Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits: 36e9a771 by Tobias Frost at 2024-01-23T20:13:31+01:00 CVE-2023-32727/zabbix - buster is not affected. The vulnerability is a format-string vulnerability, a user provided input (dst - intented to be a target host for fping) is passed to a shell without saniziting. the key line for the patch for CVE-2023-32727 is in function get_interval_option(): - zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst); + zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]); "dst" is the ping target, and the resulting tmp is the complete command to be executed in the vulnerable version. (via execl("/bin/sh", "sh", "-c", command, (char *)NULL); in zbx_execute()) Bisecting upstream brings the following commits introducing this: Commit: 57abe5a1f2c208d05cc59029026098c2f13ed464 [1] + zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i0 %s", fping, dst); [1] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464#src/libs/zbxicmpping/icmpping.c line 102 List of affected versions, where the commit is seen first time: git tag --contains 57abe5a1f2c208d05cc59029026098c2f13ed464 (manually filtered to show only first tag of every affected version) 4.4.0alpha3 5.0.0alpha1 5.2.0alpha1 5.4.0alpha1 6.0.0alpha1 6.2.0alpha1 6.4.0alpha1 7.0.0alpha1 - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -6428,12 +6428,14 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1) - NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 + NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...) - zabbix 1:6.0.23+dfsg-1 + [buster] - zabbix <not-affected> (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23857 NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1) NOTE: https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5 (6.0.23rc1) + NOTE: introduced in ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...) - zabbix 1:6.0.24+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23855 @@ -6442,7 +6444,7 @@ CVE-2023-32725 (The website configured in the URL widget will receive a session - zabbix 1:6.0.23+dfsg-1 [bullseye] - zabbix <not-affected> (Vulnerable code not present) [buster] - zabbix <not-affected> (vulnerable code introduced later) - NOTE: https://support.zabbix.com/browse/ZBX-23854 + NOTE: https://support.zabbix.com/browse/ZBX-2354 NOTE: https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26 (6.0.22rc1) NOTE: report_manager introduced with: https://github.com/zabbix/zabbix/commit/a06a08111546081e8256267bc0062cbd74dc3309 (6.0.0alpha1) CVE-2023-32230 (An improper handling of a malformed API request to an API server in Bo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits