[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#826443: marked as done (jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1)

Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #826443,
regarding jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
826443: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826443
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Control: affects -1 zabbix

Dear release team,

I'd like to upload fix for

  CVE-2016-4338 / ZBX-10741: mysql.size shell command injection
  in zabbix-agent (Closes: #823329).

Diff is attached, please advise if upload is authorised.

Thanks.

-- 
Best wishes,
 Dmitry Smirnov.

---

Human beings, who are almost unique in having the ability to learn from the
experience of others, are also remarkable for their apparent disinclination
to do so.
        -- Mahatma Gandhi

Attachment: signature.asc
Description: This is a digitally signed message part.

>From 2ffd39e5afbee52833e911f869df975a904b48f1 Mon Sep 17 00:00:00 2001
From: Dmitry Smirnov <onlyjob@member.fsf.org>
Date: Sat, 28 May 2016 17:35:08 +1000
Subject: [PATCH] Upstream patch to fix CVE-2016-4338: mysql.size shell command
 injection in zabbix-agent

---
 debian/changelog               |  7 +++++++
 debian/patches/ZBX-10741.patch | 21 +++++++++++++++++++++
 debian/patches/series          |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 debian/patches/ZBX-10741.patch

diff --git a/debian/changelog b/debian/changelog
index b5d9188..9e6a32c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+zabbix (1:2.2.7+dfsg-2+deb8u1) stable; urgency=medium
+
+  * CVE-2016-4338 / ZBX-10741: fixed mysql.size shell command injection
+    in zabbix-agent (Closes: #823329).
+
+ -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 28 May 2016 17:04:31 +1000
+
 zabbix (1:2.2.7+dfsg-2) unstable; urgency=high
 
   * CVE-2014-9450 (ZBX-8582) fixed SQL injection vulnerability
diff --git a/debian/patches/ZBX-10741.patch b/debian/patches/ZBX-10741.patch
new file mode 100644
index 0000000..19b6716
--- /dev/null
+++ b/debian/patches/ZBX-10741.patch
@@ -0,0 +1,21 @@
+Last-Update: 2016-05-09
+Forwarded: not-needed
+Origin: upstream, svn://svn.zabbix.com/branches/2.2@59942
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823329
+Bug-Zabbix: https://support.zabbix.com/browse/ZBX-10741
+Description: CVE-2016-4338 fix zabbix-agent/mysql.size shell command injection
+ enforced bash usage in mysql.size user parameter configuration script to
+ avoid issues with different default shells
+
+--- a/conf/zabbix_agentd/userparameter_mysql.conf
++++ b/conf/zabbix_agentd/userparameter_mysql.conf
+@@ -11,8 +11,8 @@
+ # Type may be "data", "index", "free" or "both". Both is a sum of data and index. Default is "both".
+ # Database is mandatory if a table is specified. Type may be specified always.
+ # Returns value in bytes.
+ # 'sum' on data_length or index_length alone needed when we are getting this information for whole database instead of a single table
+-UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N
++UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'
+ 
+ UserParameter=mysql.ping,HOME=/var/lib/zabbix mysqladmin ping | grep -c alive
+ UserParameter=mysql.version,mysql -V
diff --git a/debian/patches/series b/debian/patches/series
index 0e81f68..d296cba 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+ZBX-10741.patch
 ZBX-8582.patch
 config_debianisation.patch
 config_frontend-conffile-in-etc.patch
-- 
2.8.1

--- End Message ---
--- Begin Message --- 
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: