Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 428372 (CVE-2012-3435) - <net-analyzer/zabbix-{1.8.15,2.0.2-r1}: SQL Injection (CVE-2012-3435)
Summary: <net-analyzer/zabbix-{1.8.15,2.0.2-r1}: SQL Injection (CVE-2012-3435)
Status: RESOLVED FIXED
Alias: CVE-2012-3435
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-27 20:43 UTC by Sean Amoss (RETIRED)
Modified: 2013-11-25 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2012-07-27 20:43:51 UTC
From the Red Hat bug at $URL:

'An SQL injection flaw was found in Zabbix, where input passed via the "itemid"
parameter to popup_bitem.php is not properly sanitized before being used in an
SQL query.

The report was against version 2.0.1, but the upstream bug report [1] indicates
this also affects 1.8.x.  Upstream has patched [2] this, and there is a
potential patch for 1.8.x [3].'

[1] https://support.zabbix.com/browse/ZBX-5348
[2]
http://git.zabbixzone.com/zabbix2.0/.git/commit/333a3a5542ba8a2c901c24b7bf5440f41f1f4f54
[3] https://gist.github.com/3181678
Comment 1 Matthew Marlowe gentoo-dev 2012-07-27 21:49:04 UTC
I've requested info on the zabbix irc channel if the upstream plans to release 2.0.2 as an urgent fix.  If not, it appears that 2.0.2rc2 includes the fix so we can commit and stablize that as alternative path.

I'll have to review the 1.8.x patch to see if we want to apply that.  I haven't heard anything about a new 1.8.x release being scheduled.

Thanks for catching this bug.  I've sent an inquiry to verify how zabbix is notifying distros of security vulnerabilities.
Comment 2 Matthew Marlowe gentoo-dev 2012-07-30 09:12:29 UTC
Per Zabbix Devs - Official 2.0.2 release will be out early this week.  I'll bump it and remove the earlier 2.0.x ebuilds when it comes out.

No word yet on whether a new 1.8.x release is scheduled.
Comment 3 Matthew Marlowe gentoo-dev 2012-08-01 14:18:33 UTC
1.8.15 should be released soon with fix for 1.8.x releases.

2.0.2 was released today - bump in CVS.  I'll want to do more testing and incorporate other bug fixes in an r1 release, but for the time being it has the security patch, is marked for testing arches, and I've removed all older 2.0.x ebuilds.  None of the prior 2.0.x releases have yet reached stable status.

When 1.8.15 is released, it will become the new stable and all older 1.8.x ebuilds will be removed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-08-17 12:00:27 UTC
CVE-2012-3435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3435):
  SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix
  1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to
  execute arbitrary SQL commands via the itemid parameter.
Comment 5 Matthew Marlowe gentoo-dev 2012-08-21 15:04:35 UTC
1.8.15 and 2.0.2-r1 are in tree.
Neither are ready yet to be declared stable.
Older ebuilds have been removed - to my knowledge nothing depends on Zabbix being stable.
With a little more testing, we should be able to stabilize 1.8.15 however it was just released yesterday so I'll want to wait at least a few days to ensure it didn't introduce any obvious bugs.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-08-21 16:28:24 UTC
Ok, but we should not wait too long. Now that previous stable versions are gone stable users will have issues running 'emerge --update' methinks.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-25 17:27:32 UTC
Matthew, ok to stabilize now? Thanks.
Comment 8 Matthew Marlowe gentoo-dev 2012-08-26 21:16:19 UTC
It builds fine here and I haven't seen any new bugs since we bumped 1.8.15, so sure - let's go ahead and stabilize it so that those currently on stable have something secure to switch to.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-08-27 01:25:07 UTC
Ok, thanks.

Arches, please test and mark stable:
=net-analyzer/zabbix-1.8.15
Target keywords : "amd64 x86"
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-08-30 08:43:54 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2012-08-30 21:17:41 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2012-08-30 21:18:31 UTC
security, please vote.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-08-31 19:03:50 UTC
Thanks, folks. GLSA Vote: yes.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:57:12 UTC
Added to existing GLSA request.
Comment 15 Matthew Marlowe gentoo-dev 2012-12-17 00:11:23 UTC
(In reply to comment #14)
> Added to existing GLSA request.

I'm not seeing any information on a new vulnerability here...
There are references to newer versions in title but CVE-2012-3435 was resolved prior.
Which CVE should I be looking at?
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-11-25 17:53:49 UTC
This issue was resolved and addressed in
 GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).