Gentoo Archives: gentoo-commits

From: "Matthew Marlow (mattm)" <mattm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in net-analyzer/zabbix/files/2.4/patches: zbx7479.patch zbx8151.patch
Date: Wed, 29 Oct 2014 22:38:44
Message-Id: 20141029223838.115A0907B@oystercatcher.gentoo.org
1 mattm 14/10/29 22:38:38
2
3 Added: zbx7479.patch zbx8151.patch
4 Log:
5 Major version bump 2.4.1, totally experimental, has not been tested. Package masked. Do not install unless you are using a non-production system and can contribute to improving gentoo support for 2.4 and comment on bug 524010.
6
7 (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 786037A7)
8
9 Revision Changes Path
10 1.1 net-analyzer/zabbix/files/2.4/patches/zbx7479.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx7479.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx7479.patch?rev=1.1&content-type=text/plain
14
15 Index: zbx7479.patch
16 ===================================================================
17 Index: src/libs/zbxsysinfo/sysinfo.c
18 ===================================================================
19 --- src/libs/zbxsysinfo/sysinfo.c (revision 40348)
20 +++ src/libs/zbxsysinfo/sysinfo.c (working copy)
21 @@ -427,13 +427,49 @@
22 test_aliases();
23 }
24
25 +static int zbx_check_user_parameter(const char *param, char *error, int max_error_len)
26 +{
27 + const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@\n", *c;
28 + char *buf = NULL;
29 + size_t buf_alloc = 128, buf_offset = 0;
30 +
31 + if (0 != CONFIG_UNSAFE_USER_PARAMETERS)
32 + return SUCCEED;
33 +
34 + for (c = suppressed_chars; '\0' != *c; c++)
35 + {
36 + if (NULL == strchr(param, *c))
37 + continue;
38 +
39 + buf = zbx_malloc(buf, buf_alloc);
40 +
41 + for (c = suppressed_chars; '\0' != *c; c++)
42 + {
43 + if (c != suppressed_chars)
44 + zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");
45 +
46 + if (0 != isprint(*c))
47 + zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c);
48 + else
49 + zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, "0x%02x", *c);
50 + }
51 +
52 + zbx_snprintf(error, max_error_len, "special characters \"%s\" are not allowed in the parameters", buf);
53 +
54 + zbx_free(buf);
55 +
56 + return FAIL;
57 + }
58 +
59 + return SUCCEED;
60 +}
61 +
62 static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_error_len)
63 {
64 int ret = SUCCEED;
65 char buf[MAX_STRING_LEN];
66 char command[MAX_STRING_LEN];
67 char *pl, *pr;
68 - const char suppressed_chars[] = "\\'\"`*?[]{}~$!&;()<>|#@", *c;
69
70 assert(out);
71
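Review bot: zbx_check_user_parameter() is still a deny-list, and this hunk extends it by exactly one control character, '\n'; other control characters pass unless listed, and whether that matters depends on how the assembled command is executed, which is not visible here. Rejecting every control character with a separate test such as `if (0 != iscntrl((unsigned char)*p)) return FAIL;` would be more robust than enumerating them. The inner loop reuses the outer iterator `c` to walk suppressed_chars a second time, which is only correct because the function returns FAIL immediately afterwards; a second variable would make that explicit. `isprint(*c)` should be `isprint((unsigned char)*c)` so the call stays defined if a byte above 0x7f is ever added to the list. The new function also has no header comment; one line should state that it returns SUCCEED unconditionally when CONFIG_UNSAFE_USER_PARAMETERS is non-zero.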
72 @@ -465,25 +501,10 @@
73 {
74 get_param(param, (int)(pr[1] - '0'), buf, sizeof(buf));
75
76 - if (0 == CONFIG_UNSAFE_USER_PARAMETERS)
77 - {
78 - for (c = suppressed_chars; '\0' != *c; c++)
79 - {
80 - if (NULL != strchr(buf, *c))
81 - {
82 - zbx_snprintf(error, max_error_len, "Special characters '%s'"
83 - " are not allowed in the parameters",
84 - suppressed_chars);
85 - ret = FAIL;
86 - break;
87 - }
88 - }
89 - }
90 + if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_error_len)))
91 + break;
92 }
93
94 - if (FAIL == ret)
95 - break;
96 -
97 zbx_strlcat(out, buf, outlen);
98 outlen -= MIN((int)strlen(buf), (int)outlen);
99
100
101
102
103 1.1 net-analyzer/zabbix/files/2.4/patches/zbx8151.patch
104
105 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx8151.patch?rev=1.1&view=markup
106 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.4/patches/zbx8151.patch?rev=1.1&content-type=text/plain
107
108 Index: zbx8151.patch
109 ===================================================================
110 Index: frontends/php/include/defines.inc.php
111 ===================================================================
112 --- frontends/php/include/defines.inc.php (revision 46596)
113 +++ frontends/php/include/defines.inc.php (revision 46655)
114 @@ -835,6 +835,14 @@
115
116 define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
117
118 +// XML import flags
119 +// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
120 +// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
121 +// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
122 +// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
123 +// so this flag is not needed here.
124 +define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
125 +
126 // API errors
127 define('ZBX_API_ERROR_INTERNAL', 111);
128 define('ZBX_API_ERROR_PARAMETERS', 100);
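Review bot: The new constant `LIBXML_IMPORT_FLAGS` sits in the `LIBXML_` prefix that PHP's libxml extension uses for its own constants, while the neighbouring constants in this hunk all use `ZBX_`. A name such as `ZBX_LIBXML_IMPORT_FLAGS` avoids a clash, since `define()` on an already-defined name does not replace the existing value and the import code would then silently run with flags it did not choose. In the comment, "had no affect" should read "had no effect" and "opposite to it's name" should read "opposite to its name". The comment should also say plainly that the flag only protects in combination with the `libxml_disable_entity_loader(true)` call at each parse site, so a future caller that uses the constant without that call is not assumed safe.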
129 Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
130 ===================================================================
131 --- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596)
132 +++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655)
133 @@ -32,7 +32,8 @@
134 */
135 public function read($string) {
136 libxml_use_internal_errors(true);
137 - $result = simplexml_load_string($string);
138 + libxml_disable_entity_loader(true);
139 + $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
140 if (!$result) {
141 $errors = libxml_get_errors();
142 libxml_clear_errors();
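Review bot: `libxml_disable_entity_loader(true)` in read() changes a libxml setting that is not scoped to this call, and the visible lines never put it back, so any XML loading later in the same request inherits the disabled loader. The function returns the previous value, so keep it with `$prev = libxml_disable_entity_loader(true);` before the parse and call `libxml_disable_entity_loader($prev);` once `simplexml_load_string()` has returned, on the error path as well. The same applies to the call added to CXmlImport18::import() in the next file section. read() continues past the end of this hunk, so a restore could exist further down, but the patch does not add one.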
143 Index: frontends/php/include/classes/import/CXmlImport18.php
144 ===================================================================
145 --- frontends/php/include/classes/import/CXmlImport18.php (revision 46596)
146 +++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655)
147 @@ -390,12 +390,13 @@
148 return $array;
149 }
150
151 - public static function import($file) {
152 + public static function import($source) {
153
154 libxml_use_internal_errors(true);
155 + libxml_disable_entity_loader(true);
156
157 $xml = new DOMDocument();
158 - if (!$xml->loadXML($file)) {
159 + if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
160 $text = '';
161 foreach (libxml_get_errors() as $error) {
162 switch ($error->level) {