Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#700912; Package zoneminder.
(Tue, 19 Feb 2013 08:57:04 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Howard <pjh@northern-ridge.com.au>.
(Tue, 19 Feb 2013 08:57:04 GMT)
Package: zoneminder
Version: 1.24.2-8
Severity: grave
Tags: security patch
Justification: user security hole
Control: fixed -1 1.25.0-1
Hi
In the zoneminder forum there is the following security patch announcement:
http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
1.24.2-8 is affected by this file inclusion vulnerability.
Attached are the patches from svn, r3483 and r3488.
Note: upstream 1.25.0 has a slightly modified detaint function:
function detaintPath( $path )
{
    // Remove any absolute paths, or relative ones that want to go up:
    // the first pattern strips a dot followed by one or more repetitions of
    // (dots, then one or more slashes), so "../", "../../" and "..//" are all
    // removed; the second strips leading slashes so the result is never absolute
    $path = preg_replace( '/\.(?:\.+[\\/][\\/]*)+/', '', $path );
    $path = preg_replace( '/^[\\/]+/', '', $path );
    return( $path );
}
Regards
Salvatore
Marked as fixed in versions zoneminder/1.25.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 19 Feb 2013 08:57:04 GMT)
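The detaint function quoted in the report above, exercised against constructed traversal inputs and set beside a positive containment check on realpath(). This is an added example written for this page, not code from the bug report or from ZoneMinder itself: only the detaintPath() body is copied from the report; resolveUnderBase(), the temporary base directory, the stub include file and every input value are assumptions of the example.

```php
<?php
// Added example (not from the bug report or from ZoneMinder, except the
// detaintPath() body copied from the report). It runs the 1.25.0 detaintPath()
// over constructed traversal attempts and contrasts that denylist with a
// hypothetical positive check: resolve the candidate under a fixed base
// directory and accept it only if it stays inside.

function detaintPath( $path )
{
    // Remove any absolute paths, or relative ones that want to go up
    $path = preg_replace( '/\.(?:\.+[\\/][\\/]*)+/', '', $path );
    $path = preg_replace( '/^[\\/]+/', '', $path );
    return( $path );
}

// Hypothetical hardened variant (an assumption of this example, not upstream
// code): only accept $path if it resolves to an existing file inside $base.
function resolveUnderBase( $base, $path )
{
    $realBase = realpath( $base );
    $candidate = realpath( $base . '/' . $path );
    if ( $realBase === false || $candidate === false )
        return false;               // base missing, or target does not exist
    // The resolved path must be the base itself or lie strictly below it
    if ( $candidate !== $realBase && strpos( $candidate, $realBase . '/' ) !== 0 )
        return false;               // resolved outside the base directory
    return $candidate;
}

// Constructed fixture: a base directory holding one legitimate include.
$base = sys_get_temp_dir() . '/detaint_demo_' . getmypid();
mkdir( $base, 0700 );
mkdir( $base . '/skins', 0700 );
file_put_contents( $base . '/skins/classic.php', "<?php // stub\n" );

// Constructed attacker-controlled values, as they might arrive in a request.
$inputs = array(
    'skins/classic.php',            // legitimate
    '../../../../etc/passwd',       // relative traversal
    '/etc/passwd',                  // absolute path
    'skins/..//..//etc/passwd',     // doubled slashes between the dots
    'skins/../skins/classic.php',   // traversal that stays inside the base
);

foreach ( $inputs as $in )
{
    $detainted = detaintPath( $in );
    $resolved = resolveUnderBase( $base, $in );
    printf( "%-30s -> detaint: %-26s realpath check: %s\n",
        $in, $detainted, $resolved === false ? 'REJECT' : 'accept' );
}

// Remove the fixture again
unlink( $base . '/skins/classic.php' );
rmdir( $base . '/skins' );
rmdir( $base );
```

Run it with the php command-line interpreter. The two approaches disagree on the last input: detaintPath() rewrites it to a path that does not exist, while the realpath() check accepts it because it resolves back inside the base. The point of the containment check is that it does not have to enumerate bad patterns; it asks the filesystem where the path actually ends up and compares that against the one directory includes are allowed to come from, which is the check to keep alongside any regex-based detainting.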
Information forwarded
to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#700912; Package zoneminder.
(Thu, 21 Feb 2013 08:27:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>.
(Thu, 21 Feb 2013 08:27:03 GMT)
Subject: Re: Bug#700912: zoneminder: local file inclusion vulnerability
Date: Thu, 21 Feb 2013 09:23:02 +0100
Control: retitle -1 zoneminder: CVE-2013-0332: local file inclusion vulnerability
Hi
A CVE was assigned now to this issue: CVE-2013-0332.
Regards,
Salvatore
Changed Bug title to 'zoneminder: CVE-2013-0332: local file inclusion vulnerability' from 'zoneminder: local file inclusion vulnerability'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 700912-submit@bugs.debian.org.
(Thu, 21 Feb 2013 08:27:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#700912; Package zoneminder.
(Mon, 25 Feb 2013 11:33:04 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>.
(Mon, 25 Feb 2013 11:33:05 GMT)
Hi Vagrant and Peter
On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> Anything more needed for the security team? Which queue should it be
> uploaded to?
Apologies for the delay. Could you also address #700912 (CVE-2013-0332)
for the stable-security update.
I think we can proceed afterwards.
Thank you for preparing updated packages!
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>: Bug#700912; Package zoneminder.
(Wed, 27 Feb 2013 01:45:05 GMT)
Acknowledgement sent
to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>.
(Wed, 27 Feb 2013 01:45:05 GMT)
Cc: 698910@bugs.debian.org,
Moritz Mühlenhoff <jmm@inutil.org>,
team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>,
700912@bugs.debian.org
Subject: Bug#700912: fixed in zoneminder 1.24.2-8+squeeze1
Date: Sun, 17 Mar 2013 00:47:39 +0000
Source: zoneminder
Source-Version: 1.24.2-8+squeeze1
We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700912@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated zoneminder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 Mar 2013 11:29:20 -0800
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.2-8+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Description:
zoneminder - Linux video camera security and surveillance solution
Closes: 698910 700912
Changes:
zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high
.
* Add CVE-2013-0232 patch
[SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
Thanks also to Salvatore Bonaccorso <carnil@debian.org>
* Add CVE-2013-0332 patch
[SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912).
Thanks to Salvatore Bonaccorso <carnil@debian.org> for the patch.
Checksums-Sha1:
ae8f0f4b6efe78716884bc1e7c90d7540e953160 2163 zoneminder_1.24.2-8+squeeze1.dsc
ea854c941b83374a352d7d794a4462e279fea487 965521 zoneminder_1.24.2.orig.tar.gz
e48447bcbc7dff2fc0298df6bc945c228a2a3f02 16354 zoneminder_1.24.2-8+squeeze1.debian.tar.gz
52df39684bdf4a824093307f08e4feb0f6089634 1452144 zoneminder_1.24.2-8+squeeze1_i386.deb
Checksums-Sha256:
fcf53e1f74a319e01b5ebc27bac5fbd6206361a1009bb71b838408375bd6a30a 2163 zoneminder_1.24.2-8+squeeze1.dsc
fd8475138ccee8870534f1210a3d1e3e1990e963dd73146a6d310dc71c463dca 965521 zoneminder_1.24.2.orig.tar.gz
49dc4eca5d00d895a66d69429624dbf1c6bcd292a24869ea198a1ac49a07113b 16354 zoneminder_1.24.2-8+squeeze1.debian.tar.gz
076ea52707b213172ddde42420d27dc0de7d5c0d865651700d50d48af589a1f8 1452144 zoneminder_1.24.2-8+squeeze1_i386.deb
Files:
5948f712a603d4ea59dff82b3c0cd13d 2163 net optional zoneminder_1.24.2-8+squeeze1.dsc
550d2f8f08852134028c3b1cf8fa437f 965521 net optional zoneminder_1.24.2.orig.tar.gz
65fc0a8d14f672dd3c6cf8586abdf086 16354 net optional zoneminder_1.24.2-8+squeeze1.debian.tar.gz
df954eec140564bac3f36dcb5c8e4fc9 1452144 net optional zoneminder_1.24.2-8+squeeze1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 02 Jun 2013 07:36:02 GMT)
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.