Bug 20215 - zoneminder new security issues CVE-2016-10140, CVE-2016-1020[1-6], and CVE-2017-5595
Summary: zoneminder new security issues CVE-2016-10140, CVE-2016-1020[1-6], and CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/713052/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-31 05:02 CET by David Walser
Modified: 2017-06-10 01:06 CEST (History)
6 users (show)

See Also:
Source RPM: zoneminder-1.30.0-3.mga6.src.rpm
CVE: CVE-2016-10140, CVE-2016-1020[1-6], and CVE-2017-5595
Status comment:


Attachments
Terminal output for zmsetup - upgrade - zmsetup (34.02 KB, text/plain)
2017-05-24 02:29 CEST, Barry Jackson
Details

Description David Walser 2017-01-31 05:02:12 CET
Debian-LTS has issued an advisory on January 29:
https://lwn.net/Alerts/712996/

Mageia 5 is also affected.
David Walser 2017-01-31 05:02:23 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Barry Jackson 2017-02-01 01:04:44 CET
This is known and documented and I would rather not change it, as it will make ZoneMinder set-up more difficult for new users.

We have a note in zoneminder.conf which explains about this here:

http://svnweb.mageia.org/packages/cauldron/zoneminder/current/SOURCES/zoneminder.conf?view=markup

It has been the same for years.

Opinions welcome ;)
Comment 2 David Walser 2017-02-01 01:49:20 CET
The package should probably have something in its Apache configuration to restrict the directory with the images to only be accessible from localhost.  People can then customize that to say what systems they want it to be accessible from, and/or implement authentication.  By default then, it would be mitigated, but in a relatively simple way (restricting to localhost by default is simpler than having some default authentication enabled).
Comment 3 David Walser 2017-02-02 11:57:33 CET
Another security issue in zoneminder:
http://openwall.com/lists/oss-security/2017/02/02/18

There is apparently no fix available.  It sounds like only Cauldron is affected.
Comment 4 Barry Jackson 2017-02-03 14:16:12 CET
Thanks David,
I have pointed ZM devs to that report.
Comment 5 David Walser 2017-02-05 15:30:21 CET
(In reply to David Walser from comment #3)
> Another security issue in zoneminder:
> http://openwall.com/lists/oss-security/2017/02/02/18

CVE-2016-1020[1-6] assigned:
http://openwall.com/lists/oss-security/2017/02/05/1

Summary: zoneminder new security issue CVE-2016-10140 => zoneminder new security issues CVE-2016-10140 and CVE-2016-1020[1-6]

Comment 6 David Walser 2017-02-21 11:51:18 CET
Fedora has issued an advisory on February 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/25GCK3X4C2XY4YBBWCKSWDEYWBHTJKGV/

It fixes an additional issue, CVE-2017-5595.

Summary: zoneminder new security issues CVE-2016-10140 and CVE-2016-1020[1-6] => zoneminder new security issues CVE-2016-10140, CVE-2016-1020[1-6], and CVE-2017-5595

Comment 7 Barry Jackson 2017-02-21 20:14:50 CET
(In reply to David Walser from comment #6)
> Fedora has issued an advisory on February 18:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/25GCK3X4C2XY4YBBWCKSWDEYWBHTJKGV/
> 
> It fixes an additional issue, CVE-2017-5595.

The patch for the above appears to be previously applied in our Mga5 and 6 versions, so I'm a little confused.
I will have a word with Andrew Bauer upstream (and Fedora) and try to understand better what they have done.
Comment 8 Barry Jackson 2017-02-21 23:23:43 CET
CVE-2017-5595 is now fixed in Cauldron

(the patch was faulty and I had to manually edit the files and re-diff with some help from upstream).

Regarding this issue in Mageia 5, I think we may need to update it to the same version as Cauldron. I have been running this version on my Mga5 server for months, however we may be missing a perl dep in Mga5 IIRC - I will look into our options.
Comment 9 Barry Jackson 2017-02-24 01:00:58 CET
CVE-2016-10140 is now fixed in cauldron.

I have fixes for both CVE-2017-5595 and CVE-2016-10140 for Mga5 which I will push together unless any others can be fixed at the same time. - WIP
Comment 10 Nicolas Lécureuil 2017-04-25 15:04:30 CEST
any news for this in cauldron ?

CC: (none) => mageia

Comment 11 Barry Jackson 2017-04-26 00:47:03 CEST
I have asked upstream .. again.
Comment 12 Nicolas Lécureuil 2017-04-26 08:42:30 CEST
what is the list of the CVE we still need to adress ?
Comment 13 David Walser 2017-04-26 11:43:10 CEST
(In reply to Nicolas Lécureuil from comment #12)
> what is the list of the CVE we still need to adress ?

All of them in Mageia 5, CVE-2016-1020[1-6] in Cauldron (but I'm not aware of a fix for those).
Comment 14 David Walser 2017-04-26 11:43:40 CEST
Feel free to split a new bug for Mageia 5 with the available fixes if the last ones still can't be fixed.
Comment 15 Nicolas Lécureuil 2017-05-01 01:45:07 CEST
what about updating to the latest version from cauldron in mga5 ?
Comment 16 Barry Jackson 2017-05-01 12:31:03 CEST
As I said in #8 we are missing deps for the current cauldron version in Mga5. 
Updating to the latest version would offer no advantage re. CVEs as I have a fix for Mga5 that brings it to the same state as Mga6, but was hoping to apply all fixes in one update.
It seems that there is little progress re. CVE-2016-1020[1-6] so I will go ahead and prepare advisory for CVE-2017-5595 and CVE-2016-10140 for Mga5 in the next few days.
Comment 17 Nicolas Lécureuil 2017-05-04 00:16:35 CEST
and what is the status on cauldron ?
Comment 18 Barry Jackson 2017-05-07 11:35:53 CEST
All has changed for the better since yesterday.

Following my discussions with upstream regarding the various CVEs, they have now detailed the CVEs that have been fixed in the 1.30.2 release notes.
Previously the release notes just mentioned 'various security issues'.

https://github.com/ZoneMinder/ZoneMinder/releases/tag/1.30.2.

I will now over the coming days (I am short on time) test this version in cauldron and look at the possibility of updating in Mageia 5.
Comment 19 Barry Jackson 2017-05-09 00:34:14 CEST
I have requested a freeze push of zoneminder-1.30.3 in Cauldron and tested this version locally.

I have also pushed the same version (with a lower release) to Mga5 updates_testing.

Update goes smooth in Mga5 and I have the Mga5 version running on my Mga5 server using both php and the web API.

There is a new Require needed in Mageia 5 for this, and perl-Sys--Meminfo has also been pushed to 5/updates_testing by Shlomi (thanks!).

Update advisory to follow tomorrow, when I recover from this marathon ;)
Comment 20 Nicolas Lécureuil 2017-05-09 07:38:55 CEST
pushed in cauldron

CVE: (none) => CVE-2016-10140, CVE-2016-1020[1-6], and CVE-2017-5595
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 21 Barry Jackson 2017-05-11 00:42:41 CEST
CVEs have been assigned for security issues fixed upstream in ZoneMinder:

CVE-2016-10140, CVE-2016-10201, CVE-2016-10202, CVE-2016-10203, CVE-2016-10204, CVE-2016-10205
CVE-2016-10206, CVE-2017-5367, CVE-2017-5368, CVE-2017-5595 and CVE-2017-7203.

These are fixed in zoneminder-1.30.4-2.mga6 in Cauldron and a freeze push has been requested.

Update candidate zoneminder-1.30.4-1.mga5 has been submitted to 5/core/updates_testing.

Advisory:
=========================

This update fixes the following security issues:

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server
configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker
to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV
images on the server via the /events URI. (CVE-2016-10140)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. (CVE-2016-10201)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. (CVE-2016-10202)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. (CVE-2016-10203)
 
SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. (CVE-2016-10204)

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. (CVE-2016-10205)

Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. (CVE-2016-10206)

Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). (CVE-2017-5367)

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). (CVE-2017-5368)

A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. (CVE-2017-5595)

A Cross-Site Scripting (XSS) was discovered in ZoneMinder 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. (CVE-2017-7203)

Notes for sysadmins:
1. CRSF attacks are now blocked by setting the ZoneMinder variable 'ENABLE_CSRF_MAGIC' to 'yes'. During system update you may want to check that this variable is set. In Mageia 'yes' is the default for new installs of ZoneMInder.
2. Changes have been made to /etc/httpd/conf/site.d/zoneminder.conf to mitigate CVE-2016-10140. Make sure to accept the new configuration when updating existing systems.

References:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zoneminder
https://github.com/ZoneMinder/ZoneMinder/releases/tag/1.30.2
https://github.com/ZoneMinder/ZoneMinder/releases
https://github.com/ZoneMinder/ZoneMinder/commit/c5906a5d4f9adc7bdaabcf035fe223997883018b (CVE-2016-10201)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10204)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10205)
https://github.com/ZoneMinder/ZoneMinder/commit/ea5342abd2ef3b7dfb1b05e59ccf420196264340 (CVE-2017-7203 & CVE-2017-5367)
https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 (CVE-2017-5595)

========================

Updated packages in core/updates_testing:
========================
zoneminder-1.30.4-1.mga5.src.rpm

zoneminder-1.30.4-1.mga5.x86_64.rpm
zoneminder-debuginfo-1.30.4-1.mga5.x86_64.rpm

zoneminder-1.30.4-1.mga5.i586.rpm
zoneminder-debuginfo-1.30.4-1.mga5.i586.rpm

========================

I'm not sure how practical it will be to try to verify these fixes, however if someone does want to try to compromise my server, it is running this version of zoneminder on Mga5 ;) Please email me privately for access details.

Barry
Barry Jackson 2017-05-11 00:44:53 CEST

Assignee: zen25000 => qa-bugs

Dave Hodgins 2017-05-11 22:49:11 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 22 Herman Viaene 2017-05-18 11:48:27 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Tried to run zmsetup, but first run failed with firewall issue. Disabled firewall alltogether and then 
# zmsetup 
*** Welcome to ZoneMinder Setup ***
Please wait a moment...
Please enter your mysql root password: 
You already have a ZoneMinder database installed
Do you want to re-use it? [y/n] n
Delete existing ZoneMinder database? OK? [y/n] y
Installing a new ZoneMinder database ...
Job for zoneminder.service failed. See "systemctl status zoneminder.service" and "journalctl -xe" for details.
Problem starting ZoneMinder - look at /var/logs/zm/zm_pkg.log
But /var/logs does not exist, it is /var/log, so no log written.
and
systemctl -l status zoneminder.service
â zoneminder.service - ZoneMinder CCTV recording and security system
   Loaded: loaded (/usr/lib/systemd/system/zoneminder.service; enabled)
   Active: failed (Result: exit-code) since do 2017-05-18 11:16:48 CEST; 1min 43s ago
  Process: 4568 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=255)

mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: Can't connect to db at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder/Config.pm line 129.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder/Config.pm line 129.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: Compilation failed in require at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder.pm line 33.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder.pm line 33.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: Compilation failed in require at /usr/bin/zmpkg.pl line 48.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: BEGIN failed--compilation aborted at /usr/bin/zmpkg.pl line 48.
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: zoneminder.service: control process exited, code=exited status=255
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: Failed to start ZoneMinder CCTV recording and security system.
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: Unit zoneminder.service entered failed state.
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: zoneminder.service failed.
and journal gives
DBI connect('database=zm;host=localhost','zmuser',...) failed: Access denied for user 'zmuser'@'localhost
I checked with phpmyadmin: the databasz zm is created, but there is no trace of a user "zmuser".
Removedzm database completely and tried zmsztup again, but got the same result.

CC: (none) => herman.viaene

Comment 23 Barry Jackson 2017-05-18 22:03:21 CEST
Hmm.. a clean install in Mga5 is the one scenario I did not test.
Update in Mga5 tested fine, as did upgrade to Mga6.

I will test in a clean install in a Mga5 VM, meanwhile I just tested a clean install in Mga6 for reference and zmsetup output follows:

*** Welcome to ZoneMinder Setup ***
Checking the current ZM_USER_PASSWORD...
The password is not strong enough, it is based on a dictionary word.
Passwords should have at least eight characters with no dictionary
words or common sequences.
Please enter a new one now. (hint: write it down first as it will not be displayed)
New password: 
The password is not strong enough, it is too short.
New password: 
OK
Repeat password: 
Please wait a moment...
You do not appear to have a mysql root password set.

Passwords should have at least eight characters with no dictionary
words or common sequences.
Please enter a new one now. (hint: write it down first as it will not be displayed)
New password: 
OK
Repeat password: 
Set new password now - confirm - OK? [y/n] y
Please wait ...
Installing a new ZoneMinder database ...
You do not appear to have a timezone set for php.
This is required for the Web-UI to work.

Added timezone Europe/London to /etc/php.ini 

Congratulations - ZoneMinder is now running.
You should be able to access the ZM Console in your browser using :-
http://leno/zm
[root@leno baz]#

Link works and ZM is running.

Thanks for finding the (logs) typo ;)

CC: (none) => zen25000

Comment 24 Barry Jackson 2017-05-18 23:44:42 CEST
Hi Herman,

I found it! Phew!

I packaged the old version of zmsetup and the old version of a README in error.

Please re-test with zoneminder-1.30.4-1.1 when it hits 5/core_updates.

If all is well I will re-do the advisory with the package name changed.

Sorry for the extra work :\
Comment 25 Barry Jackson 2017-05-19 00:11:05 CEST
Update candidate zoneminder-1.30.4-1.1.mga5 has been submitted to 5/core/updates_testing.

Advisory:
=========================

This update fixes the following security issues:

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server
configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker
to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV
images on the server via the /events URI. (CVE-2016-10140)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. (CVE-2016-10201)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. (CVE-2016-10202)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. (CVE-2016-10203)
 
SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. (CVE-2016-10204)

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. (CVE-2016-10205)

Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. (CVE-2016-10206)

Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). (CVE-2017-5367)

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). (CVE-2017-5368)

A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. (CVE-2017-5595)

A Cross-Site Scripting (XSS) was discovered in ZoneMinder 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. (CVE-2017-7203)

Notes for sysadmins:
1. CRSF attacks are now blocked by setting the ZoneMinder variable 'ENABLE_CSRF_MAGIC' to 'yes'. During system update you may want to check that this variable is set. In Mageia 'yes' is the default for new installs of ZoneMInder.
2. Changes have been made to /etc/httpd/conf/site.d/zoneminder.conf to mitigate CVE-2016-10140. Make sure to accept the new configuration when updating existing systems.

References:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zoneminder
https://github.com/ZoneMinder/ZoneMinder/releases/tag/1.30.2
https://github.com/ZoneMinder/ZoneMinder/releases
https://github.com/ZoneMinder/ZoneMinder/commit/c5906a5d4f9adc7bdaabcf035fe223997883018b (CVE-2016-10201)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10204)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10205)
https://github.com/ZoneMinder/ZoneMinder/commit/ea5342abd2ef3b7dfb1b05e59ccf420196264340 (CVE-2017-7203 & CVE-2017-5367)
https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 (CVE-2017-5595)

========================

Updated packages in core/updates_testing:
========================
zoneminder-1.30.4-1.1.mga5.src.rpm

zoneminder-1.30.4-1.1.mga5.x86_64.rpm
zoneminder-debuginfo-1.30.4-1.1.mga5.x86_64.rpm

zoneminder-1.30.4-1.1.mga5.i586.rpm
zoneminder-debuginfo-1.30.4-1.1.mga5.i586.rpm

========================

########################
Note: When this is validated it will be neccessary to also push/move perl-Sys-Meminfo from updates testing to core
before zoneminder as this is a new Require (no need to wait for it to build - it's not a BuildRequire).
########################
Comment 26 David Walser 2017-05-19 04:34:59 CEST
> Note: When this is validated it will be neccessary to also push/move
> perl-Sys-Meminfo from updates testing to core

Then that package is part of this update and should have been listed in your package list with your advisory (and not in a separate note).  Because it wasn't, whoever added the advisory to SVN missed it, and if that's not corrected, the package *won't* be pushed with this update.

Removing the advisory tag from the whiteboard until that package is added (but note, if this gets validated, my removing that tag won't stop this from being pushed incorrectly).

Whiteboard: advisory => (none)

Comment 27 Dave Hodgins 2017-05-19 19:28:15 CEST
Added perl-Sys-MemInfo-0.910.0-1.mga5 to srpm list in the advisory.

Whiteboard: (none) => advisory

Comment 28 Lewis Smith 2017-05-23 21:47:14 CEST
Testing M5x64 real hardware
BEFORE update: installed zoneminder-1.28.0-2.33f3612.1.mga5
(Do not set up a database in advance, as is suggested somewhere).

 # zmsetup
[3;J
 *** Welcome to ZoneMinder Setup ***
 Please wait a moment...
 Please enter your mysql root password: 
 Installing a new ZoneMinder database ...
 Congratulations - ZoneMinder is now running.
 You should be able to access the ZM Console in your browser using :-
 http://localhost.localdomain/zm
The MySQL dtabase set up is 'zm'.

 # systemctl status zoneminder.service
● zoneminder.service - ZoneMinder CCTV recording and security system
   Loaded: loaded (/usr/lib/systemd/system/zoneminder.service; enabled)
   Active: active (running) since Maw 2017-05-23 21:07:29 CEST; 7min ago
  Process: 22046 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=0/SUCCESS)
 Main PID: 22155 (zmdc.pl)
   CGroup: /system.slice/zoneminder.service
           ├─22155 /usr/bin/perl -wT /usr/bin/zmdc.pl startup
           ├─22430 /usr/bin/perl -wT /usr/bin/zmfilter.pl
           ├─22506 /usr/bin/perl -wT /usr/bin/zmaudit.pl -c
           └─22562 /usr/bin/perl -wT /usr/bin/zmwatch.pl

Mai 23 21:07:24 localhost.localdomain zmdc[22155]: INF [Server starting at 17...
etc etc

 http://localhost.localdomain/zm
shows page "ZoneMinder Console - Running - v1.28.0"
The 'Add new monitor' & 'Filters' buttons pop up neat dialogue windows; as do the 'Options' & 'Log' links. No sign of logout.

All looks good.

UPDATE to: zoneminder-1.30.4-1.1.mga5
also pulled in
- perl-Class-Std-0.11.0-5.mga5.noarch
- perl-Class-Std-Fast-0.0.8-9.mga5.noarch
- perl-Data-UUID-1.219.0-7.mga5.x86_64
- perl-IO-Interface-1.70.0-3.mga5.x86_64
- perl-IO-Socket-Multicast-1.120.0-11.mga5.x86_64
- perl-SOAP-WSDL-3.1.0-3.mga5.noarch
- perl-Sys-CPU-0.610.0-5.mga5.x86_64
- perl-Sys-MemInfo-0.910.0-1.mga5.x86_64         ***

# zmsetup
[3;J
*** Welcome to ZoneMinder Setup ***
Checking the current ZM_USER_PASSWORD...
The password is not strong enough, it is based on a dictionary word.
Passwords should have at least eight characters with no dictionary
words or common sequences.          [Mine complied, but I changed it anyway]
Please enter a new one now. (hint: write it down first as it will not be displayed)
New password: 
OK
Repeat password: 
Please wait a moment...
Please enter your mysql root password: 
You already have a ZoneMinder database installed
Do you want to re-use it? [y/n] y
Updating database structure where necessary ...

Initiating database upgrade to version 1.30.4 from version 1.28.0

Please ensure that ZoneMinder is stopped on your system prior to upgrading the database.
   [ # systemctl stop zoneminder.service ]
Press enter to continue or ctrl-C to stop : 

Do you wish to take a backup of your database prior to upgrading?
This may result in a large file in /var/tmp/zm if you have a lot of events.
Press 'y' for a backup or 'n' to continue : n

Upgrading database to version 1.30.4
Loading config from DB
No option 'ZM_EYEZM_DEBUG' found, removing.
No option 'ZM_EYEZM_EVENT_VCODEC' found, removing.
No option 'ZM_EYEZM_FEED_VCODEC' found, removing.
No option 'ZM_EYEZM_H264_DEFAULT_BR' found, removing.
No option 'ZM_EYEZM_H264_DEFAULT_EVBR' found, removing.
No option 'ZM_EYEZM_H264_TIMEOUT' found, removing.
No option 'ZM_EYEZM_LOG_FILE' found, removing.
No option 'ZM_EYEZM_LOG_TO_FILE' found, removing.
No option 'ZM_EYEZM_SEG_DURATION' found, removing.
No option 'ZM_WEB_P_AJAX_TIMEOUT' found, removing.
No option 'ZM_WEB_P_CAN_STREAM' found, removing.
No option 'ZM_WEB_P_DEFAULT_RATE' found, removing.
No option 'ZM_WEB_P_DEFAULT_SCALE' found, removing.
No option 'ZM_WEB_P_SCALE_THUMBS' found, removing.
No option 'ZM_WEB_P_STREAM_METHOD' found, removing.
No option 'ZM_WEB_P_VIDEO_BITRATE' found, removing.
No option 'ZM_WEB_P_VIDEO_MAXFPS' found, removing.
Saving config to DB
Upgrading DB to 1.28.1 from 1.28.0

Database successfully upgraded to version 1.28.1.
[...19 times the same 3 lines]

Database upgrade to version 1.30.4 successful.

You do not appear to have a timezone set for php.
This is required for the Web-UI to work.

Added timezone Europe/Paris to /etc/php.ini 

Congratulations - ZoneMinder is now running.
You should be able to access the ZM Console in your browser using :-
http://localhost.localdomain/zm

 # systemctl status zoneminder.service
● zoneminder.service - ZoneMinder CCTV recording and security system
   Loaded: loaded (/usr/lib/systemd/system/zoneminder.service; enabled)
   Active: active (running) since Maw 2017-05-23 21:33:14 CEST; 4min 50s ago
  Process: 32071 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=0/SUCCESS)
 Main PID: 32182 (zmdc.pl)
   CGroup: /system.slice/zoneminder.service
           ├─32182 /usr/bin/perl -wT /usr/bin/zmdc.pl startup
           ├─32478 /usr/bin/perl -wT /usr/bin/zmfilter.pl
           ├─32528 /usr/bin/perl -wT /usr/bin/zmaudit.pl -c
           ├─32624 /usr/bin/perl -wT /usr/bin/zmwatch.pl
           └─32704 /usr/bin/perl -w /usr/bin/zmtelemetry.pl

Mai 23 21:33:13 localhost.localdomain zmfilter[32478]: INF [Scanning for events]
etc etc

 http://localhost.localdomain/zm
Initial screen showed OK, Filters/Options/Log worked OK, but *not* 'Add new monitor'. In fact the 'Log' link was shown red, and in the displayed log:

2017-05-23 21:40:12.586201	web_js	24395	ERR	ReferenceError: addMonitor is not defined	http://localhost.localdomain/zm/	1
2017-05-23 21:39:29.318748	web_js	32073	ERR	TypeError: form.elements.autoArchive is undefined	http://localhost.localdomain/zm/skins/classic/views/js/filter.js	10
2017-05-23 21:39:23.450179	web_js	32073	ERR	TypeError: form.elements.autoArchive is undefined	http://localhost.localdomain/zm/skins/classic/views/js/filter.js	10
2017-05-23 21:39:04.031831	web_js	32070	ERR	ReferenceError: addMonitor is not defined	http://localhost.localdomain/zm/	1
2017-05-23 21:38:59.767802	web_js	32070	ERR	ReferenceError: addMonitor is not defined	http://localhost.localdomain/zm/	1
...
2017-05-23 21:26:45.565530	zmpkg	5025	FAT	Can't execute: Unknown column 'IsActive' in 'field list'	zmpkg.pl

Need your feedback on this, please, Barry.

Whiteboard: advisory => advisory feedback
CC: (none) => lewyssmith

Comment 29 Barry Jackson 2017-05-24 00:52:26 CEST
I am on it.
Something went wrong in the db updates - those lines should not have repeated, but should have reported each step in the sequence between 1.28.x and 1.30.4.
It worked fine when I tested it. :\
It may be a day or so.
Comment 30 Barry Jackson 2017-05-24 02:19:37 CEST
I just net-installed Mga5 on a partition on my SSD on my main system.
I'm using it now.

I installed zoneminder-1.28.0 from Mga5 repo and ran zmsetup.

I added a monitor for my uvc webcam but hit a minor issue which needed user apache adding to the video group, after which it worked fine.

I then enabled updates_testing and ran urpmi zoneminder, which updated to 1.30.4-1.1

Followed by zmsetup

The db update went perfectly and every step was different, no lines were repeated.

The monitor still worked as before in the web interface and I was able to delete the monitor and create a new one which also works fine.

Whether the fact that you maybe had no monitors set up before upgrading affected the database I am not sure, but anyone upgrading a working system would not hit that. I never have.

I also checked the Web API by following:
https://github.com/pliablepixels/zmNinja/wiki/Validating-if-APIs-work-on-ZM
(skip test 4 which is known to fail in ZM > 1.30.1)

This works as expected.

I will attach the terminal output of both zmsetup runs below.
Comment 31 Barry Jackson 2017-05-24 02:29:42 CEST
Created attachment 9328 [details]
Terminal output for zmsetup - upgrade - zmsetup

Note that "Please ensure that ZoneMinder is stopped on your system prior to upgrading the database." May be ignored as my script does this first. That text is output by an upstream perl script that I can't silence :\

Barry
Comment 32 Barry Jackson 2017-05-24 03:02:48 CEST
Forgot to mention the password - zmsetup now uses the same cracklib password checker that is used by mariadb to be certain that a password will not cause a breakage of zmsetup later on in the process. This was necessary since the new mariadb ships with strict password checking ON by default.
An existing mysql root password that would fail now is still honoured if it was set in an earlier version (found by experiment).

Barry
Comment 33 Lewis Smith 2017-05-27 08:21:55 CEST
@Barry: Thank you for all your cross-checking. I will ask in QA for someone with a webcam etc. to try this update - I have nothing. If nothing crops up, your own test looks impeccable. Give it a few days.

Whiteboard: advisory feedback => advisory

Comment 34 Lewis Smith 2017-05-27 16:33:40 CEST
More on post-update x64

The 19 database upgrade messages note in Comment 28 clearly relate to the DB's 18 tables.

After a reboot or two, I had another look at zoneminder. This time the initial screen showed no errors ('log' link not red). Better, the 'Add new monitor' worked. Despite having nothing for it, I saved the default dialogue, and it was shown on the main screen with 'Source' in red; reasonable.
The log is full of errors. By the time I wrote this, the startup ones had scrolled away and the following 6 were being repeated every several 10s of seconds:

2017-05-27 16:24:02.429900	zmdc		8611	INF	'zmc -d /dev/video0' started at 17/05/27 16:24:02	zmdc.pl	
2017-05-27 16:24:02.419410	zmdc		5521	INF	'zmc -d /dev/video0' starting at 17/05/27 16:24:02, pid = 8611	zmdc.pl	
2017-05-27 16:24:01.666480	zmwatch		5987	INF	Restarting capture daemon for Monitor-1, shared data not valid	zmwatch.pl
2017-05-27 16:21:41.358240	zmwatch		5987	ERR	Memory map file '/dev/shm/zm.mmap.1' does not exist. zmc might not be running.	zmwatch.pl	
2017-05-27 16:21:31.489180	zmdc		5521	ERR	'zmc -d /dev/video0' exited abnormally, exit status 255	zmdc.pl	
2017-05-27 16:21:31.445558	zmc_dvideo0		31177	FAT	Can't find swscale format for palette 0	zm_local_camera.cpp	223

If I can capture the startup ones anothe time, I will post them. They were more varied.
Comment 35 Barry Jackson 2017-05-28 01:13:22 CEST
All the log messages look reasonable since you have created a monitor that has no camera attached.
ZoneMinder is quite verbose and spews out lots of info into the logs, even on a fully working system, so don't be too worried by a few red ones, especially during start-up.
Comment 36 Lewis Smith 2017-05-30 22:45:15 CEST
In the light of Barry's generous feedback, and particularly his own run-through of the update (Comments 30-31), this looks good for 64-bit. If nobody comes forward for 32-bits soon, it can be validated as-is.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 37 Dave Hodgins 2017-06-07 07:30:41 CEST
Got it working on an i586 install, on x86_64 hardware, with a webcam (had to override several settings, such as image size, ntsc instead of pal, etc.), and confirmed it was still working after installing the update.

Validating the update.

Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 38 Nicolas Lécureuil 2017-06-08 23:26:47 CEST
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â (None found)
Checking SRPMs⦠                      â (5/core/zoneminder-1.30.4-1.mga5) â 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 39 Lewis Smith 2017-06-09 20:10:05 CEST
(In reply to Nicolas Lécureuil from comment #38)
> Update ID assignment failed
> Checking for QA validation keyword⦠  â
> Checking dependent bugs⦠             â (None found)
> Checking SRPMs⦠                      â (5/core/zoneminder-1.30.4-1.mga5) â 

I see; advisory wrong. The package tested was: zoneminder-1.30.4-1.1.mga5
The advisory had .4-1 which I have updated to .4-1.1
Re-validating.

Keywords: (none) => validated_update

Comment 40 Mageia Robot 2017-06-10 01:06:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0162.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.