Bug 493250 (CVE-2013-6824) - <net-analyzer/zabbix-{2.0.9-r1, 2.2.0-r4} : Shell command injection (CVE-2013-6824)
Status: RESOLVED FIXED
Alias: CVE-2013-6824
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://support.zabbix.com/browse/ZBX...
Whiteboard: C1 [glsa]
Reported: 2013-12-03 18:38 UTC by Matthew Marlowe (RETIRED)
Modified: 2014-01-23 07:33 UTC
Description Matthew Marlowe (RETIRED) gentoo-dev 2013-12-03 18:38:30 UTC
Upstream forwarded the following to me this morning:
https://support.zabbix.com/browse/ZBX-7479

I'll try to have updated ebuilds for all zabbix versions in tree later today.

Vulnerability is public.
We'll need to update stable.

Sad about timing, we just sent out the first zabbix GLSA in a while just last week.
Comment 1 Matthew Marlowe (RETIRED) gentoo-dev 2013-12-03 19:30:59 UTC
Updated ebuilds in CVS - waiting to test after they reach rsync servers before requesting stabilization.

Fixed versions:
2.0.9-r1
2.2.0-r4
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-12-04 03:31:07 UTC
Please advise when you are ready to go stable.
Comment 3 Matthew Marlowe (RETIRED) gentoo-dev 2013-12-04 21:50:58 UTC
Let's go ahead and stabilize 2.0.9-r1

It compiles/installs here, haven't had much time to test it but we haven't had any new bug reports for it or its immediate predecessor which was in ~arch for several days.

The other bumped ebuild 2.2.0-r1 also installed/compiled fine here, so I have no reason yet to think the upstream patch introduced any problems.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2013-12-05 16:34:40 UTC

Arches, please test and mark stable:

=net-analyzer/zabbix-2.0.9-r1

Target Keywords : "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2013-12-10 13:18:17 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-12-10 13:23:57 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Matthew Marlowe (RETIRED) gentoo-dev 2013-12-17 19:40:19 UTC
Cleanup done.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 00:10:42 UTC
CVE-2013-6824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6824):
  Zabbix before 1.8.19rc1, 2.0 before 2.0.10rc1, and 2.2 before 2.2.1rc1
  allows remote Zabbix servers and proxies to execute arbitrary commands via a
  newline in a flexible user parameter.
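Added illustration of the bug class the CVE text describes; this is not Zabbix's own code and not the upstream patch. A flexible UserParameter (`key[*],command $1`) has the agent substitute the comma-separated arguments from the item key the server or proxy sent into the command and hand the result to the shell. With UnsafeUserParameters=0 the agent rejects arguments containing shell metacharacters, but a newline was missing from that list, and the shell treats a newline exactly like `;`. The blacklist below is an approximation of the documented one, and the `dirsize` UserParameter, the item keys and all function names are constructed for the example.

```python
"""Model of a newline injection through a flexible UserParameter (CVE-2013-6824).

Added example, not Zabbix code. A flexible UserParameter such as
    UserParameter=dirsize[*],du -s $1 | cut -f1
has $1.. replaced with the arguments of the item key received from the
server/proxy; the expanded string is then run by /bin/sh.
"""
import re
import subprocess
from typing import Callable, List, Tuple

# Assumption: approximation of the documented UnsafeUserParameters blacklist.
# What matters for the CVE is that "\n" is not in it.
UNSAFE_CHARS = frozenset("\\'\"`*?[]{}~$!&;()<>|#")


def is_safe_pre_fix(arg: str) -> bool:
    """Vulnerable check: blacklist only, so a newline slips through."""
    return not any(c in UNSAFE_CHARS for c in arg)


def is_safe_post_fix(arg: str) -> bool:
    """Hardened check: also refuse newlines and any other control character."""
    return is_safe_pre_fix(arg) and all(c.isprintable() for c in arg)


def parse_item_key(key: str) -> Tuple[str, List[str]]:
    """'dirsize[/tmp,1]' -> ('dirsize', ['/tmp', '1']); a bare key has no args."""
    m = re.fullmatch(r"([A-Za-z0-9._-]+)(?:\[(.*)\])?", key, re.DOTALL)
    if m is None:
        raise ValueError("malformed item key: %r" % key)
    name, raw = m.group(1), m.group(2)
    return name, ([] if raw is None else raw.split(","))


def expand_user_parameter(template: str, args: List[str],
                          check: Callable[[str], bool]) -> str:
    """Validate every argument with `check`, then substitute $1..$9."""
    if len(args) > 9:
        raise ValueError("flexible parameters take at most 9 arguments")
    for a in args:
        if not check(a):
            raise ValueError("unsafe characters in parameter: %r" % a)
    cmd = template
    for i, a in enumerate(args, 1):
        cmd = cmd.replace("$%d" % i, a)
    return cmd


def shell_commands(cmd: str) -> List[str]:
    """What /bin/sh will execute: every newline starts a fresh command line."""
    return [line for line in cmd.split("\n") if line.strip()]


def run_in_sh(cmd: str) -> str:
    """Hand the expanded command to the shell, as the agent does via popen."""
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True,
                          text=True, check=False).stdout


TEMPLATE = "echo size-of $1"                 # constructed UserParameter body
BENIGN_KEY = "dirsize[/tmp]"                 # constructed normal item key
# Constructed hostile key: the newline is raw, as a server/proxy would send it.
MALICIOUS_KEY = "dirsize[/tmp\necho INJECTED]"

if __name__ == "__main__":
    for key in (BENIGN_KEY, MALICIOUS_KEY):
        _, args = parse_item_key(key)
        for label, check in (("pre-fix", is_safe_pre_fix),
                             ("post-fix", is_safe_post_fix)):
            try:
                cmd = expand_user_parameter(TEMPLATE, args, check)
            except ValueError as err:
                print(label, repr(key), "rejected:", err)
                continue
            print(label, repr(key), "runs", shell_commands(cmd),
                  "->", run_in_sh(cmd).split())
```

Running the script shows the pre-fix check accepting the hostile key and the shell printing both `size-of /tmp` and `INJECTED`, while the post-fix check rejects it before anything reaches the shell. The wider lesson is the one the upstream fix applies: a metacharacter blacklist in front of a shell is only as good as its last omission, and rejecting all control characters (or not going through a shell at all) is the safer default.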
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-01-23 07:33:36 UTC
This issue was resolved and addressed in
 GLSA 201401-26 at http://security.gentoo.org/glsa/glsa-201401-26.xml
by GLSA coordinator Sergey Popov (pinkbyte).