Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 733118 (CVE-2020-15803) - <net-analyzer/zabbix-{3.0.31-r1, 4.0.22, 5.0.2}: Stored XSS Vulnerability (CVE-2020-15803)
Summary: <net-analyzer/zabbix-{3.0.31-r1, 4.0.22, 5.0.2}: Stored XSS Vulnerability (CV...
Status: RESOLVED FIXED
Alias: CVE-2020-15803
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://support.zabbix.com/browse/ZBX...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-18 04:26 UTC by John Helmert III
Modified: 2020-08-05 14:58 UTC (History)
3 users (show)

See Also:
Package list:
=net-analyzer/zabbix-5.0.2 amd64 x86 =net-analyzer/zabbix-4.0.22 amd64 x86 =net-analyzer/zabbix-3.0.31-r1 amd64 x86
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 04:26:47 UTC
CVE-2020-15803:

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.



It appears we need a bump to 3.0.32, though this versioning is a bit confusing for me so maintainers please advise if this isn't completely accurate.
Comment 1 Miroslav Šulc gentoo-dev 2020-07-18 04:48:38 UTC
afaics there is no 3.0.32 released yet. otherwise we have the latest versions bumped (just yesterday) but imo they can be stabilized.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 21:05:10 UTC
(In reply to Miroslav Šulc from comment #1)
> afaics there is no 3.0.32 released yet. otherwise we have the latest
> versions bumped (just yesterday) but imo they can be stabilized.

Yeah, looks like that.
Comment 3 Miroslav Šulc gentoo-dev 2020-07-19 10:01:26 UTC
i just added the versions we already have for stabilization. imo there's no need to wait. anyway, we still don't have that 3.0.32 as it was not released yet.
Comment 4 Agostino Sarubbo gentoo-dev 2020-07-19 12:23:06 UTC
x86 stable
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 20:21:46 UTC
(In reply to Miroslav Šulc from comment #3)
> i just added the versions we already have for stabilization. imo there's no
> need to wait. anyway, we still don't have that 3.0.32 as it was not released
> yet.

An alternative would be to drop the 3.x version since we appear to have several newer branches in-tree. Any reason to keep it in-tree and wait for upstream on it?
Comment 6 Miroslav Šulc gentoo-dev 2020-07-20 03:12:26 UTC
(In reply to John Helmert III (ajak) from comment #5)
> (In reply to Miroslav Šulc from comment #3)
> > i just added the versions we already have for stabilization. imo there's no
> > need to wait. anyway, we still don't have that 3.0.32 as it was not released
> > yet.
> 
> An alternative would be to drop the 3.x version since we appear to have
> several newer branches in-tree. Any reason to keep it in-tree and wait for
> upstream on it?

i'm just sticking to what upstream does, which is they keep all these versions as lts (except 4.4): https://www.zabbix.com/download_sources#tab:30LTS
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 17:15:36 UTC
amd64 stable
Comment 8 Larry the Git Cow gentoo-dev 2020-07-28 08:40:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a2fdd0c7f29d5880b0fbe6bc4b055d1de30d5d1

commit 6a2fdd0c7f29d5880b0fbe6bc4b055d1de30d5d1
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-28 08:39:42 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-28 08:39:42 +0000

    net-analyzer/zabbix: removed old and vulnerable 4.0.21 4.4.9 5.0.1
    
    Bug: https://bugs.gentoo.org/733118
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 net-analyzer/zabbix/Manifest             |   3 -
 net-analyzer/zabbix/zabbix-4.0.21.ebuild | 350 -------------------------------
 net-analyzer/zabbix/zabbix-4.4.9.ebuild  | 347 ------------------------------
 net-analyzer/zabbix/zabbix-5.0.1.ebuild  | 347 ------------------------------
 4 files changed, 1047 deletions(-)
Comment 9 Miroslav Šulc gentoo-dev 2020-07-28 08:42:11 UTC
sorry for the delay, i did not notice all archs are stabilized. upstream still did not release 3.0.32.
Comment 10 NATTkA bot gentoo-dev 2020-07-28 08:48:33 UTC
Unable to check for sanity:

> no match for package: =net-analyzer/zabbix-4.4.10
Comment 11 Miroslav Šulc gentoo-dev 2020-07-28 08:57:22 UTC
4.4* is not supported by upstream anymore so i removed that one from the tree.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 02:40:46 UTC
(In reply to Miroslav Šulc from comment #9)
> sorry for the delay, i did not notice all archs are stabilized. upstream
> still did not release 3.0.32.

No worries at all -- you're uber responsive all of the time, and I forgot to ask to cleanup anyway!

I think we're still waiting on 3.0.32 but the rest are OK.
Comment 13 Miroslav Šulc gentoo-dev 2020-07-29 04:52:33 UTC
i tried to find the commit that fixes it in the upstream repo so that i could apply just that patch to 3.0.31 but i can't see it. in fact i can't see any commit between 3.0.31 and 3.0.32rc1. the repo is here: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits?until=refs%2Fheads%2Frelease%2F3.0
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 04:58:16 UTC
(In reply to Miroslav Šulc from comment #13)
> i tried to find the commit that fixes it in the upstream repo so that i
> could apply just that patch to 3.0.31 but i can't see it. in fact i can't
> see any commit between 3.0.31 and 3.0.32rc1. the repo is here:
> https://git.zabbix.com/projects/ZBX/repos/zabbix/
> commits?until=refs%2Fheads%2Frelease%2F3.0

From https://support.zabbix.com/browse/ZBX-18057?focusedCommentId=439120&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-439120, I think it's:

https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cbbbf09ae6b

(not sure why I did not notice this sooner)
Comment 15 Miroslav Šulc gentoo-dev 2020-07-29 05:09:13 UTC
(In reply to Sam James from comment #14)
> (In reply to Miroslav Šulc from comment #13)
> > i tried to find the commit that fixes it in the upstream repo so that i
> > could apply just that patch to 3.0.31 but i can't see it. in fact i can't
> > see any commit between 3.0.31 and 3.0.32rc1. the repo is here:
> > https://git.zabbix.com/projects/ZBX/repos/zabbix/
> > commits?until=refs%2Fheads%2Frelease%2F3.0
> 
> From
> https://support.zabbix.com/browse/ZBX-18057?focusedCommentId=439120&page=com.
> atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-
> 439120, I think it's:
> 
> https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cbbbf09ae6b
> 
> (not sure why I did not notice this sooner)

thanks :-) i have to leave now and won't be at pc whole day, will get and apply the patch tomorrow.
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-30 02:28:46 UTC
(In reply to Miroslav Šulc from comment #15)
> thanks :-) i have to leave now and won't be at pc whole day, will get and
> apply the patch tomorrow.

No worries!
Comment 17 Larry the Git Cow gentoo-dev 2020-07-30 08:25:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43e5d720ddda22f747772ffe6cfab9b2362ed0f6

commit 43e5d720ddda22f747772ffe6cfab9b2362ed0f6
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-30 08:24:38 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-30 08:25:00 +0000

    net-analyzer/zabbix: fixed CVE-2020-15803 in 3.0.31-r1
    
    Bug: https://bugs.gentoo.org/733118
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 .../files/zabbix-3.0.31-fix-cve-2020-15803.patch   |  83 +++++
 net-analyzer/zabbix/zabbix-3.0.31-r1.ebuild        | 351 +++++++++++++++++++++
 2 files changed, 434 insertions(+)
Comment 18 Miroslav Šulc gentoo-dev 2020-07-30 08:27:05 UTC
please stabilize newly added 3.0.31-r1 (contains patch that should fix the cve).
Comment 19 Agostino Sarubbo gentoo-dev 2020-08-05 13:54:22 UTC
amd64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2020-08-05 14:19:20 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 21 Larry the Git Cow gentoo-dev 2020-08-05 14:27:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5a6e082349adea21e3a5d416eac8f7e491d5c2a

commit b5a6e082349adea21e3a5d416eac8f7e491d5c2a
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-08-05 14:26:41 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-08-05 14:26:41 +0000

    net-analyzer/zabbix: removed vulnerable 3.0.31
    
    Bug: https://bugs.gentoo.org/733118
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 net-analyzer/zabbix/zabbix-3.0.31.ebuild | 350 -------------------------------
 1 file changed, 350 deletions(-)
Comment 22 Miroslav Šulc gentoo-dev 2020-08-05 14:27:47 UTC
we're clean now
Comment 23 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-05 14:58:22 UTC
(In reply to Miroslav Šulc from comment #22)
> we're clean now

Thanks a bunch. All done, closing!