
Bug#826443: jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Control: affects -1 zabbix

Dear release team,

I'd like to upload a fix for

  CVE-2016-4338 / ZBX-10741: mysql.size shell command injection
  in zabbix-agent (Closes: #823329).

Diff is attached, please advise if upload is authorised.

Thanks.

-- 
Best wishes,
 Dmitry Smirnov.

---

Human beings, who are almost unique in having the ability to learn from the
experience of others, are also remarkable for their apparent disinclination
to do so.
        -- Mahatma Gandhi


>From 2ffd39e5afbee52833e911f869df975a904b48f1 Mon Sep 17 00:00:00 2001
From: Dmitry Smirnov <onlyjob@member.fsf.org>
Date: Sat, 28 May 2016 17:35:08 +1000
Subject: [PATCH] Upstream patch to fix CVE-2016-4338: mysql.size shell command
 injection in zabbix-agent

---
 debian/changelog               |  7 +++++++
 debian/patches/ZBX-10741.patch | 21 +++++++++++++++++++++
 debian/patches/series          |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 debian/patches/ZBX-10741.patch

diff --git a/debian/changelog b/debian/changelog
index b5d9188..9e6a32c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+zabbix (1:2.2.7+dfsg-2+deb8u1) stable; urgency=medium
+
+  * CVE-2016-4338 / ZBX-10741: fixed mysql.size shell command injection
+    in zabbix-agent (Closes: #823329).
+
+ -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 28 May 2016 17:04:31 +1000
+
 zabbix (1:2.2.7+dfsg-2) unstable; urgency=high
 
   * CVE-2014-9450 (ZBX-8582) fixed SQL injection vulnerability
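Review bot: the new changelog bullet does not name the patch file that carries the fix; adding "New patch ZBX-10741.patch" to the entry would let a reader find the change under debian/patches without opening the diff. The entry also uses urgency=medium while the previous security upload just below it used urgency=high, so it is worth confirming that the lower urgency is intended for a command injection fix.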
diff --git a/debian/patches/ZBX-10741.patch b/debian/patches/ZBX-10741.patch
new file mode 100644
index 0000000..19b6716
--- /dev/null
+++ b/debian/patches/ZBX-10741.patch
@@ -0,0 +1,21 @@
+Last-Update: 2016-05-09
+Forwarded: not-needed
+Origin: upstream, svn://svn.zabbix.com/branches/2.2@59942
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823329
+Bug-Zabbix: https://support.zabbix.com/browse/ZBX-10741
+Description: CVE-2016-4338 fix zabbix-agent/mysql.size shell command injection
+ enforced bash usage in mysql.size user parameter configuration script to
+ avoid issues with different default shells
+
+--- a/conf/zabbix_agentd/userparameter_mysql.conf
++++ b/conf/zabbix_agentd/userparameter_mysql.conf
+@@ -11,8 +11,8 @@
+ # Type may be "data", "index", "free" or "both". Both is a sum of data and index. Default is "both".
+ # Database is mandatory if a table is specified. Type may be specified always.
+ # Returns value in bytes.
+ # 'sum' on data_length or index_length alone needed when we are getting this information for whole database instead of a single table
+-UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N
++UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
+ 
+ UserParameter=mysql.ping,HOME=/var/lib/zabbix mysqladmin ping | grep -c alive
+ UserParameter=mysql.version,mysql -V
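Review bot: the Description header says only that bash usage is enforced, but on the changed UserParameter line $1, $2 and $3 are still substituted into the command text, now inside a single-quoted bash -c argument and inside double-quoted SQL literals, so the header should state what keeps quote characters and other shell metacharacters out of those parameters. The switch from table_schema='$1' to table_schema=\"$1\" (and the same for table_name) also makes the query depend on MySQL treating double-quoted text as a string literal, which does not hold when sql_mode includes ANSI_QUOTES; a comment line above the UserParameter noting that assumption would help administrators who run the server in that mode.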
diff --git a/debian/patches/series b/debian/patches/series
index 0e81f68..d296cba 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+ZBX-10741.patch
 ZBX-8582.patch
 config_debianisation.patch
 config_frontend-conffile-in-etc.patch
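Review bot: ZBX-10741.patch is inserted at the top of series, ahead of ZBX-8582.patch, rather than appended after the existing entries. It only touches conf/zabbix_agentd/userparameter_mysql.conf, so the order is probably harmless, but appending it would keep the already-shipped patches applying in the same sequence as in 1:2.2.7+dfsg-2; otherwise please confirm the full series still applies cleanly in this order.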
-- 
2.8.1

