
Bug#725757: opu: zabbix/1:1.8.2-1squeeze5



On Fri, 11 Oct 2013 05:00:41 you wrote:
> For the record, that all comes to "8 files changed, 6906 insertions(+),
> 5 deletions(-)", which is considerably more than I was expecting, given
> how close we are to the update window closing.
> 
> A lot of it appears to be a (possibly over-cautious) belt and braces
> approach to
> 
> >   * CVE-2013-5743: fixed SQL injection vulnerability.
> 
> escaping basically every use of a string anywhere near an SQL statement.
> I do hope that someone's actually checked that none of those additions
> of zbx_dbstr() introduces any bugs; I certainly don't know what any of
> the variables might contain in order to judge. :-(

Well, that's a heavy patch, but it was specifically made by upstream
developers for the very version of Zabbix that we have in Squeeze.  I
applied it as-is without any modifications. If you wish, we can ask
upstream for comments.

In Squeeze I tested an instance of Zabbix-1.8.2 with this patch applied
and couldn't see any regressions. I doubt there is anything more I
could possibly do to ensure the safety of this patch.


> There's also
> 
> >   * CVE-2011-3263: prevent zabbix_agentd DoS attack with vfs.file.cksum.
> 
>  patches/ZBX-3794+ZBX-3830.patch      |  540 +++
> 
> There's quite a lot of noise in that patch, of the general form
> 
> ++	int		ret = SYSINFO_RET_FAIL;
> [...]
> +-	if (num_param(param) > 1)
> +-		return SYSINFO_RET_FAIL;
> ++	if (1 < num_param(param))
> ++		goto err;
> [...]
> +-	return SYSINFO_RET_OK;
> ++	ret = SYSINFO_RET_OK;
> ++err:
> ++	return ret;
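Review bot: the `ret = SYSINFO_RET_FAIL` / `goto err` rewrite in this hunk is behaviour-preserving only because, in the lines shown, nothing sits between `err:` and `return ret;`; a single exit point earns its churn only if the elided regions add cleanup at that label, and if they do, the patch header should say so. Otherwise the early `return SYSINFO_RET_FAIL;` was clearer, and this refactoring (including the reversed comparison `if (1 < num_param(param))`) should be split out of the security fix so that the `vfs.file.cksum` change itself can be reviewed on its own.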
> 
> afaics, the net effect of that change is nothing. I realise (having let
> git-svn chew through the branch) that the noise is in upstream's
> original patch, but it really doesn't make it easy to review.

Apologies if this patch is not perfect. I backported this particular
patch a long time ago and (unlike SQL injections, which I find
difficult to test) I verified that the patch fixes the DoS attack on
"vfs.file.cksum" on Zabbix-1.8.2/Squeeze. I'm quite confident that it
works as expected. I don't remember whether renaming those variables
was necessary to apply other patches...

I built the Zabbix packages using `qemubuilder` and tested them in a
dedicated Squeeze VM.

Adam, please advise if you feel more confident with uploading just the
patch for the SQL injection and leaving all the other changes behind.

-- 
Best wishes,
 Dmitry Smirnov.
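
Editor's worked example (added here; this is not code from the Zabbix
project, from the Debian package, or from either poster). The review
above raises two distinct questions about a patch that wraps every
string argument in zbx_dbstr(): does the quoting helper actually
neutralise a payload, and does wrapping an argument whose format string
was already written as '%s' change the SQL that gets sent. Both are
mechanically checkable without knowing what each variable holds: build
the statement and count the string literals in it. The sql_quote()
below is a hypothetical stand-in using MySQL-style backslash escaping
(one of several dialect-dependent conventions); it is not a claim about
how zbx_dbstr() is implemented, and the table/column names and the
"srv1" and "' or 1=1 --" inputs are constructed for the example.

```c
/* Added example: harness for reviewing a blanket "quote every string
 * argument" SQL-injection fix.  sql_quote() is a HYPOTHETICAL stand-in
 * for a helper like zbx_dbstr(); the queries and inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated SQL string literal 'escaped' (caller frees).
 * MySQL-style: backslash and single quote are prefixed with a backslash. */
char *sql_quote(const char *s)
{
    size_t n = strlen(s), i, j = 0;
    char *out = malloc(2 * n + 3);      /* every byte escaped + 2 quotes + NUL */
    if (!out)
        return NULL;
    out[j++] = '\'';
    for (i = 0; i < n; i++) {
        if (s[i] == '\'' || s[i] == '\\')
            out[j++] = '\\';
        out[j++] = s[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Substitute lit for the single %s in fmt; frees lit, returns new query. */
static char *build(const char *fmt, char *lit)
{
    if (!lit)
        return NULL;
    size_t len = strlen(fmt) + strlen(lit) + 1;
    char *q = malloc(len);
    if (q)
        snprintf(q, len, fmt, lit);
    free(lit);
    return q;
}

/* Pre-fix call-site style: quotes live in the format, raw value is spliced in. */
char *query_host_unquoted(const char *host)
{
    char *raw = malloc(strlen(host) + 1);
    if (raw)
        strcpy(raw, host);
    return build("select hostid from hosts where host='%s'", raw);
}

/* Correctly patched call site: bare %s, argument is the quoted literal. */
char *query_host_quoted(const char *host)
{
    return build("select hostid from hosts where host=%s", sql_quote(host));
}

/* The regression class the review worries about: the format kept its '%s'
 * AND the argument was wrapped, yielding host=''srv1''. */
char *query_host_double_quoted(const char *host)
{
    return build("select hostid from hosts where host='%s'", sql_quote(host));
}

/* Count single-quoted literals, honouring backslash escapes inside them.
 * Sets *unterminated if the text ends inside an open literal. */
int count_literals(const char *sql, int *unterminated)
{
    int count = 0, in_lit = 0;
    for (const char *p = sql; *p; p++) {
        if (!in_lit) {
            if (*p == '\'') { in_lit = 1; count++; }
        } else if (*p == '\\' && p[1]) {
            p++;                        /* skip the escaped byte */
        } else if (*p == '\'') {
            in_lit = 0;
        }
    }
    *unterminated = in_lit;
    return count;
}

/* Review check: a correctly quoted value yields exactly one literal per %s.
 * Returns the literal count, -1 if a literal is left open, -2 on NULL; frees sql. */
int literals_in(char *sql)
{
    if (!sql)
        return -2;
    int unterminated = 0;
    int n = count_literals(sql, &unterminated);
    free(sql);
    return unterminated ? -1 : n;
}

/* Quote in, compare with expected, free; 1 on match. */
int quote_matches(const char *in, const char *expected)
{
    char *lit = sql_quote(in);
    int ok = lit && strcmp(lit, expected) == 0;
    free(lit);
    return ok;
}

int main(void)
{
    const char *payload = "' or 1=1 --";
    char *a = query_host_unquoted(payload), *b = query_host_quoted(payload);
    char *c = query_host_double_quoted("srv1");
    printf("unquoted:      %s\nquoted:        %s\ndouble-quoted: %s\n", a, b, c);
    free(a); free(b); free(c);
    return 0;
}
```

Run over every call site a patch touches, the rule "exactly one literal
per string argument, none left open" flags both the original injection
(the literal is closed early and a dangling quote remains) and the
double-quoting regression (two literals and a bare identifier where one
literal was intended), which is the check the reviewer could not do by
reading 6,906 added lines.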

