Mark J Cox of the Red Hat Security Response team discovered following flaw
ZoneMinder prior to version 1.23.3 contains unescaped PHP exec() calls which can
allow an authorised remote user the ability to run arbitrary code as the Apache
Further details in Mark's blog:
Fixed upstream in 1.23.3:
I have backported the patch to the version currently in rawhide and have
commited an update to the devel branch. I have not yet tested it; I just wanted
to get something started.
One hunk in the upstream patch does not correspond to any existing code in
1.22.3; this portion alters $filter['query'] and $filter['fields'] and filters
are not constructed that way in 1.22.3. Honestly I don't quite understand what
security issue is being fixed by that portion of the patch; it looks to be an
unrelated bugfix. In any case, it would be great is someone could double-check
what I've done.
That part of the patch really seems like unrelated bug fix.
$filter['fields'] change seems uninteresting, as it just moves where quote is
added to name= option ("name= --> name=").
$filter['query'] change looks like following bug fix mentioned on the
Change_History page linked in comment #0:
FIX : Fixed an issue where filter queries were sometimes url encoded twice
meaning that clicking onto subsequent pages from a filtered view lost the
filter and displayed all events instead of ust the filtered set.
zoneminder-1.22.3-10.fc8 has been submitted as an update for Fedora 8
zoneminder-1.22.3-8.fc7 has been submitted as an update for Fedora 7
Jason, thanks v much for backporting the patch. I've pushed to testing for all
apart from F9 which I'll do later.
Actually, if you build for F9 now and ask firstname.lastname@example.org to tag it
into the release, you might be able to get the updated version into F9 itself
and not have to push an update.
This issue got duplicate CVE id - CVE-2008-2033:
Multiple unspecified vulnerabilities in ZoneMinder before 1.23.3 allow remote
authenticated users to execute arbitrary code via unknown attack vectors.
Does this duplicate CVE require any separate action? Does the update notice
need to be modified, or does a separate update noting that this CVE is already
fixed by the previous update?
Also, I noticed that in Mark Cox's blog, he indicated that the issue was
discovered some time ago and that vendors were notified then. Does anyone have
any idea why Fedora was not notified until the CVE was made public, leaving us
to scramble for a fix and most likely forcing this fix to be released as an
update for F9 instead of having it in the actual release?
(In reply to comment #9)
> Does this duplicate CVE require any separate action? Does the update notice
> need to be modified, or does a separate update noting that this CVE is already
> fixed by the previous update?
No action needed. Mitre will reject one as dupe of the other. CVE-2008-2033
will probably be rejected.
> Also, I noticed that in Mark Cox's blog, he indicated that the issue was
> discovered some time ago and that vendors were notified then. Does anyone
> have any idea why Fedora was not notified until the CVE was made public,
> leaving us to scramble for a fix and most likely forcing this fix to be
> released as an update for F9 instead of having it in the actual release?
Mark did not create a patch for the issue and ZoneMinder upstream did not
provide us with patch in advance. However, the problem with fixing security
issues in Fedora while they are under embargo is more complicated. As both CVS
and build system is public, fixes can not be committed and updates built before
issue is made public (in this case by upstream releasing fixed version).
I pushed the update for F7 and F8 back on 29th April, but it is still pending.
Any idea why it is stuck?
F9 is building and will be submitted to bodhi soon.
zoneminder-1.22.3-14.fc9 has been submitted as an update for Fedora 9
(In reply to comment #11)
> I pushed the update for F7 and F8 back on 29th April, but it is still pending.
> Any idea why it is stuck?
Waiting for release engineering to sign and push them. Currently, there are only
1 or 2 rel-eng team members able to sign new rpms, resulting in a bottleneck in
zoneminder-1.22.3-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
zoneminder-1.22.3-10.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
zoneminder-1.22.3-14.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
FYI Regarding #9, this flaw is only of moderate consequence, so a little delay
for Fedora packages after publication was expected and acceptable. It's
moderate because of the nature of the privilege boundary being crossed : you
shouldn't allow untrusted users the ability to view and control your ZoneMinder
installation, so this flaw is limited to being exploitable by ZoneMinder