Gentoo Archives: gentoo-commits

From: "Miroslav Šulc" <fordfrog@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/zabbix/, net-analyzer/zabbix/files/
Date: Thu, 30 Jul 2020 08:25:13
Message-Id: 1596097500.43e5d720ddda22f747772ffe6cfab9b2362ed0f6.fordfrog@gentoo
1 commit: 43e5d720ddda22f747772ffe6cfab9b2362ed0f6
2 Author: Miroslav Šulc <fordfrog <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jul 30 08:24:38 2020 +0000
4 Commit: Miroslav Šulc <fordfrog <AT> gentoo <DOT> org>
5 CommitDate: Thu Jul 30 08:25:00 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43e5d720
7
8 net-analyzer/zabbix: fixed CVE-2020-15803 in 3.0.31-r1
9
10 Bug: https://bugs.gentoo.org/733118
11 Package-Manager: Portage-3.0.1, Repoman-2.3.23
12 Signed-off-by: Miroslav Šulc <fordfrog <AT> gentoo.org>
13
14 .../files/zabbix-3.0.31-fix-cve-2020-15803.patch | 83 +++++
15 net-analyzer/zabbix/zabbix-3.0.31-r1.ebuild | 351 +++++++++++++++++++++
16 2 files changed, 434 insertions(+)
17
18 diff --git a/net-analyzer/zabbix/files/zabbix-3.0.31-fix-cve-2020-15803.patch b/net-analyzer/zabbix/files/zabbix-3.0.31-fix-cve-2020-15803.patch
19 new file mode 100644
20 index 00000000000..0cca6031558
21 --- /dev/null
22 +++ b/net-analyzer/zabbix/files/zabbix-3.0.31-fix-cve-2020-15803.patch
23 @@ -0,0 +1,83 @@
24 +diff --git a/frontends/php/include/classes/screens/CScreenUrl.php b/frontends/php/include/classes/screens/CScreenUrl.php
25 +index e35c5f1..1df396e 100644
26 +--- a/frontends/php/include/classes/screens/CScreenUrl.php
27 ++++ b/frontends/php/include/classes/screens/CScreenUrl.php
28 +@@ -29,18 +29,10 @@ class CScreenUrl extends CScreenBase {
29 + public function get() {
30 + // prevent from resolving macros in configuration page
31 + if ($this->mode != SCREEN_MODE_PREVIEW && $this->mode != SCREEN_MODE_SLIDESHOW) {
32 +- return $this->getOutput(
33 +- CHtmlUrlValidator::validate($this->screenitem['url'], false)
34 +- ? new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'],
35 +- 'auto')
36 +- : makeMessageBox(false, [[
37 +- 'type' => 'error',
38 +- 'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
39 +- ]]
40 +- )
41 +- );
42 ++ return $this->getOutput($this->prepareElement());
43 + }
44 +- elseif ($this->screenitem['dynamic'] == SCREEN_DYNAMIC_ITEM && $this->hostid == 0) {
45 ++
46 ++ if ($this->screenitem['dynamic'] == SCREEN_DYNAMIC_ITEM && $this->hostid == 0) {
47 + return $this->getOutput((new CTableInfo())->setNoDataMessage(_('No host selected.')));
48 + }
49 +
50 +@@ -54,14 +46,28 @@ class CScreenUrl extends CScreenBase {
51 +
52 + $this->screenitem['url'] = $url ? $url : $this->screenitem['url'];
53 +
54 +- return $this->getOutput(
55 +- CHtmlUrlValidator::validate($this->screenitem['url'], false)
56 +- ? new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'], 'auto')
57 +- : makeMessageBox(false, [[
58 +- 'type' => 'error',
59 +- 'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
60 +- ]]
61 +- )
62 +- );
63 ++ return $this->getOutput($this->prepareElement());
64 ++ }
65 ++
66 ++ /**
67 ++ * @return CTag
68 ++ */
69 ++ public function prepareElement() {
70 ++ if (CHtmlUrlValidator::validate($this->screenitem['url'], false)) {
71 ++ $item = new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'],
72 ++ 'auto'
73 ++ );
74 ++
75 ++ if (ZBX_IFRAME_SANDBOX !== false) {
76 ++ $item->setAttribute('sandbox', ZBX_IFRAME_SANDBOX);
77 ++ }
78 ++
79 ++ return $item;
80 ++ }
81 ++
82 ++ return makeMessageBox(false, [[
83 ++ 'type' => 'error',
84 ++ 'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
85 ++ ]]);
86 + }
87 + }
88 +diff --git a/frontends/php/include/defines.inc.php b/frontends/php/include/defines.inc.php
89 +index a67a625..c6a437c 100644
90 +--- a/frontends/php/include/defines.inc.php
91 ++++ b/frontends/php/include/defines.inc.php
92 +@@ -1284,6 +1284,14 @@ if (function_exists('bcscale')) {
93 + bcscale(7);
94 + }
95 +
96 ++/**
97 ++ * The sandbox attribute enables an extra set of restrictions for the content in the iframe. Default is set to empty
98 ++ * string, which means all restrictions are applied. To disable, set to FALSE. To set a specific set of restrictions,
99 ++ * write a custom string.
100 ++ * https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html#attr-iframe-sandbox
101 ++ */
102 ++define('ZBX_IFRAME_SANDBOX', '');
103 ++
104 + // HTTP headers
105 + /*
106 + * Value of HTTP X-Frame-options header.
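Review bot: The docblock added above `define('ZBX_IFRAME_SANDBOX', '')` invites "a custom string" without saying which values keep the protection, and that is the setting an administrator is most likely to get wrong. The HTML specification warns that granting both `allow-scripts` and `allow-same-origin` to a framed document served from the embedding page's own origin lets that document remove the sandbox attribute. The comment should carry that caveat, e.g. ` * Do not combine allow-scripts with allow-same-origin for URLs on the frontend's own origin; that pairing cancels the sandbox.` It should also say that FALSE restores the unsandboxed iframe this patch is meant to stop. `prepareElement()` has only `@return CTag` and would benefit from a one-line description that it returns either the sandboxed iframe or the error message box.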
107
108 diff --git a/net-analyzer/zabbix/zabbix-3.0.31-r1.ebuild b/net-analyzer/zabbix/zabbix-3.0.31-r1.ebuild
109 new file mode 100644
110 index 00000000000..e501abc50b2
111 --- /dev/null
112 +++ b/net-analyzer/zabbix/zabbix-3.0.31-r1.ebuild
113 @@ -0,0 +1,351 @@
114 +# Copyright 1999-2020 Gentoo Authors
115 +# Distributed under the terms of the GNU General Public License v2
116 +
117 +EAPI=7
118 +
119 +# needed to make webapp-config dep optional
120 +WEBAPP_OPTIONAL="yes"
121 +inherit flag-o-matic webapp java-pkg-opt-2 user systemd toolchain-funcs
122 +
123 +DESCRIPTION="ZABBIX is software for monitoring of your applications, network and servers"
124 +HOMEPAGE="https://www.zabbix.com/"
125 +MY_P=${P/_/}
126 +MY_PV=${PV/_/}
127 +SRC_URI="https://cdn.zabbix.com/stable/${PV}/${P}.tar.gz"
128 +LICENSE="GPL-2"
129 +SLOT="0"
130 +WEBAPP_MANUAL_SLOT="yes"
131 +KEYWORDS="~amd64 ~x86"
132 +IUSE="+agent java curl frontend ipv6 xmpp ldap libxml2 mysql openipmi oracle +postgres proxy server ssh ssl snmp sqlite odbc static"
133 +REQUIRED_USE="|| ( agent frontend proxy server )
134 + proxy? ( ^^ ( mysql oracle postgres sqlite odbc ) )
135 + server? ( ^^ ( mysql oracle postgres odbc ) )
136 + static? ( !oracle !snmp )"
137 +
138 +COMMON_DEPEND="
139 + curl? ( net-misc/curl )
140 + java? ( >=virtual/jdk-1.8:* )
141 + ldap? (
142 + =dev-libs/cyrus-sasl-2*
143 + net-libs/gnutls
144 + net-nds/openldap
145 + )
146 + libxml2? ( dev-libs/libxml2 )
147 + mysql? ( dev-db/mysql-connector-c )
148 + odbc? ( dev-db/unixODBC )
149 + openipmi? ( sys-libs/openipmi )
150 + oracle? ( dev-db/oracle-instantclient-basic )
151 + postgres? ( dev-db/postgresql:* )
152 + proxy? ( sys-libs/zlib )
153 + server? (
154 + dev-libs/libevent
155 + sys-libs/zlib
156 + )
157 + snmp? ( net-analyzer/net-snmp )
158 + sqlite? ( dev-db/sqlite )
159 + ssh? ( net-libs/libssh2 )
160 + ssl? ( dev-libs/openssl:=[-bindist] )
161 + xmpp? ( dev-libs/iksemel )
162 +"
163 +
164 +RDEPEND="${COMMON_DEPEND}
165 + java? ( >=virtual/jre-1.8:* )
166 + mysql? ( virtual/mysql )
167 + proxy? ( net-analyzer/fping[suid] )
168 + server? (
169 + app-admin/webapp-config
170 + dev-libs/libevent
171 + dev-libs/libpcre
172 + net-analyzer/fping[suid]
173 + )
174 + frontend? (
175 + app-admin/webapp-config
176 + dev-lang/php:*[bcmath,ctype,sockets,gd,truetype,xml,session,xmlreader,xmlwriter,nls,sysvipc,unicode]
177 + media-libs/gd[png]
178 + virtual/httpd-php:*
179 + mysql? ( dev-lang/php[mysqli] )
180 + odbc? ( dev-lang/php[odbc] )
181 + oracle? ( dev-lang/php[oci8-instant-client] )
182 + postgres? ( dev-lang/php[postgres] )
183 + sqlite? ( dev-lang/php[sqlite] )
184 + )
185 +"
186 +DEPEND="${COMMON_DEPEND}
187 + static? (
188 + curl? ( net-misc/curl[static-libs] )
189 + ldap? (
190 + =dev-libs/cyrus-sasl-2*[static-libs]
191 + net-libs/gnutls[static-libs]
192 + net-nds/openldap[static-libs]
193 + )
194 + libxml2? ( dev-libs/libxml2[static-libs] )
195 + mysql? ( dev-db/mysql-connector-c[static-libs] )
196 + odbc? ( dev-db/unixODBC[static-libs] )
197 + postgres? ( dev-db/postgresql:*[static-libs] )
198 + sqlite? ( dev-db/sqlite[static-libs] )
199 + ssh? ( net-libs/libssh2 )
200 + )
201 +"
202 +BDEPEND="
203 + virtual/pkgconfig
204 +"
205 +
206 +PATCHES=(
207 + "${FILESDIR}/${PN}-3.0.30-security-disable-PidFile.patch"
208 + "${FILESDIR}/${PN}-3.0.30-mysql8.patch"
209 + "${FILESDIR}/${P}-fix-cve-2020-15803.patch"
210 +)
211 +
212 +S=${WORKDIR}/${MY_P}
213 +
214 +ZABBIXJAVA_BASE="opt/zabbix_java"
215 +
216 +pkg_setup() {
217 + if use oracle; then
218 + if [ -z "${ORACLE_HOME}" ]; then
219 + eerror
220 + eerror "The environment variable ORACLE_HOME must be set"
221 + eerror "and point to the correct location."
222 + eerror "It looks like you don't have Oracle installed."
223 + eerror
224 + die "Environment variable ORACLE_HOME is not set"
225 + fi
226 + if has_version 'dev-db/oracle-instantclient-basic'; then
227 + ewarn
228 + ewarn "Please ensure you have a full install of the Oracle client."
229 + ewarn "dev-db/oracle-instantclient* is NOT sufficient."
230 + ewarn
231 + fi
232 + fi
233 +
234 + if use frontend; then
235 + webapp_pkg_setup
236 + fi
237 +
238 + enewgroup zabbix
239 + enewuser zabbix -1 -1 /var/lib/zabbix/home zabbix
240 +
241 + java-pkg-opt-2_pkg_setup
242 +}
243 +
244 +src_prepare() {
245 + default
246 +}
247 +
248 +src_configure() {
249 + econf \
250 + $(use_enable agent) \
251 + $(use_enable ipv6) \
252 + $(use_enable java) \
253 + $(use_enable proxy) \
254 + $(use_enable server) \
255 + $(use_enable static) \
256 + $(use_with curl libcurl) \
257 + $(use_with ldap) \
258 + $(use_with libxml2) \
259 + $(use_with mysql) \
260 + $(use_with odbc unixodbc) \
261 + $(use_with openipmi openipmi) \
262 + $(use_with oracle) \
263 + $(use_with postgres postgresql) \
264 + $(use_with snmp net-snmp) \
265 + $(use_with sqlite sqlite3) \
266 + $(use_with ssh ssh2) \
267 + $(use_with ssl openssl) \
268 + $(use_with xmpp jabber)
269 +}
270 +
271 +src_compile() {
272 + if [ -f Makefile ] || [ -f GNUmakefile ] || [ -f makefile ]; then
273 + emake AR="$(tc-getAR)" RANLIB="$(tc-getRANLIB)"
274 + fi
275 +}
276 +
277 +src_install() {
278 + local dirs=(
279 + /etc/zabbix
280 + /var/lib/zabbix
281 + /var/lib/zabbix/home
282 + /var/lib/zabbix/scripts
283 + /var/lib/zabbix/alertscripts
284 + /var/lib/zabbix/externalscripts
285 + /var/log/zabbix
286 + )
287 +
288 + for dir in "${dirs[@]}"; do
289 + dodir "${dir}"
290 + keepdir "${dir}"
291 + done
292 +
293 + if use server; then
294 + insinto /etc/zabbix
295 + doins "${S}"/conf/zabbix_server.conf
296 + fperms 0640 /etc/zabbix/zabbix_server.conf
297 + fowners root:zabbix /etc/zabbix/zabbix_server.conf
298 +
299 + newinitd "${FILESDIR}"/zabbix-server.init zabbix-server
300 +
301 + dosbin src/zabbix_server/zabbix_server
302 +
303 + insinto /usr/share/zabbix
304 + doins -r "${S}"/database/
305 +
306 + systemd_dounit "${FILESDIR}"/zabbix-server.service
307 + systemd_newtmpfilesd "${FILESDIR}"/zabbix-server.tmpfiles zabbix-server.conf
308 + fi
309 +
310 + if use proxy; then
311 + insinto /etc/zabbix
312 + doins "${S}"/conf/zabbix_proxy.conf
313 + fperms 0640 /etc/zabbix/zabbix_proxy.conf
314 + fowners root:zabbix /etc/zabbix/zabbix_proxy.conf
315 +
316 + newinitd "${FILESDIR}"/zabbix-proxy.init zabbix-proxy
317 +
318 + dosbin src/zabbix_proxy/zabbix_proxy
319 +
320 + insinto /usr/share/zabbix
321 + doins -r "${S}"/database/
322 +
323 + systemd_dounit "${FILESDIR}"/zabbix-proxy.service
324 + systemd_newtmpfilesd "${FILESDIR}"/zabbix-proxy.tmpfiles zabbix-proxy.conf
325 + fi
326 +
327 + if use agent; then
328 + insinto /etc/zabbix
329 + doins "${S}"/conf/zabbix_agentd.conf
330 + fperms 0640 /etc/zabbix/zabbix_agentd.conf
331 + fowners root:zabbix /etc/zabbix/zabbix_agentd.conf
332 +
333 + newinitd "${FILESDIR}"/zabbix-agentd.init zabbix-agentd
334 +
335 + dosbin src/zabbix_agent/zabbix_agentd
336 + dobin \
337 + src/zabbix_sender/zabbix_sender \
338 + src/zabbix_get/zabbix_get
339 +
340 + systemd_dounit "${FILESDIR}"/zabbix-agentd.service
341 + systemd_newtmpfilesd "${FILESDIR}"/zabbix-agentd.tmpfiles zabbix-agentd.conf
342 + fi
343 +
344 + fowners root:zabbix /etc/zabbix
345 + fowners zabbix:zabbix \
346 + /var/lib/zabbix \
347 + /var/lib/zabbix/home \
348 + /var/lib/zabbix/scripts \
349 + /var/lib/zabbix/alertscripts \
350 + /var/lib/zabbix/externalscripts \
351 + /var/log/zabbix
352 + fperms 0750 \
353 + /etc/zabbix \
354 + /var/lib/zabbix \
355 + /var/lib/zabbix/home \
356 + /var/lib/zabbix/scripts \
357 + /var/lib/zabbix/alertscripts \
358 + /var/lib/zabbix/externalscripts \
359 + /var/log/zabbix
360 +
361 + dodoc README INSTALL NEWS ChangeLog \
362 + conf/zabbix_agentd.conf \
363 + conf/zabbix_proxy.conf \
364 + conf/zabbix_agentd/userparameter_examples.conf \
365 + conf/zabbix_agentd/userparameter_mysql.conf \
366 + conf/zabbix_server.conf
367 +
368 + if use frontend; then
369 + webapp_src_preinst
370 + cp -R frontends/php/* "${D}/${MY_HTDOCSDIR}"
371 + webapp_configfile \
372 + "${MY_HTDOCSDIR}"/include/db.inc.php \
373 + "${MY_HTDOCSDIR}"/include/config.inc.php
374 + webapp_src_install
375 + fi
376 +
377 + if use java; then
378 + dodir \
379 + /${ZABBIXJAVA_BASE} \
380 + /${ZABBIXJAVA_BASE}/bin \
381 + /${ZABBIXJAVA_BASE}/lib
382 + keepdir /${ZABBIXJAVA_BASE}
383 + exeinto /${ZABBIXJAVA_BASE}/bin
384 + doexe src/zabbix_java/bin/zabbix-java-gateway-${MY_PV}.jar
385 + exeinto /${ZABBIXJAVA_BASE}/lib
386 + doexe \
387 + src/zabbix_java/lib/logback-classic-0.9.27.jar \
388 + src/zabbix_java/lib/logback-console.xml \
389 + src/zabbix_java/lib/logback-core-0.9.27.jar \
390 + src/zabbix_java/lib/logback.xml \
391 + src/zabbix_java/lib/android-json-4.3_r3.1.jar \
392 + src/zabbix_java/lib/slf4j-api-1.6.1.jar
393 + newinitd "${FILESDIR}"/zabbix-jmx-proxy.init zabbix-jmx-proxy
394 + newconfd "${FILESDIR}"/zabbix-jmx-proxy.conf zabbix-jmx-proxy
395 + fi
396 +}
397 +
398 +pkg_postinst() {
399 + if use server || use proxy ; then
400 + elog
401 + elog "You may need to configure your database for Zabbix"
402 + elog "if you have not already done so."
403 + elog
404 +
405 + zabbix_homedir=$(egethome zabbix)
406 + if [ -n "${zabbix_homedir}" ] && \
407 + [ "${zabbix_homedir}" != "/var/lib/zabbix/home" ]; then
408 + ewarn
409 + ewarn "The user 'zabbix' should have his homedir changed"
410 + ewarn "to /var/lib/zabbix/home if you want to use"
411 + ewarn "custom alert scripts."
412 + ewarn
413 + ewarn "A real homedir might be needed for configfiles"
414 + ewarn "for custom alert scripts (e.g. ~/.sendxmpprc when"
415 + ewarn "using sendxmpp for Jabber alerts)."
416 + ewarn
417 + ewarn "To change the homedir use:"
418 + ewarn " usermod -d /var/lib/zabbix/home zabbix"
419 + ewarn
420 + fi
421 + fi
422 +
423 + if use server; then
424 + elog
425 + elog "For distributed monitoring you have to run:"
426 + elog
427 + elog "zabbix_server -n <nodeid>"
428 + elog
429 + elog "This will convert database data for use with Node ID"
430 + elog "and also adds a local node."
431 + elog
432 + fi
433 +
434 + elog "--"
435 + elog
436 + elog "You may need to add these lines to /etc/services:"
437 + elog
438 + elog "zabbix-agent 10050/tcp Zabbix Agent"
439 + elog "zabbix-agent 10050/udp Zabbix Agent"
440 + elog "zabbix-trapper 10051/tcp Zabbix Trapper"
441 + elog "zabbix-trapper 10051/udp Zabbix Trapper"
442 + elog
443 +
444 + if use server || use proxy ; then
445 + # check for fping
446 + fping_perms=$(stat -c %a /usr/sbin/fping 2>/dev/null)
447 + case "${fping_perms}" in
448 + 4[157][157][157])
449 + ;;
450 + *)
451 + ewarn
452 + ewarn "If you want to use the checks 'icmpping' and 'icmppingsec',"
453 + ewarn "you have to make /usr/sbin/fping setuid root and executable"
454 + ewarn "by everyone. Run the following command to fix it:"
455 + ewarn
456 + ewarn " chmod u=rwsx,g=rx,o=rx /usr/sbin/fping"
457 + ewarn
458 + ewarn "Please be aware that this might impose a security risk,"
459 + ewarn "depending on the code quality of fping."
460 + ewarn
461 + ;;
462 + esac
463 + fi
464 +}
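Review bot: The frontend branch of `src_install` protects only `include/db.inc.php` and `include/config.inc.php` through `webapp_configfile`, while the setting introduced by the CVE patch, `ZBX_IFRAME_SANDBOX`, lives in `include/defines.inc.php`, and `pkg_postinst` does not mention the new default. An administrator whose URL screen items stop working under the empty, fully restrictive sandbox value will probably edit defines.inc.php, and that edit is presumably replaced on the next upgrade because the file is not config-protected. I would add a frontend-only notice to `pkg_postinst`, e.g. `if use frontend; then elog "URL screen items are now sandboxed; see ZBX_IFRAME_SANDBOX in include/defines.inc.php"; fi`, so the behaviour change and where it is controlled are visible at install time. Separately, `cp -R frontends/php/* "${D}/${MY_HTDOCSDIR}"` has no `|| die`, so a failed copy would not abort the install.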