On Fri, 11 Oct 2013 05:00:41 you wrote:
> For the record, that all comes to "8 files changed, 6906 insertions(+),
> 5 deletions(-)", which is considerably more than I was expecting, given
> how close we are to the update window closing.
>
> A lot of it appears to be a (possibly over-cautious) belt and braces
> approach to
>
> > * CVE-2013-5743: fixed SQL injection vulnerability.
>
> escaping basically every use of a string anywhere near an SQL statement.
> I do hope that someone's actually checked that none of those additions
> of zbx_dbstr() introduces any bugs; I certainly don't know what any of
> the variables might contain in order to judge. :-(
Well, that's a heavy patch, but it was specifically made by upstream developers for the very version of Zabbix that we have in Squeeze. I applied it as-is, without any modifications. If you wish, we can ask upstream for comments. In Squeeze I tested an instance of Zabbix-1.8.2 with this patch applied and couldn't see any regressions. I doubt there is anything more I could possibly do to ensure the safety of this patch.

> There's also
>
> > * CVE-2011-3263: prevent zabbix_agentd DoS attack with vfs.file.cksum.
>
> patches/ZBX-3794+ZBX-3830.patch | 540 +++
>
> There's quite a lot of noise in that patch, of the general form
>
> ++ int ret = SYSINFO_RET_FAIL;
> [...]
> +- if (num_param(param) > 1)
> +- return SYSINFO_RET_FAIL;
> ++ if (1 < num_param(param))
> ++ goto err;
> [...]
> +- return SYSINFO_RET_OK;
> ++ ret = SYSINFO_RET_OK;
> ++err:
> ++ return ret;
>
> afaics, the net effect of that change is nothing. I realise (having let
> git-svn chew through the branch) that the noise is in upstream's
> original patch, but it really doesn't make it easy to review.

Apologies if this patch is not perfect. This particular patch I backported a long time ago and (unlike SQL injections, which I find difficult to test) I verified that the patch fixes the DoS attack on "vfs.file.cksum" on Zabbix-1.8.2/Squeeze. I'm quite confident that it works as expected. I don't remember whether renaming those variables was necessary to apply other patches...

I built Zabbix packages using `qemubuilder` and tested 'em in a dedicated Squeeze VM.

Adam, please advise if you feel more confident with uploading just the patch for the SQL injection and leaving all other changes behind.

--
Best wishes,
Dmitry Smirnov.

