tags 479034 + patch
thanks

Hi,
I intend to NMU this bug. Attached is a patch to fix this
issue. It will also be archived at:
http://people.debian.org/~nion/nmu-diff/zoneminder-1.23.2-2_1.23.2-2.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u zoneminder-1.23.2/debian/patches/00list zoneminder-1.23.2/debian/patches/00list
--- zoneminder-1.23.2/debian/patches/00list
+++ zoneminder-1.23.2/debian/patches/00list
@@ -3,0 +4 @@
+CVE-2008-1381.dpatch
diff -u zoneminder-1.23.2/debian/changelog zoneminder-1.23.2/debian/changelog
--- zoneminder-1.23.2/debian/changelog
+++ zoneminder-1.23.2/debian/changelog
@@ -1,3 +1,12 @@
+zoneminder (1.23.2-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix arbitrary code execution with privileges of the
+    webserver user via crafted URLs because of unescaped user
+    input (CVE-2008-1381.dpatch; Closes: #479034).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Sun, 04 May 2008 14:34:07 +0200
+
 zoneminder (1.23.2-2) unstable; urgency=low
 
   * Update to init.d
only in patch2:
unchanged:
--- zoneminder-1.23.2.orig/debian/patches/CVE-2008-1381.dpatch
+++ zoneminder-1.23.2/debian/patches/CVE-2008-1381.dpatch
@@ -0,0 +1,167 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-1381.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad zoneminder-1.23.2~/web/zm_export_funcs.php zoneminder-1.23.2/web/zm_export_funcs.php
+--- zoneminder-1.23.2~/web/zm_export_funcs.php	2007-09-17 15:47:13.000000000 +0200
++++ zoneminder-1.23.2/web/zm_export_funcs.php	2008-05-04 14:36:46.000000000 +0200
+@@ -304,7 +304,7 @@
+ 		{
+ 			$archive = "temp/".$export_root.".tar.gz";
+ 			@unlink( $archive );
+-			$command = "tar --create --gzip --file=$archive --files-from=$list_file";
++			$command = "tar --create --gzip --file=".escapeshellarg($archive)." --files-from=".escapeshellarg($list_file);
+ 			exec( $command, $output, $status );
+ 			if ( $status )
+ 			{
+@@ -319,7 +319,7 @@
+ 			$archive = "temp/zm_export.zip";
+ 			$archive = "temp/".$export_root.".zip";
+ 			@unlink( $archive );
+-			$command = "cat $list_file | zip -q $archive -@";
++			$command = "cat ".escapeshellarg($list_file)." | zip -q ".escapeshellarg($archive)." -@";
+ 			exec( $command, $output, $status );
+ 			if ( $status )
+ 			{
+diff -urNad zoneminder-1.23.2~/web/zm_funcs.php zoneminder-1.23.2/web/zm_funcs.php
+--- zoneminder-1.23.2~/web/zm_funcs.php	2008-02-21 00:11:24.000000000 +0100
++++ zoneminder-1.23.2/web/zm_funcs.php	2008-05-04 14:36:46.000000000 +0200
+@@ -792,20 +792,20 @@
+ 
+ function packageControl( $command )
+ {
+-	$string = ZM_PATH_BIN."/zmpkg.pl $command";
++	$string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ 	$string .= " 2>/dev/null >&- <&- >/dev/null";
+ 	exec( $string );
+ }
+ 
+ function daemonControl( $command, $daemon=false, $args=false )
+ {
+-	$string = ZM_PATH_BIN."/zmdc.pl $command";
++	$string = ZM_PATH_BIN."/zmdc.pl ".escapeshellarg( $command );
+ 	if ( $daemon )
+ 	{
+-		$string .= " $daemon";
++		$string .= " ".escapeshellarg( $daemon );
+ 		if ( $args )
+ 		{
+-			$string .= " $args";
++			$string .= " ".escapeshellarg( $args );
+ 		}
+ 	}
+ 	$string .= " 2>/dev/null >&- <&- >/dev/null";
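Review bot: Wrapping `$args` in a single escapeshellarg() on the new side of daemonControl turns the whole string into one argv entry for zmdc.pl, so if any caller passes several space-separated options in `$args` (the parameter name suggests it may), zmdc.pl now receives them as one unrecognised argument and the start/stop request fails; the callers are not visible in this hunk, so confirm against them. If `$args` is a list, either change callers to pass an array and escape per element, or split here, e.g. `$string .= " ".implode( " ", array_map( 'escapeshellarg', preg_split( '/\s+/', trim( $args ) ) ) );`, accepting that an option value with embedded spaces would then be split too. The same single-argument wrapping is applied to `$args` in the zmdc.pl check hunk that follows.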
+@@ -955,9 +955,9 @@
+ 	$string = ZM_PATH_BIN."/zmdc.pl check";
+ 	if ( $daemon )
+ 	{
+-		$string .= " $daemon";
++		$string .= " ".escapeshellarg( $daemon );
+ 		if ( $args )
+-			$string .= " $args";
++			$string .= " ".escapeshellarg( $args );
+ 	}
+ 	$result = exec( $string );
+ 	return( preg_match( '/running/', $result ) );
+@@ -1035,7 +1035,7 @@
+ 		{
+ 			if ( ZM_WEB_SCALE_THUMBS )
+ 			{
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet $fraction | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > $thumb_path";
++				$command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast ".escapeshellarg( $image_path )." | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet ".escapeshellarg( $fraction )." | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > ".escapeshellarg( $thumb_path );
+ 				exec( $command );
+ 			}
+ 			else
+@@ -1099,7 +1099,7 @@
+ 		$command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -s ".sprintf( "%.2f", ($scale/SCALE_BASE) );
+ 	if ( $overwrite )
+ 		$command .= " -o";
+-	$result = exec( $command, $output, $status );
++	$result = exec( escapeshellcmd( $command ), $output, $status );
+ 	return( $status?"":rtrim($result) );
+ }
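Review bot: Applying escapeshellcmd() to the assembled command at the exec() call still permits argument injection, because that function escapes shell metacharacters but leaves whitespace alone; a `$format` value such as `mpeg -o x` reaches zmvideo.pl as additional options. The values should be escaped individually where the command is built, e.g. `" -e ".escapeshellarg( $event['Id'] )." -f ".escapeshellarg( $format )`, with `$rate` and `$scale` already forced numeric by sprintf(). The enclosing function starts outside the hunk, so whether `$format` is checked against a whitelist before this point is not visible here. The zm_xhtml_view_video.php hunk uses the same escapeshellcmd()-at-exec pattern and needs the same treatment.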
+ 
+@@ -1121,7 +1121,7 @@
+ 
+ function executeFilter( $filter )
+ {
+-	$command = ZM_PATH_BIN."/zmfilter.pl --filter ".$filter;
++	$command = ZM_PATH_BIN."/zmfilter.pl --filter ".escapeshellarg( $filter );
+ 	$result = exec( $command, $output, $status );
+ 	dbQuery( "delete from Filters where Name like '_TempFilter%'" );
+ 	return( $status );
+@@ -1339,14 +1339,14 @@
+ 
+ 				$filter['query'] .= $term_sep."filter[terms][$i][op]=".urlencode($filter['terms'][$i]['op']);
+ 				$filter['fields'] .= "<input type=\"hidden\" name=\"filter[terms][$i][op]\" value=\"".htmlspecialchars($filter['terms'][$i]['op'])."\"/>\n";
+-				$filter['query'] .= $term_sep."filter[terms][$i][val]=".urlencode(urlencode($filter['terms'][$i]['val']));
++				$filter['query'] .= $term_sep."filter[terms][$i][val]=".urlencode($filter['terms'][$i]['val']);
+ 				$filter['fields'] .= "<input type=\"hidden\" name=\"filter[terms][$i][val]\" value=\"".htmlspecialchars($filter['terms'][$i]['val'])."\"/>\n";
+ 			}
+ 			if ( isset($filter['terms'][$i]['cbr']) )
+ 			{
+ 				$filter['query'] .= $term_sep."filter[terms][$i][cbr]=".urlencode($filter['terms'][$i]['cbr']);
+ 				$filter['sql'] .= " ".str_repeat( ")", $filter['terms'][$i]['cbr'] )." ";
+-				$filter['fields'] .= "<input type=\"hidden\" \"name=filter[terms][$i][cbr]\" value=\"".htmlspecialchars($filter['terms'][$i]['cbr'])."\"/>\n";
++				$filter['fields'] .= "<input type=\"hidden\" name=\"filter[terms][$i][cbr]\" value=\"".htmlspecialchars($filter['terms'][$i]['cbr'])."\"/>\n";
+ 			}
+ 		}
+         if ( $filter['sql'] )
+@@ -1927,13 +1927,7 @@
+     {
+         // Can't connect so use script
+     	$command = ZM_PATH_BIN."/zmx10.pl --command $status --key $key";
+-	    //$command .= " 2>/dev/null >&- <&- >/dev/null";
+-	    $result = exec( $string );
+-	    if ( preg_match( '/^'.$key.'\s+(.*)/', $result, $matches ) )
+-		    $status = $matches[1];
+-	    else
+-		    $status = "unknown";
+-        $x10_response = exec( escapeshellcmd( $x10_command ) );
++        $x10_response = exec( escapeshellcmd( $command ) );
+     }
+ 	if ( preg_match( '/^'.$key.'\s+(.*)/', $x10_response, $matches ) )
+ 		$status = $matches[1];
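Review bot: In the zmx10.pl fallback, `$status` and `$key` are still interpolated raw into `$command` and only escapeshellcmd() is applied at exec(); since escapeshellcmd() does not touch whitespace, either value containing a space can inject further options into the zmx10.pl invocation. Build the command as `ZM_PATH_BIN."/zmx10.pl --command ".escapeshellarg( $status )." --key ".escapeshellarg( $key )` and drop the escapeshellcmd() wrapper. `$key` is also inserted unquoted into the preg_match() pattern on the following context line, so a key containing regex metacharacters would alter or break the match; use `'/^'.preg_quote( $key, '/' ).'\s+(.*)/'`. The enclosing function and the branch that sets `$x10_response` when the socket connection succeeds lie outside this hunk.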
+diff -urNad zoneminder-1.23.2~/web/zm_xhtml_view_event.php zoneminder-1.23.2/web/zm_xhtml_view_event.php
+--- zoneminder-1.23.2~/web/zm_xhtml_view_event.php	2008-02-21 00:11:24.000000000 +0100
++++ zoneminder-1.23.2/web/zm_xhtml_view_event.php	2008-05-04 14:36:46.000000000 +0200
+@@ -260,10 +260,9 @@
+ 		{
+ 			$anal_image = preg_replace( "/capture/", "analyse", $capt_image );
+ 			if ( file_exists( $anal_image ) )
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $anal_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($anal_image)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ 			else
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $capt_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
+-			#exec( escapeshellcmd( $command ) );
++				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($capt_image)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ 			exec( $command );
+ 		}
+ 	}
+diff -urNad zoneminder-1.23.2~/web/zm_xhtml_view_eventdetails.php zoneminder-1.23.2/web/zm_xhtml_view_eventdetails.php
+--- zoneminder-1.23.2~/web/zm_xhtml_view_eventdetails.php	2008-02-21 00:11:24.000000000 +0100
++++ zoneminder-1.23.2/web/zm_xhtml_view_eventdetails.php	2008-05-04 14:36:46.000000000 +0200
+@@ -67,7 +67,7 @@
+ 				$fraction = sprintf( "%.2f", $scale/100 );
+ 			if ( file_exists( $image_path ) )
+ 			{
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($image_path)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ 				exec( $command );
+ 			}
+ 		}
+diff -urNad zoneminder-1.23.2~/web/zm_xhtml_view_video.php zoneminder-1.23.2/web/zm_xhtml_view_video.php
+--- zoneminder-1.23.2~/web/zm_xhtml_view_video.php	2008-02-21 00:11:25.000000000 +0100
++++ zoneminder-1.23.2/web/zm_xhtml_view_video.php	2008-05-04 14:36:46.000000000 +0200
+@@ -98,7 +98,7 @@
+ 		$command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$video_format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -S ".$video_size;
+ 	if ( $overwrite )
+ 		$command .= " -o";
+-	$generated = exec( $command, $output, $status );
++	$generated = exec( escapeshellcmd( $command ), $output, $status );
+ }
+ 
+ $video_files = array();
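Review bot: escapeshellcmd() over the assembled zmvideo.pl command only neutralises shell metacharacters; `$video_format` and `$video_size` are still interpolated unescaped, and a value containing whitespace can still append options to zmvideo.pl. Escape each value where the command is built, `" -f ".escapeshellarg( $video_format )` and `" -S ".escapeshellarg( $video_size )`, and then the escapeshellcmd() wrapper at exec() is unnecessary. Whether these values are validated earlier in the script is not visible in this hunk.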
