authorYogita Urade <yogita.urade@windriver.com>2024-01-15 11:24:16 +0000
committerArmin Kuster <akuster808@gmail.com>2024-02-07 18:41:41 -0500
commitde760c31d1534cf6c0fefbbd455f7e82662913fd (patch)
tree8dfb5525ab05890ed820c46748ce822b1d48a9c3
parent4af7df792940b42378ed9181d8a01bb7c7b09487 (diff)
zabbix: fix CVE-2023-32726 and CVE-2023-32727
CVE-2023-32726: The vulnerability is caused by an improper check of whether RDLENGTH overflows the buffer in the response from the DNS server. CVE-2023-32727: An attacker who has the privilege to configure Zabbix items can use the function icmpping() with an additional malicious command inside it to execute arbitrary code on the current Zabbix server. References: https://nvd.nist.gov/vuln/detail/CVE-2023-32726 https://security-tracker.debian.org/tracker/CVE-2023-32726 https://nvd.nist.gov/vuln/detail/CVE-2023-32727 https://security-tracker.debian.org/tracker/CVE-2023-32727 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch160
-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch193
-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch49
-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb3
4 files changed, 405 insertions, 0 deletions
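--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch
@@ -0,0 +1,160 @@
+From 53ef2b7119f57f4140e6bd9c5cd2d3c6af228179 Mon Sep 17 00:00:00 2001
+From: Armands Arseniuss Skolmeisters <armands.skolmeisters@zabbix.com>
+Date: Thu, 11 Jan 2024 12:00:24 +0000
+Subject: [PATCH] ...G...... [DEV-2702] fixed buffer overread in DNS response
+
+* commit '893902999ab7f0b15cce91e8555cb251b32b6df4':
+ ...G...... [DEV-2702] fixed DNS record data length check
+ ...G...... [DEV-2702] improved DNS error messages
+ ...G...... [DEV-2702] fixed DNS error messages
+ ...G...... [DEV-2702] improved DNS error messages
+ ...G...... [DEV-2702] fixed buffer overread in DNS response
+
+CVE: CVE-2023-32726
+Upstream-Status: Backport [https://github.com/zabbix/zabbix/commit/53ef2b7119f57f4140e6bd9c5cd2d3c6af228179]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxsysinfo/common/dns.c | 65 +++++++++++++++++++++++++++-----
+ 1 file changed, 56 insertions(+), 9 deletions(-)
+
+diff --git a/src/libs/zbxsysinfo/common/dns.c b/src/libs/zbxsysinfo/common/dns.c
+index e8938d8..bf456f2 100644
+--- a/src/libs/zbxsysinfo/common/dns.c
++++ b/src/libs/zbxsysinfo/common/dns.c
+@@ -638,7 +638,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+ {
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL,
++ "Cannot decode DNS response: cannot expand domain name."));
+ ret = SYSINFO_RET_FAIL;
+ goto clean;
+ }
+@@ -651,6 +652,13 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+ GETSHORT(q_len, msg_ptr);
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %-8s", decode_type(q_type));
+
++ if (msg_ptr + q_len > msg_end)
++ {
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response: record overflow."));
++ ret = SYSINFO_RET_FAIL;
++ goto clean;
++ }
++
+ switch (q_type)
+ {
+ case T_A:
+@@ -695,8 +703,40 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+ case T_PTR:
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++#define ERR_MSG_PREFIX "Cannot decode DNS response: cannot expand "
++ const char *err_msg = NULL;
++
++ switch (q_type)
++ {
++ case T_NS:
++ err_msg = ERR_MSG_PREFIX "name server name.";
++ break;
++ case T_CNAME:
++ err_msg = ERR_MSG_PREFIX "canonical name.";
++ break;
++ case T_MB:
++ err_msg = ERR_MSG_PREFIX "mailbox name.";
++ break;
++ case T_MD:
++ err_msg = ERR_MSG_PREFIX "mail destination name.";
++ break;
++ case T_MF:
++ err_msg = ERR_MSG_PREFIX "mail forwarder name.";
++ break;
++ case T_MG:
++ err_msg = ERR_MSG_PREFIX "mail group name.";
++ break;
++ case T_MR:
++ err_msg = ERR_MSG_PREFIX "renamed mailbox name.";
++ break;
++ case T_PTR:
++ err_msg = ERR_MSG_PREFIX "PTR name.";
++ break;
++ }
++
++ SET_MSG_RESULT(result, zbx_strdup(NULL, err_msg));
+ return SYSINFO_RET_FAIL;
++#undef ERR_MSG_PREFIX
+ }
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+ break;
+@@ -706,7 +746,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* exchange */
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++ " cannot expand mail exchange name."));
+ return SYSINFO_RET_FAIL;
+ }
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+@@ -715,14 +756,16 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+ case T_SOA:
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* source host */
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++ " cannot expand source nameserver name."));
+ return SYSINFO_RET_FAIL;
+ }
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* administrator */
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++ " cannot expand administrator mailbox name."));
+ return SYSINFO_RET_FAIL;
+ }
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+@@ -750,7 +793,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+ case T_WKS:
+ if (INT32SZ + 1 > q_len)
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++ " malformed WKS resource record."));
+ return SYSINFO_RET_FAIL;
+ }
+
+@@ -816,14 +860,16 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+ case T_MINFO:
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* mailbox responsible for mailing lists */
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++ " cannot expand mailbox responsible for mailing lists."));
+ return SYSINFO_RET_FAIL;
+ }
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* mailbox for error messages */
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++ " cannot expand mailbox for error messages."));
+ return SYSINFO_RET_FAIL;
+ }
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+@@ -854,7 +900,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+
+ if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* target */
+ {
+- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++ " cannot expand service target hostname."));
+ return SYSINFO_RET_FAIL;
+ }
+ offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+--
+2.40.0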
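Review bot: The new RDLENGTH guard in dns_query is written as `if (msg_ptr + q_len > msg_end)`, which forms a pointer that may already lie beyond the end of the response buffer before it is compared; the subtraction form `if (q_len > msg_end - msg_ptr)` states the same bound without out-of-range pointer arithmetic (with a cast if the operand types differ in signedness). The guard also proves only that the record data fits inside the message: of the record types visible in this patch, only T_WKS compares its fixed-size fields against q_len, so the other per-type parsers presumably still depend on get_name() and msg_end for their own bounds, which is worth confirming for the cases outside these hunks. dns_query's body starts and ends outside the hunks shown.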
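--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch
@@ -0,0 +1,193 @@
+From 93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 Mon Sep 17 00:00:00 2001
+From: Andris Zeila <andris.zeila@zabbix.com>
+Date: Fri, 12 Jan 2024 05:48:31 +0000
+Subject: [PATCH] .......PS. [DEV-2695] changed fping tests to read address
+ from file
+
+Merge in ZBX/zabbix from feature/DEV-2695-6.0 to release/6.0
+
+* commit '6603893ff94620e28fc543d5d0d4c86b9be3342e':
+ .......PS. [DEV-2695] fixed signal blocking
+ .......PS. [DEV-2695] added target hostname/ip validation in fping feature tests
+ .......PS. [DEV-2695] added error messages when failed to prepare temporary file for fping tests
+ .......PS. [DEV-2695] changed fping tests to read address from file
+
+CVE: CVE-2023-32727
+Upstream-Status: BAckport [https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxicmpping/icmpping.c | 125 ++++++++++++++++++++++++++++----
+ 1 file changed, 112 insertions(+), 13 deletions(-)
+
+diff --git a/src/libs/zbxicmpping/icmpping.c b/src/libs/zbxicmpping/icmpping.c
+index 72f7e86..9a751b7 100644
+--- a/src/libs/zbxicmpping/icmpping.c
++++ b/src/libs/zbxicmpping/icmpping.c
+@@ -59,6 +59,8 @@ static void get_source_ip_option(const char *fping, const char **option, unsigne
+
+ zbx_snprintf(tmp, sizeof(tmp), "%s -h 2>&1", fping);
+
++ zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp);
++
+ if (NULL == (f = popen(tmp, "r")))
+ return;
+
+@@ -85,6 +87,110 @@ static void get_source_ip_option(const char *fping, const char **option, unsigne
+ *checked = 1;
+ }
+
++/******************************************************************************
++ * *
++ * Purpose: execute external program and return stdout and stderr values *
++ * *
++ * Parameters: fping - [IN] location of fping program *
++ * out - [OUT] stdout and stderr values *
++ * error - [OUT] error string if function fails *
++ * max_error_len - [IN] length of error buffer *
++ * *
++ * Return value: SUCCEED if processed successfully or FAIL otherwise *
++ * *
++ ******************************************************************************/
++static int get_fping_out(const char *fping, const char *address, char **out, char *error, size_t max_error_len)
++{
++ FILE *f;
++ size_t buf_size = 0, offset = 0, len;
++ ssize_t n;
++ char tmp[MAX_STRING_LEN], *buffer = NULL;
++ int ret = FAIL, fd;
++ sigset_t mask, orig_mask;
++ char filename[MAX_STRING_LEN];
++
++ if (FAIL == zbx_validate_hostname(address) && FAIL == is_supported_ip(address))
++ {
++ zbx_strlcpy(error, "Invalid host name or IP address", max_error_len);
++ return FAIL;
++ }
++
++ zbx_snprintf(filename, sizeof(filename), "%s/%s_XXXXXX", CONFIG_TMPDIR, progname);
++ if (-1 == (fd = mkstemp(filename)))
++ {
++ zbx_snprintf(error, max_error_len, "Cannot create temporary file \"%s\": %s", filename,
++ zbx_strerror(errno));
++
++ return FAIL;
++ }
++
++ sigemptyset(&mask);
++ sigaddset(&mask, SIGINT);
++ sigaddset(&mask, SIGQUIT);
++
++ len = strlen(address);
++ if (-1 == (n = write(fd, address, len)))
++ {
++ zbx_snprintf(error, max_error_len, "Cannot write address into temporary file: %s", zbx_strerror(errno));
++ (void)close(fd);
++ goto out;
++ }
++
++ if (n != (ssize_t)len)
++ {
++ zbx_strlcpy(error, "Cannot write full address into temporary file", max_error_len);
++ (void)close(fd);
++ goto out;
++ }
++
++ if (-1 == close(fd))
++ {
++ zbx_snprintf(error, max_error_len, "Cannot close temporary file: %s", zbx_strerror(errno));
++ goto out;
++ }
++
++ zbx_snprintf(tmp, sizeof(tmp), "%s 2>&1 < %s", fping, filename);
++
++ if (0 > sigprocmask(SIG_BLOCK, &mask, &orig_mask))
++ zbx_error("cannot set sigprocmask to block the user signal");
++
++ zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp);
++
++ if (NULL == (f = popen(tmp, "r")))
++ {
++ zbx_strlcpy(error, zbx_strerror(errno), max_error_len);
++ goto out;
++ }
++
++ while (NULL != zbx_fgets(tmp, sizeof(tmp), f))
++ {
++ len = strlen(tmp);
++
++ if (MAX_EXECUTE_OUTPUT_LEN < offset + len)
++ break;
++
++ zbx_strncpy_alloc(&buffer, &buf_size, &offset, tmp, len);
++ }
++
++ pclose(f);
++
++ if (NULL == buffer)
++ {
++ zbx_strlcpy(error, "Cannot obtain the program output", max_error_len);
++ goto out;
++ }
++
++ *out = buffer;
++ ret = SUCCEED;
++out:
++ unlink(filename);
++
++ if (0 > sigprocmask(SIG_SETMASK, &orig_mask, NULL))
++ zbx_error("cannot restore sigprocmask");
++
++ return ret;
++}
++
+ /******************************************************************************
+ * *
+ * Function: get_interval_option *
+@@ -137,19 +243,12 @@ static int get_interval_option(const char *fping, ZBX_FPING_HOST *hosts, int hos
+
+ zabbix_log(LOG_LEVEL_DEBUG, "testing fping interval %u ms", intervals[j]);
+
+- zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst);
++ zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]);
+
+ zbx_free(out);
+
+ /* call fping, ignore its exit code but mind execution failures */
+- if (TIMEOUT_ERROR == (ret_exec = zbx_execute(tmp, &out, err, sizeof(err), 1,
+- ZBX_EXIT_CODE_CHECKS_DISABLED, NULL)))
+- {
+- zbx_snprintf(error, max_error_len, "Timeout while executing \"%s\"", tmp);
+- goto out;
+- }
+-
+- if (FAIL == ret_exec)
++ if (SUCCEED != (ret_exec = get_fping_out(tmp, dst, &out, err, sizeof(err))))
+ {
+ zbx_snprintf(error, max_error_len, "Cannot execute \"%s\": %s", tmp, err);
+ goto out;
+@@ -251,10 +350,10 @@ static int get_ipv6_support(const char * fping, const char *dst)
+ int ret;
+ char tmp[MAX_STRING_LEN], error[255], *out = NULL;
+
+- zbx_snprintf(tmp, sizeof(tmp), "%s -6 -c1 -t50 %s", fping, dst);
++ zbx_snprintf(tmp, sizeof(tmp), "%s -6 -c1 -t50", fping);
+
+- if ((SUCCEED == (ret = zbx_execute(tmp, &out, error, sizeof(error), 1, ZBX_EXIT_CODE_CHECKS_DISABLED, NULL)) &&
+- ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst)) || TIMEOUT_ERROR == ret)
++ if (SUCCEED == (ret = get_fping_out(tmp, dst, &out, error, sizeof(error)) &&
++ ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst)))
+ {
+ ret = SUCCEED;
+ }
+@@ -538,7 +637,7 @@ static int process_ping(ZBX_FPING_HOST *hosts, int hosts_count, int count, int i
+
+ fclose(f);
+
+- zabbix_log(LOG_LEVEL_DEBUG, "%s", tmp);
++ zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp);
+
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGINT);
+--
+2.40.0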
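Review bot: In get_ipv6_support the closing parenthesis of the assignment has moved, so `ret` now receives the result of the whole `&&` chain rather than get_fping_out()'s return value: `SUCCEED == (ret = get_fping_out(...) && ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst))`. With Zabbix's usual SUCCEED == 0 (the definition is not on this page), a successful call short-circuits and the output is never checked for `dst`, while a failing call, including the new "Invalid host name or IP address" rejection that leaves `out` NULL, goes on to `strlen(out)`. The assignment should be closed first, `if (SUCCEED == (ret = get_fping_out(tmp, dst, &out, error, sizeof(error))) && ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst))`; the rest of get_ipv6_support lies outside the hunk. Separately, the write/close failure paths in get_fping_out jump to `out:` before `sigprocmask(SIG_BLOCK, &mask, &orig_mask)` has run, so `sigprocmask(SIG_SETMASK, &orig_mask, NULL)` restores from an uninitialised `orig_mask` on those paths.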
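--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch
@@ -0,0 +1,49 @@
+From 610f9fdbb86667f4094972547deb936c6cdfc6d5 Mon Sep 17 00:00:00 2001
+From: Andris Zeila <andris.zeila@zabbix.com>
+Date: Fri, 12 Jan 2024 06:06:02 +0000
+Subject: [PATCH] .......PS. [DEV-2695] removed group/all access flags for
+ fping temporary files
+
+Merge in ZBX/zabbix from feature/DEV-2695-6.5 to master
+
+* commit 'cf07db1d5c2b8fe4a9de85fed22cf05035e08914':
+ .......PS. [DEV-2695] remove group/all access flags when creating fping input file for testing fping features
+
+(cherry picked from commit cd12f0a2d89c3ef05f0e9f50dcb73fdaf3a7e8a9)
+
+CVE: CVE-2023-32727
+Upstream_Status: Backport [https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxicmpping/icmpping.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/libs/zbxicmpping/icmpping.c b/src/libs/zbxicmpping/icmpping.c
+index 9a751b7..bab3d09 100644
+--- a/src/libs/zbxicmpping/icmpping.c
++++ b/src/libs/zbxicmpping/icmpping.c
+@@ -108,6 +108,7 @@ static int get_fping_out(const char *fping, const char *address, char **out, cha
+ int ret = FAIL, fd;
+ sigset_t mask, orig_mask;
+ char filename[MAX_STRING_LEN];
++ mode_t mode;
+
+ if (FAIL == zbx_validate_hostname(address) && FAIL == is_supported_ip(address))
+ {
+@@ -116,7 +117,12 @@ static int get_fping_out(const char *fping, const char *address, char **out, cha
+ }
+
+ zbx_snprintf(filename, sizeof(filename), "%s/%s_XXXXXX", CONFIG_TMPDIR, progname);
+- if (-1 == (fd = mkstemp(filename)))
++
++ mode = umask(077);
++ fd = mkstemp(filename);
++ umask(mode);
++
++ if (-1 == fd)
+ {
+ zbx_snprintf(error, max_error_len, "Cannot create temporary file \"%s\": %s", filename,
+ zbx_strerror(errno));
+--
+2.40.0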
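Review bot: The patch header spells the status tag `Upstream_Status: Backport [...]`, with an underscore, whereas CVE-2023-32726.patch in this same commit uses `Upstream-Status: Backport [...]`; OE's patch-status checks look for the hyphenated spelling, so this header is likely to be reported as malformed or missing. CVE-2023-32727_0001.patch has a similar slip, `Upstream-Status: BAckport`. In the code itself, the `umask(077)` / `mkstemp()` / `umask(mode)` sequence briefly changes process-wide state, so a short comment such as `/* restrict the temp file to its owner; umask is restored right after */` would record that this is intentional. get_fping_out continues outside the hunk.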
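--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@@ -31,6 +31,9 @@ SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz
  file://CVE-2023-29451.patch \
  file://CVE-2023-29449.patch \
  file://CVE-2023-29450.patch \
+ file://CVE-2023-32726.patch \
+ file://CVE-2023-32727_0001.patch \
+ file://CVE-2023-32727_0002.patch \
 "
 
 SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"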