Bug 236517 (CVE-2008-3880) - www-misc/zoneminder <1.24.0 filter array SQL injection (CVE-2008-{3880,3881,3882})
Summary: www-misc/zoneminder <1.24.0 filter array SQL injection (CVE-2008-{3880,3881,3...
Status: RESOLVED FIXED
Alias: CVE-2008-3880
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: ~1 [noglsa]
Duplicates: 259372
Reported: 2008-09-02 22:39 UTC by Robert Buchholz (RETIRED)
Modified: 2009-08-03 13:19 UTC

Attachments
ebuild for 1.24.1 (zoneminder-1.24.1.ebuild,3.49 KB, text/plain)
2009-06-14 14:42 UTC, Henk Remijn PA5KT

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 22:39:33 UTC
CVE-2008-3880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3880):
  SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3
  and earlier allows remote attackers to execute arbitrary SQL commands via the
  filter array parameter.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 22:46:40 UTC
mailed upstream
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 22:48:20 UTC
CVE-2008-3881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3881):
  Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23.3 and
  earlier allow remote attackers to inject arbitrary web script or HTML via
  unspecified parameters to unspecified "zm_html_view_*.php" files.

CVE-2008-3882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3882):
  ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary
  commands (aka "Command Injection") via (1) the executeFilter function in
  zm_html_view_events.php and (2) the run_state parameter to
  zm_html_view_state.php.

Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-28 21:50:43 UTC
Should we mask the package?
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2009-01-26 19:26:53 UTC
Still no solution from upstream. The only workaround that exists is:

Restrict access to ZoneMinder (e.g. with ".htaccess").

Package.masked package.

Security team, CVE-2008-3882 is considered as critical. Please, update Severity.
Comment 5 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2009-01-30 18:23:39 UTC
I contacted upstream to determine the status. Upstream said that all of them are fixed in a soon-to-be-released 1.24.0. 
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2009-02-01 13:32:05 UTC
(In reply to comment #4)
> Security team, CVE-2008-3882 is considered as critical. Please, update
> Severity.

Update isn't needed since any ~ is trivial.
Comment 7 David Bosso 2009-02-11 23:19:50 UTC
1.24.0 has been released.
http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.24.0

SECURITY : Fixed all known security vulnerabilities from earlier versions.
Comment 8 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2009-02-18 20:41:12 UTC
*** Bug 259372 has been marked as a duplicate of this bug. ***
Comment 9 David Bosso 2009-02-25 16:55:34 UTC
1.24.1 has been released:
http://www.zoneminder.com/index.php?id=20&type=0&backPID=15&tt_news=61
Comment 10 Milos Ivanovic 2009-03-06 06:04:35 UTC
When possible, requesting portage update to 1.24.1 (all previous security issues fixed, and website code re-written) and therefore a removal of the hard mask.

Thank you.
Comment 11 Rene Hertell 2009-03-28 23:27:43 UTC
Any news about an update to this package?
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-29 17:30:08 UTC
web-apps, please provide an updated ebuild.
Comment 13 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2009-03-29 17:33:21 UTC
I've been working on an ebuild of this, but it still doesn't work right in some cases, so I'm still tracking down some loose ends.
Comment 14 MasterC 2009-05-01 01:33:33 UTC
Hoping for a new ebuild soon.  I've been holding off building my security system :)  Been playing with it on Ubuntu, seems like a project worthwhile.

-Chad
Comment 15 P.V.Anthony 2009-05-07 15:56:42 UTC
(In reply to comment #14)
> Hoping for a new ebuild soon.  I've been holding off building my security
> system :)  Been playing with it on Ubuntu, seems like a project worthwhile.
> 
> -Chad

I too am hoping for a new ebuild soon.

P.V.Anthony
Comment 16 Gabriel Máculus 2009-05-30 21:49:16 UTC
(In reply to comment #15)
> (In reply to comment #14)
> > Hoping for a new ebuild soon.  I've been holding off building my security
> > system :)  Been playing with it on Ubuntu, seems like a project worthwhile.
> > 
> > -Chad
> 
> I too am hoping for a new ebuild soon.
> 
> P.V.Anthony
> 
If someone has a draft of an ebuild for this, please attach a patch to this bug to avoid duplicated work; I'm starting to work on this...
Comment 17 Adam Nielsen 2009-06-08 04:40:22 UTC
How's this going?  The new version's been out for four months but the version in Portage is still old and has security issues!

Any ideas how long before we get an ebuild, or should we just install manually from source?
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-06-08 08:34:12 UTC
If you attach a working ebuild to this bug, we can move it faster.
Comment 19 Henk Remijn PA5KT 2009-06-14 14:42:36 UTC
Created attachment 194659
ebuild for 1.24.1

I just copied the old ebuild. Don't know if the dependencies are really necessary.
Comment 20 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2009-08-03 11:21:25 UTC
+*zoneminder-1.24.2 (03 Aug 2009)
+
+  03 Aug 2009; Thomas Anderson <gentoofan23@gentoo.org>
+  +files/1.24.2/Makefile.am.patch, +zoneminder-1.24.2.ebuild,
+  +files/1.24.2/db_upgrade_script_location.patch,
+  +files/1.24.2/zm_create.sql.in.patch,
+  +files/1.24.2/zm_remote_camera_http.patch:
+  Add www-misc/zoneminder-1.24.2; fixes bug #262019 and security bug
+  #236517.
+
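Review bot: The description on the "Add www-misc/zoneminder-1.24.2" line cites the security fix only as bug #236517; naming CVE-2008-3880, CVE-2008-3881 and CVE-2008-3882 there would let anyone searching the ChangeLog by CVE identifier find the fixed version. The entry also lists only additions (the new ebuild and four files/1.24.2 patches), so the vulnerable <1.24.0 ebuilds are not removed by this change and still need a follow-up removal or a continued mask.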

Zoneminder 1.24.2 fixes all known security flaws.
Comment 21 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-03 13:19:30 UTC
Thanks, Thomas. Closing as [noglsa] since it's ~.