Hi

On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > Some additional information: In most usual cases where zoneminder is
> > set up, there should be authentication first. So this limits somehow
> > the vulnerability.
>
> The attached patch should address the issue, but I don't have a setup to
> test.

The patches look like they address the issue mentioned. What I've done:

- Built both for Squeeze and unstable (debdiffs attached)
- Installed zoneminder in a VM, confirmed that for both stable and unstable version zoneminder is vulnerable.
- Installed the patched packages to verify the vulnerability.

NOTE: I was not able to test setDeviceStatusX10 part, but the code fix is going the same by James:

> +--- a/web/includes/functions.php > ++++ b/web/includes/functions.php > +@@ -905,7 +905,7 @@ > + > + function packageControl( $command ) > + { > +- $string = ZM_PATH_BIN."/zmpkg.pl $command"; > ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command ); > + $string .= " 2>/dev/null >&- <&- >/dev/null"; > + exec( $string ); > + } > +@@ -2145,7 +2145,8 @@ > + else > + { > + // Can't connect so use script > +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code > $key"; > ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( > $status ); > ++ $command .= ' --unit-code '.escapeshellarg( $key ); > + //$command .= " 2>/dev/null >&- <&- >/dev/null"; > + $x10Response = exec( $command ); > + }

Security Team, how to proceed? Can/will a DSA be released for it?

Regards,
Salvatore
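Review bot: in the packageControl() hunk, escapeshellarg( $command ) turns the whole of $command into a single shell word, so any caller that passes more than one word now hands zmpkg.pl one argument containing spaces. It is worth checking the callers for that case. If the values zmpkg.pl accepts form a fixed set, comparing $command against that set before the exec() would be a stricter guard than quoting alone.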
diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog --- zoneminder-1.24.2/debian/changelog 2011-01-16 04:40:08.000000000 +0100 +++ zoneminder-1.24.2/debian/changelog 2013-02-11 22:38:45.000000000 +0100 @@ -1,3 +1,12 @@ +zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-0232 patch + [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content. + Thanks to James McCoy <james...@debian.org> (Closes: #698910) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 11 Feb 2013 22:32:17 +0100 + zoneminder (1.24.2-8) unstable; urgency=medium [ Vagrant Cascadian ] diff -Nru zoneminder-1.24.2/debian/patches/CVE-2013-0232 zoneminder-1.24.2/debian/patches/CVE-2013-0232 --- zoneminder-1.24.2/debian/patches/CVE-2013-0232 1970-01-01 01:00:00.000000000 +0100 +++ zoneminder-1.24.2/debian/patches/CVE-2013-0232 2013-02-11 22:38:45.000000000 +0100 
@@ -0,0 +1,24 @@ +From: James McCoy <james...@debian.org> +Bug-Debian: http://bugs.debian.org/698910 +Subject: shell escape commands with untrusted content +--- a/web/includes/functions.php ++++ b/web/includes/functions.php +@@ -905,7 +905,7 @@ + + function packageControl( $command ) + { +- $string = ZM_PATH_BIN."/zmpkg.pl $command"; ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command ); + $string .= " 2>/dev/null >&- <&- >/dev/null"; + exec( $string ); + } +@@ -2145,7 +2145,8 @@ + else + { + // Can't connect so use script +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key"; ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status ); ++ $command .= ' --unit-code '.escapeshellarg( $key ); + //$command .= " 2>/dev/null >&- <&- >/dev/null"; + $x10Response = exec( $command ); + } diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series --- zoneminder-1.24.2/debian/patches/series 2011-01-14 21:01:53.000000000 +0100 +++ zoneminder-1.24.2/debian/patches/series 2013-02-11 22:38:45.000000000 +0100 @@ -7,3 +7,4 @@ suppported-typo use_libjs-mootools fix_v4l2_cameras_without_crop +CVE-2013-0232
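Review bot: in the second functions.php hunk (@@ -2145,7 +2145,8 @@), escapeshellarg() keeps $status and $key from being interpreted by the shell, but a value that begins with "-" still reaches zmx10.pl, where it may be read as an option rather than as the value of --command or --unit-code. This is also the path reported in the thread as untested, so consider validating $status and $key against the values the caller expects before building $command, and exercising the fallback branch once before upload.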
diff -Nru zoneminder-1.25.0/debian/changelog zoneminder-1.25.0/debian/changelog --- zoneminder-1.25.0/debian/changelog 2012-08-28 21:10:05.000000000 +0200 +++ zoneminder-1.25.0/debian/changelog 2013-02-11 22:33:50.000000000 +0100 @@ -1,3 +1,12 @@ +zoneminder (1.25.0-3.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-0232 patch + [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content. + Thanks to James McCoy <james...@debian.org> (Closes: #698910) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 10 Feb 2013 21:41:28 +0100 + zoneminder (1.25.0-3) unstable; urgency=low * debian/rules: Export CFLAGS, CPPFLAGS, CXXFLAGS and LDFLAGS, to ensure diff -Nru zoneminder-1.25.0/debian/patches/CVE-2013-0232 zoneminder-1.25.0/debian/patches/CVE-2013-0232 --- zoneminder-1.25.0/debian/patches/CVE-2013-0232 1970-01-01 01:00:00.000000000 +0100 +++ zoneminder-1.25.0/debian/patches/CVE-2013-0232 2013-02-11 22:33:50.000000000 +0100 
@@ -0,0 +1,24 @@ +From: James McCoy <james...@debian.org> +Bug-Debian: http://bugs.debian.org/698910 +Subject: shell escape commands with untrusted content +--- a/web/includes/functions.php ++++ b/web/includes/functions.php +@@ -905,7 +905,7 @@ + + function packageControl( $command ) + { +- $string = ZM_PATH_BIN."/zmpkg.pl $command"; ++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command ); + $string .= " 2>/dev/null >&- <&- >/dev/null"; + exec( $string ); + } +@@ -2145,7 +2145,8 @@ + else + { + // Can't connect so use script +- $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key"; ++ $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status ); ++ $command .= ' --unit-code '.escapeshellarg( $key ); + //$command .= " 2>/dev/null >&- <&- >/dev/null"; + $x10Response = exec( $command ); + } diff -Nru zoneminder-1.25.0/debian/patches/series zoneminder-1.25.0/debian/patches/series --- zoneminder-1.25.0/debian/patches/series 2012-08-23 21:36:42.000000000 +0200 +++ zoneminder-1.25.0/debian/patches/series 2013-02-11 22:33:50.000000000 +0100 @@ -11,3 +11,4 @@ include-avutil-mathematics-header Fix-FTBFS-with-gcc-4.7 do_not_check_for_updates_by_default +CVE-2013-0232
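Review bot: the header of debian/patches/CVE-2013-0232 carries From, Bug-Debian and Subject but nothing that records whether the fix has been sent upstream. Adding a Forwarded: field (and optionally Last-Update:) would let a later maintainer see at a glance whether the patch can be dropped on the next upstream release.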