Bug 444434 - CVE-2008-1381 zoneminder: command injection via unescaped php exec() calls
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=redhat,reported=20080411,publi...
Keywords: Security
Depends On: 444435 444436 444437
Reported: 2008-04-28 08:40 EDT by Tomas Hoger
Modified: 2008-05-15 06:25 EDT
Fixed In Version: 1.22.3-14.fc9
Doc Type: Bug Fix
Last Closed: 2008-05-13 11:23:32 EDT

Description Tomas Hoger 2008-04-28 08:40:01 EDT
Mark J Cox of the Red Hat Security Response team discovered the following flaw
affecting ZoneMinder:

ZoneMinder prior to version 1.23.3 contains unescaped PHP exec() calls which can
allow an authorised remote user the ability to run arbitrary code as the Apache
httpd user.

Further details in Mark's blog:
http://www.awe.com/mark/blog/200804272230.html

Fixed upstream in 1.23.3:
http://www.zoneminder.com/index.php?id=20&type=0&backPID=20&tt_news=59
http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.23.3

Upstream patch:
http://www.zoneminder.com/wiki/index.php/1.23.2_Patches
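An added illustration of the flaw class the description names, not ZoneMinder's own code or the upstream patch: the command, the parameter and the function names are hypothetical. It shows an unescaped exec() call beside the same call with every externally influenced argument passed through escapeshellarg().

```php
<?php
// Added example (not ZoneMinder code). Both functions run the same external
// command; only the handling of the request-controlled arguments differs.

// Vulnerable shape: request parameters are concatenated straight into the
// command string, so any shell metacharacters they contain are interpreted
// by /bin/sh, which runs with the privileges of the web server (Apache httpd)
// user. Anyone allowed to call this page can therefore influence what runs.
function thumbnail_unsafe(string $image, string $scale): string
{
    $cmd = "convert $image -resize $scale% -";
    exec($cmd, $output, $rc);
    return implode("\n", $output);
}

// Hardened shape: escapeshellarg() single-quotes the value and escapes any
// embedded single quotes, so it reaches the program as exactly one argument
// and no shell syntax in it survives. A type check on $scale before quoting
// keeps the accepted input as narrow as the feature needs.
function thumbnail_safe(string $image, string $scale): string
{
    if (!ctype_digit($scale) || (int) $scale === 0 || (int) $scale > 100) {
        throw new InvalidArgumentException('scale must be an integer 1..100');
    }
    $cmd = sprintf(
        'convert %s -resize %s%% -',
        escapeshellarg($image),
        escapeshellarg($scale)
    );
    exec($cmd, $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("convert exited with status $rc");
    }
    return implode("\n", $output);
}

// Review aid when auditing a code base for this bug class: every argument to
// exec(), shell_exec(), system(), passthru() or backticks should either be a
// literal or be wrapped in escapeshellarg()/escapeshellcmd() at the call site.
```

Wrapping arguments is the minimal fix matching the description; avoiding the shell entirely (for example proc_open() with an argument array on PHP 7.4+) removes the class of bug rather than escaping around it.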
Comment 2 Jason Tibbitts 2008-04-28 11:29:30 EDT
I have backported the patch to the version currently in rawhide and have
committed an update to the devel branch.  I have not yet tested it; I just wanted
to get something started.

One hunk in the upstream patch does not correspond to any existing code in
1.22.3; this portion alters $filter['query'] and $filter['fields'] and filters
are not constructed that way in 1.22.3.  Honestly I don't quite understand what
security issue is being fixed by that portion of the patch; it looks to be an
unrelated bugfix.  In any case, it would be great if someone could double-check
what I've done.
Comment 3 Tomas Hoger 2008-04-29 11:00:07 EDT
That part of the patch really seems like an unrelated bug fix.

The $filter['fields'] change seems uninteresting, as it just moves where the quote is
added to the name= option ("name= --> name=").

The $filter['query'] change looks like the following bug fix mentioned on the
Change_History page linked in comment #0:

  FIX : Fixed an issue where filter queries were sometimes url encoded twice
  meaning that clicking onto subsequent pages from a filtered view lost the
  filter and displayed all events instead of just the filtered set.
Comment 4 Fedora Update System 2008-04-29 19:19:33 EDT
zoneminder-1.22.3-10.fc8 has been submitted as an update for Fedora 8
Comment 5 Fedora Update System 2008-04-29 19:27:31 EDT
zoneminder-1.22.3-8.fc7 has been submitted as an update for Fedora 7
Comment 6 Martin Ebourne 2008-04-29 19:31:24 EDT
Jason, thanks v much for backporting the patch. I've pushed to testing for all
apart from F9 which I'll do later.
Comment 7 Jason Tibbitts 2008-04-30 16:12:00 EDT
Actually, if you build for F9 now and ask rel-eng@fedoraproject.org to tag it
into the release, you might be able to get the updated version into F9 itself
and not have to push an update.
Comment 8 Tomas Hoger 2008-05-02 04:42:24 EDT
This issue got a duplicate CVE id - CVE-2008-2033:

Multiple unspecified vulnerabilities in ZoneMinder before 1.23.3 allow remote
authenticated users to execute arbitrary code via unknown attack vectors.

References:
http://secunia.com/advisories/29995
http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.23.3
Comment 9 Jason Tibbitts 2008-05-02 11:20:20 EDT
Does this duplicate CVE require any separate action?  Does the update notice
need to be modified, or does a separate update noting that this CVE is already
fixed by the previous update?

Also, I noticed that in Mark Cox's blog, he indicated that the issue was
discovered some time ago and that vendors were notified then.  Does anyone have
any idea why Fedora was not notified until the CVE was made public, leaving us
to scramble for a fix and most likely forcing this fix to be released as an
update for F9 instead of having it in the actual release?
Comment 10 Tomas Hoger 2008-05-02 12:10:48 EDT
(In reply to comment #9)
> Does this duplicate CVE require any separate action?  Does the update notice
> need to be modified, or does a separate update noting that this CVE is already
> fixed by the previous update?

No action needed.  Mitre will reject one as dupe of the other.  CVE-2008-2033
will probably be rejected.

> Also, I noticed that in Mark Cox's blog, he indicated that the issue was
> discovered some time ago and that vendors were notified then.  Does anyone
> have any idea why Fedora was not notified until the CVE was made public,
> leaving us to scramble for a fix and most likely forcing this fix to be
> released as an update for F9 instead of having it in the actual release?

Mark did not create a patch for the issue and ZoneMinder upstream did not
provide us with a patch in advance.  However, the problem with fixing security
issues in Fedora while they are under embargo is more complicated.  As both CVS
and the build system are public, fixes cannot be committed and updates built before
the issue is made public (in this case by upstream releasing a fixed version).
Comment 11 Martin Ebourne 2008-05-06 18:25:26 EDT
I pushed the update for F7 and F8 back on 29th April, but it is still pending.
Any idea why it is stuck?

F9 is building and will be submitted to bodhi soon.
Comment 12 Fedora Update System 2008-05-06 18:30:21 EDT
zoneminder-1.22.3-14.fc9 has been submitted as an update for Fedora 9
Comment 13 Tomas Hoger 2008-05-07 02:24:18 EDT
(In reply to comment #11)
> I pushed the update for F7 and F8 back on 29th April, but it is still pending.
> Any idea why it is stuck?

Waiting for release engineering to sign and push them. Currently, there are only
1 or 2 rel-eng team members able to sign new rpms, resulting in a bottleneck in
the process.

Comment 14 Fedora Update System 2008-05-10 09:55:16 EDT
zoneminder-1.22.3-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-05-10 09:56:02 EDT
zoneminder-1.22.3-10.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2008-05-13 11:23:20 EDT
zoneminder-1.22.3-14.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Mark J. Cox (Product Security) 2008-05-15 06:25:18 EDT
FYI Regarding #9, this flaw is only of moderate consequence, so a little delay
for Fedora packages after publication was expected and acceptable.  It's
moderate because of the nature of the privilege boundary being crossed: you
shouldn't allow untrusted users the ability to view and control your ZoneMinder
installation, so this flaw is limited to being exploitable by ZoneMinder
administrators.