Bug#725757: opu: zabbix/1:1.8.2-1squeeze5
On Fri, 11 Oct 2013 05:00:41 you wrote:
> For the record, that all comes to "8 files changed, 6906 insertions(+),
> 5 deletions(-)", which is considerably more than I was expecting, given
> how close we are to the update window closing.
>
> A lot of it appears to be a (possibly over-cautious) belt and braces
> approach to
>
> > * CVE-2013-5743: fixed SQL injection vulnerability.
>
> escaping basically every use of a string anywhere near an SQL statement.
> I do hope that someone's actually checked that none of those additions
> of zbx_dbstr() introduces any bugs; I certainly don't know what any of
> the variables might contain in order to judge. :-(
Well, that's a heavy patch but it was specifically made by upstream
developers for the very version of Zabbix that we have in Squeeze. I
applied it as-is without any modifications. If you wish we can ask
upstream for comments.
In Squeeze I tested an instance of Zabbix-1.8.2 with this patch applied
and couldn't see any regressions. I doubt there is anything more I
could possibly do to ensure the safety of this patch.
> There's also
>
> > * CVE-2011-3263: prevent zabbix_agentd DoS attack with vfs.file.cksum.
>
> patches/ZBX-3794+ZBX-3830.patch | 540 +++
>
> There's quite a lot of noise in that patch, of the general form
>
> ++ int ret = SYSINFO_RET_FAIL;
> [...]
> +- if (num_param(param) > 1)
> +- return SYSINFO_RET_FAIL;
> ++ if (1 < num_param(param))
> ++ goto err;
> [...]
> +- return SYSINFO_RET_OK;
> ++ ret = SYSINFO_RET_OK;
> ++err:
> ++ return ret;
>
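Review bot: as excerpted, the early-return to goto-err rewrite is behaviour-preserving, since `ret` is initialised to SYSINFO_RET_FAIL and every `goto err` path therefore returns exactly what the replaced `return SYSINFO_RET_FAIL;` did, while the success path sets `ret = SYSINFO_RET_OK;` before falling through `err:`. A single-exit label normally earns its keep by hosting cleanup (closing whatever vfs.file.cksum opened) between the body and `err:`, but the `[...]` elisions hide whether any such cleanup was added, so the excerpt cannot show whether this is pure noise or the carrier of the fix. Suggest asking upstream, or noting in the patch header, which lines constitute the actual DoS fix so the mechanical restructuring can be reviewed separately; also note that any future failure path wanting a code other than SYSINFO_RET_FAIL must assign `ret` before its `goto err`, which the old early-return style made impossible to forget.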
> afaics, the net effect of that change is nothing. I realise (having let
> git-svn chew through the branch) that the noise is in upstream's
> original patch, but it really doesn't make it easy to review.
Apologies if this patch is not perfect. This particular patch I
backported a long time ago and (unlike the SQL injections, which I find
difficult to test) I verified that the patch fixes the DoS attack on
"vfs.file.cksum" on Zabbix-1.8.2/Squeeze. I'm quite confident that it
works as expected. I don't remember whether the renaming of those
variables was necessary to apply other patches...
I built Zabbix packages using `qemubuilder` and tested 'em in a
dedicated Squeeze VM.
Adam, please advise if you feel more confident with uploading just the
patch for the SQL injection and leaving all other changes behind.
--
Best wishes,
Dmitry Smirnov.