request']) )
++    $request = detaintPath($_REQUEST['request']);
+
+ if ( isset($_REQUEST['action']) )
+-    $action = validHtmlStr($_REQUEST['action']);
++    $action = detaintPath($_REQUEST['action']);
+
+ require_once( 'includes/actions.php' );
+
+@@ -108,7 +111,6 @@
+
+ if ( isset( $_REQUEST['request'] ) )
+ {
+-    $request = validHtmlStr($_REQUEST['request']);
+     foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
+     {
+         if ( !file_exists( $includeFile ) )
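
Review bot: In web/index.php the assignments for view, request and action replace validHtmlStr() with detaintPath() rather than applying both, so whatever validHtmlStr() did for these values is no longer applied; if any of them is later written into a page, keep it, for example detaintPath( validHtmlStr( $_REQUEST['view'] ) ), or escape at the point of output. In getSkinFile() and the function after it, detaintPath() is called on the already joined 'skins'.'/'.$skin.'/'.$file string, where the leading-slash rule can never match; a comment stating which inputs the filter is meant to cover, or an allowlist on the request names, would make the intent checkable.
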
diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series
--- zoneminder-1.24.2/debian/patches/series     2011-01-14 12:01:53.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/series     2013-02-26 16:56:45.000000000 -0800
@@ -7,3 +7,5 @@
 suppported-typo
 use_libjs-mootools
 fix_v4l2_cameras_without_crop
+cve-2013-0232
+cve-2013-0332


live well,
  vagrant



Reply sent to Vagrant Cascadian <vagrant@debian.org>:
You have taken responsibility. (Sun, 17 Mar 2013 00:51:15 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Mar 2013 00:51:15 GMT)

Message #29 received at 700912-close@bugs.debian.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: 700912-close@bugs.debian.org
Subject: Bug#700912: fixed in zoneminder 1.24.2-8+squeeze1
Date: Sun, 17 Mar 2013 00:47:39 +0000
Source: zoneminder
Source-Version: 1.24.2-8+squeeze1

We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700912@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Mar 2013 11:29:20 -0800
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.2-8+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Description: 
 zoneminder - Linux video camera security and surveillance solution
Closes: 698910 700912
Changes: 
 zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high
 .
   * Add CVE-2013-0232 patch
     [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
     Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
     Thanks also to Salvatore Bonaccorso <carnil@debian.org>
   * Add CVE-2013-0332 patch
     [SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912).
     Thanks to Salvatore Bonaccorso <carnil@debian.org> for the patch.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:36:02 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:06:18 2014; Machine Name: buxtehude.debian.org