Bug#725757: opu: zabbix/1:1.8.2-1squeeze5
On Tue, 2013-10-08 at 12:13 +1000, Dmitry Smirnov wrote:
> I'd like to deliver several security fixes to Zabbix in Squeeze.
>
> (Security team advised to proceed through OPU "since the oldstable
> point update happens very soon anyway and we have many other open
> issues with higher priority").
"Yay".
> Below is a new changelog section, full diff is attached.
For the record, that all comes to "8 files changed, 6906 insertions(+),
5 deletions(-)", which is considerably more than I was expecting, given
how close we are to the update window closing.
A lot of it appears to be a (possibly over-cautious) belt and braces
approach to
> * CVE-2013-5743: fixed SQL injection vulnerability.
escaping basically every use of a string anywhere near an SQL statement.
I do hope that someone's actually checked that none of those additions
of zbx_dbstr() introduces any bugs; I certainly don't know what any of
the variables might contain in order to judge. :-(
There's also
> * CVE-2011-3263: prevent zabbix_agentd DoS attack with vfs.file.cksum.
patches/ZBX-3794+ZBX-3830.patch | 540 +++
There's quite a lot of noise in that patch, of the general form
++ int ret = SYSINFO_RET_FAIL;
[...]
+- if (num_param(param) > 1)
+- return SYSINFO_RET_FAIL;
++ if (1 < num_param(param))
++ goto err;
[...]
+- return SYSINFO_RET_OK;
++ ret = SYSINFO_RET_OK;
++err:
++ return ret;
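Review bot: the `err:` label at the end of this excerpt is also reached on the success path, since `ret = SYSINFO_RET_OK;` falls straight through to it, so the name is misleading; a neutral name such as `out` would read better. In the lines shown, nothing runs at the label except `return ret;`, so replacing the early `return SYSINFO_RET_FAIL;` with `goto err;` does not change behaviour here, and the reordering to `1 < num_param(param)` is purely stylistic. Carrying this restructuring as a separate change from the functional vfs.file.cksum fix would make the security-relevant part easier to audit.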
afaics, the net effect of that change is nothing. I realise (having let
git-svn chew through the branch) that the noise is in upstream's
original patch, but it really doesn't make it easy to review.
Regards,
Adam