Summary: CVE-2008-1381 zoneminder: command injection via unescaped php exec() calls
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact: (none)
Fixed In Version: 1.22.3-14.fc9
Doc Type: Bug Fix
Doc Text: (none)
Story Points: ---
Last Closed: 2008-05-13 15:23:32 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: (none)
Cloudforms Team: ---
Target Upstream Version: (none)
Bug Depends On: 444435, 444436, 444437
Description Tomas Hoger 2008-04-28 12:40:01 UTC
Mark J Cox of the Red Hat Security Response team discovered the following flaw affecting ZoneMinder: ZoneMinder prior to version 1.23.3 contains unescaped PHP exec() calls which can allow an authorised remote user the ability to run arbitrary code as the Apache httpd user.

Further details in Mark's blog:
http://www.awe.com/mark/blog/200804272230.html

Fixed upstream in 1.23.3:
http://www.zoneminder.com/index.php?id=20&type=0&backPID=20&tt_news=59
http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.23.3

Upstream patch:
http://www.zoneminder.com/wiki/index.php/1.23.2_Patches
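The bug class named in the description (a request parameter concatenated into a command line that is handed to PHP's exec()) is illustrated below with a constructed example. This is added illustration, not ZoneMinder code and not the upstream patch: the helper script name (zmvideo.pl), its -e/-f options, the parameter names and the format allowlist are all assumptions chosen for the example. It shows the unsafe builder beside a hardened one that validates each value against its expected shape and then wraps it with escapeshellarg(), so that shell metacharacters in user input can never become extra commands running as the httpd user.

```php
<?php
// Added illustration of the CVE-2008-1381 bug class (unescaped exec() argument).
// Constructed example, not ZoneMinder code. The "zmvideo.pl" helper, its -e/-f
// options, the parameter names and the format allowlist are assumptions.

declare(strict_types=1);

// VULNERABLE PATTERN: request parameters are interpolated straight into the
// command string. exec() hands the whole string to /bin/sh, so any shell
// metacharacter in a parameter is parsed as part of the command line.
function buildCommandUnsafe(string $eventId, string $format): string
{
    return "zmvideo.pl -e $eventId -f $format";
}

// HARDENED PATTERN, step 1: reject anything that is not the expected shape.
// The event id must be a plain decimal integer.
function validateEventId(string $eventId): ?int
{
    return preg_match('/^[0-9]{1,10}$/', $eventId) === 1 ? (int) $eventId : null;
}

// The output format must come from a fixed allowlist (constructed values).
const ALLOWED_FORMATS = ['mpeg', 'avi'];

function validateFormat(string $format): ?string
{
    return in_array($format, ALLOWED_FORMATS, true) ? $format : null;
}

// HARDENED PATTERN, step 2: even validated values are wrapped with
// escapeshellarg(), so each one reaches the helper as exactly one argv entry.
// Returns null when input is rejected; the caller must not fall back to exec().
function buildCommandSafe(string $eventId, string $format): ?string
{
    $id  = validateEventId($eventId);
    $fmt = validateFormat($format);
    if ($id === null || $fmt === null) {
        return null;
    }
    return 'zmvideo.pl -e ' . escapeshellarg((string) $id)
         . ' -f ' . escapeshellarg($fmt);
}

// Wrapper that only ever executes a command produced by the hardened builder
// and reports the exit status explicitly instead of trusting the output.
function runVideoExport(string $eventId, string $format): array
{
    $cmd = buildCommandSafe($eventId, $format);
    if ($cmd === null) {
        return ['status' => 400, 'output' => []];   // bad request, nothing run
    }
    $output = [];
    $rc = 0;
    exec($cmd . ' 2>&1', $output, $rc);
    return ['status' => $rc === 0 ? 200 : 500, 'output' => $output];
}

// Demonstration on constructed inputs: a benign request and one carrying a
// shell metacharacter. Only the command strings are built here; nothing from
// the unsafe builder is executed.
$requests = [
    ['eventId' => '42',                 'format' => 'mpeg'],
    ['eventId' => '42; echo injected',  'format' => 'mpeg'],  // constructed input
];

foreach ($requests as $req) {
    echo 'unsafe: ' . buildCommandUnsafe($req['eventId'], $req['format']) . "\n";
    echo 'safe:   ' . var_export(buildCommandSafe($req['eventId'], $req['format']), true) . "\n";
}
```

For the benign request both builders produce an equivalent command; for the second request the unsafe builder emits a string in which the shell would see two commands, while the hardened builder returns null because the value fails the integer check before exec() is ever reached. Validation and escaping are layered deliberately: escapeshellarg() alone would stop the injection, but the allowlist also keeps the helper from being driven with unexpected arguments.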
Comment 2 Jason Tibbitts 2008-04-28 15:29:30 UTC
I have backported the patch to the version currently in rawhide and have committed an update to the devel branch. I have not yet tested it; I just wanted to get something started. One hunk in the upstream patch does not correspond to any existing code in 1.22.3; this portion alters $filter['query'] and $filter['fields'] and filters are not constructed that way in 1.22.3. Honestly I don't quite understand what security issue is being fixed by that portion of the patch; it looks to be an unrelated bugfix. In any case, it would be great if someone could double-check what I've done.
Comment 3 Tomas Hoger 2008-04-29 15:00:07 UTC
That part of the patch really seems like an unrelated bug fix. The $filter['fields'] change seems uninteresting, as it just moves where the quote is added to the name= option ("name= --> name="). The $filter['query'] change looks like the following bug fix mentioned on the Change_History page linked in comment #0:

FIX : Fixed an issue where filter queries were sometimes url encoded twice meaning that clicking onto subsequent pages from a filtered view lost the filter and displayed all events instead of just the filtered set.
Comment 4 Fedora Update System 2008-04-29 23:19:33 UTC
zoneminder-1.22.3-10.fc8 has been submitted as an update for Fedora 8
Comment 5 Fedora Update System 2008-04-29 23:27:31 UTC
zoneminder-1.22.3-8.fc7 has been submitted as an update for Fedora 7
Comment 6 Martin Ebourne 2008-04-29 23:31:24 UTC
Jason, thanks v much for backporting the patch. I've pushed to testing for all apart from F9 which I'll do later.
Comment 7 Jason Tibbitts 2008-04-30 20:12:00 UTC
Actually, if you build for F9 now and ask email@example.com to tag it into the release, you might be able to get the updated version into F9 itself and not have to push an update.
Comment 8 Tomas Hoger 2008-05-02 08:42:24 UTC
This issue got a duplicate CVE id - CVE-2008-2033: Multiple unspecified vulnerabilities in ZoneMinder before 1.23.3 allow remote authenticated users to execute arbitrary code via unknown attack vectors.

References:
http://secunia.com/advisories/29995
http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.23.3
Comment 9 Jason Tibbitts 2008-05-02 15:20:20 UTC
Does this duplicate CVE require any separate action? Does the update notice need to be modified, or is a separate update needed noting that this CVE is already fixed by the previous update? Also, I noticed that in Mark Cox's blog, he indicated that the issue was discovered some time ago and that vendors were notified then. Does anyone have any idea why Fedora was not notified until the CVE was made public, leaving us to scramble for a fix and most likely forcing this fix to be released as an update for F9 instead of having it in the actual release?
Comment 10 Tomas Hoger 2008-05-02 16:10:48 UTC
(In reply to comment #9)
> Does this duplicate CVE require any separate action? Does the update notice
> need to be modified, or does a separate update noting that this CVE is already
> fixed by the previous update?

No action needed. Mitre will reject one as a dupe of the other. CVE-2008-2033 will probably be rejected.

> Also, I noticed that in Mark Cox's blog, he indicated that the issue was
> discovered some time ago and that vendors were notified then. Does anyone
> have any idea why Fedora was not notified until the CVE was made public,
> leaving us to scramble for a fix and most likely forcing this fix to be
> released as an update for F9 instead of having it in the actual release?

Mark did not create a patch for the issue and ZoneMinder upstream did not provide us with a patch in advance. However, the problem with fixing security issues in Fedora while they are under embargo is more complicated. As both CVS and the build system are public, fixes cannot be committed and updates built before the issue is made public (in this case by upstream releasing a fixed version).
Comment 11 Martin Ebourne 2008-05-06 22:25:26 UTC
I pushed the update for F7 and F8 back on 29th April, but it is still pending. Any idea why it is stuck? F9 is building and will be submitted to bodhi soon.
Comment 12 Fedora Update System 2008-05-06 22:30:21 UTC
zoneminder-1.22.3-14.fc9 has been submitted as an update for Fedora 9
Comment 13 Tomas Hoger 2008-05-07 06:24:18 UTC
(In reply to comment #11)
> I pushed the update for F7 and F8 back on 29th April, but it is still pending.
> Any idea why it is stuck?

Waiting for release engineering to sign and push them. Currently, there are only 1 or 2 rel-eng team members able to sign new rpms, resulting in a bottleneck in the process.
Comment 14 Fedora Update System 2008-05-10 13:55:16 UTC
zoneminder-1.22.3-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-05-10 13:56:02 UTC
zoneminder-1.22.3-10.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2008-05-13 15:23:20 UTC
zoneminder-1.22.3-14.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Mark J. Cox 2008-05-15 10:25:18 UTC
FYI Regarding #9, this flaw is only of moderate consequence, so a little delay for Fedora packages after publication was expected and acceptable. It's moderate because of the nature of the privilege boundary being crossed: you shouldn't allow untrusted users the ability to view and control your ZoneMinder installation, so this flaw is limited to being exploitable by ZoneMinder administrators.