Diffstat (limited to 'meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch')
-rw-r--r-- | meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch | 241 |
1 files changed, 241 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch
new file mode 100644
index 0000000000..ea790f0a93
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch
@@ -0,0 +1,241 @@
+From 76f6a80cb3d6131e9c3e98918305c1bf1805fa2a Mon Sep 17 00:00:00 2001
+From: Vladislavs Sokurenko <vladislavs.sokurenko@zabbix.com>
+Date: Thu, 27 Jul 2023 12:43:02 +0000
+Subject: [PATCH] ...G...PS. [DEV-2429] fixed unauthorised file system access when using cURL
+
+Merge in ZBX/zabbix from feature/DEV-2429-6.0 to release/6.0
+
+* commit 'abf345230ee185d61cc0bd70d432fa4b093b8a53':
+ ...G...PS. [DEV-2429] fixed unautorized file system access when using curl
+ .......PS. [DEV-2429] fixed unautorized file system access in JS preprocessing
+
+CVE: CVE-2023-29450
+
+Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/76f6a80cb3d]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxembed/httprequest.c | 4 +++
+ src/libs/zbxhistory/history_elastic.c | 30 ++++++++++++++++++++++
+ src/libs/zbxhttp/http.c | 9 +++++++
+ src/libs/zbxmedia/email.c | 6 +++++
+ src/libs/zbxsysinfo/common/http.c | 9 +++++++
+ src/libs/zbxsysinfo/simple/simple.c | 11 ++++++++
+ src/zabbix_server/httppoller/httptest.c | 9 +++++++
+ src/zabbix_server/reporter/report_writer.c | 10 ++++++++
+ src/zabbix_server/vmware/vmware.c | 9 +++++++
+ 9 files changed, 97 insertions(+)
+
+diff --git a/src/libs/zbxembed/httprequest.c b/src/libs/zbxembed/httprequest.c
+index 7f0eed9..871b925 100644
+--- a/src/libs/zbxembed/httprequest.c
++++ b/src/libs/zbxembed/httprequest.c
+@@ -354,6 +354,10 @@ static duk_ret_t es_httprequest_query(duk_context *ctx, const char *http_request
+ ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_CUSTOMREQUEST, http_request, err);
+ ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_TIMEOUT_MS, timeout_ms - elapsed_ms, err);
+ ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_POSTFIELDS, ZBX_NULL2EMPTY_STR(contents), err);
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS, err);
++#endif
+
+ request->data_offset = 0;
+ request->headers_in_offset = 0;
+diff --git a/src/libs/zbxhistory/history_elastic.c b/src/libs/zbxhistory/history_elastic.c
+index 8b3ea84..fc881da 100644
+--- a/src/libs/zbxhistory/history_elastic.c
++++ b/src/libs/zbxhistory/history_elastic.c
+@@ -406,6 +406,16 @@ static void elastic_writer_add_iface(zbx_history_iface_t *hist)
+ goto out;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS,
++ CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
++ goto out;
++ }
++#endif
++
+ *page_w[hist->value_type].errbuf = '\0';
+
+ if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PRIVATE, &page_w[hist->value_type])))
+@@ -722,6 +732,16 @@ static int elastic_get_values(zbx_history_iface_t *hist, zbx_uint64_t itemid, in
+ goto out;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS,
++ CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
++ goto out;
++ }
++#endif
++
+ zabbix_log(LOG_LEVEL_DEBUG, "sending query to %s; post data: %s", data->post_url, query.buffer);
+
+ page_r.offset = 0;
+@@ -1065,6 +1085,16 @@ void zbx_elastic_version_extract(struct zbx_json *json)
+ goto clean;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(handle, opt = CURLOPT_PROTOCOLS,
++ CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ zabbix_log(LOG_LEVEL_WARNING, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
++ goto clean;
++ }
++#endif
++
+ *errbuf = '\0';
+
+ if (CURLE_OK != (err = curl_easy_perform(handle)))
+diff --git a/src/libs/zbxhttp/http.c b/src/libs/zbxhttp/http.c
+index c10922c..36774cc 100644
+--- a/src/libs/zbxhttp/http.c
++++ b/src/libs/zbxhttp/http.c
+@@ -333,6 +333,15 @@ int zbx_http_get(const char *url, const char *header, long timeout, char **out,
+ goto clean;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ *error = zbx_dsprintf(NULL, "Cannot set allowed protocols: %s", curl_easy_strerror(err));
++ goto clean;
++ }
++#endif
++
+ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url)))
+ {
+ *error = zbx_dsprintf(NULL, "Cannot specify URL: %s", curl_easy_strerror(err));
+diff --git a/src/libs/zbxmedia/email.c b/src/libs/zbxmedia/email.c
+index 3b987d9..d3af744 100644
+--- a/src/libs/zbxmedia/email.c
++++ b/src/libs/zbxmedia/email.c
+@@ -661,6 +661,12 @@ static int send_email_curl(const char *smtp_server, unsigned short smtp_port, co
+ if ('\0' != *smtp_helo)
+ zbx_snprintf(url + url_offset, sizeof(url) - url_offset, "/%s", smtp_helo);
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_SMTPS | CURLPROTO_SMTP)))
++ goto error;
++#endif
++
+ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url)))
+ goto error;
+
+diff --git a/src/libs/zbxsysinfo/common/http.c b/src/libs/zbxsysinfo/common/http.c
+index acd77e1..8dc4793 100644
+--- a/src/libs/zbxsysinfo/common/http.c
++++ b/src/libs/zbxsysinfo/common/http.c
+@@ -176,6 +176,15 @@ static int curl_page_get(char *url, char **buffer, char **error)
+ goto out;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ *error = zbx_dsprintf(*error, "Cannot set allowed protocols: %s", curl_easy_strerror(err));
++ goto out;
++ }
++#endif
++
+ if (CURLE_OK == (err = curl_easy_perform(easyhandle)))
+ {
+ if (NULL != buffer)
+diff --git a/src/libs/zbxsysinfo/simple/simple.c b/src/libs/zbxsysinfo/simple/simple.c
+index be1b9f9..80c5eac 100644
+--- a/src/libs/zbxsysinfo/simple/simple.c
++++ b/src/libs/zbxsysinfo/simple/simple.c
+@@ -189,6 +189,17 @@ static int check_https(const char *host, unsigned short port, int timeout, int *
+ goto clean;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS,
++ CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ zabbix_log(LOG_LEVEL_DEBUG, "%s: could not set cURL option [%d]: %s",
++ __func__, (int)opt, curl_easy_strerror(err));
++ goto clean;
++ }
++#endif
++
+ if (NULL != CONFIG_SOURCE_IP)
+ {
+ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP)))
+diff --git a/src/zabbix_server/httppoller/httptest.c b/src/zabbix_server/httppoller/httptest.c
+index 0ff70ef..0201442 100644
+--- a/src/zabbix_server/httppoller/httptest.c
++++ b/src/zabbix_server/httppoller/httptest.c
+@@ -696,6 +696,15 @@ static void process_httptest(DC_HOST *host, zbx_httptest_t *httptest)
+ goto clean;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ err_str = zbx_strdup(err_str, curl_easy_strerror(err));
++ goto clean;
++ }
++#endif
++
+ if (SUCCEED != zbx_http_prepare_ssl(easyhandle, httptest->httptest.ssl_cert_file,
+ httptest->httptest.ssl_key_file, httptest->httptest.ssl_key_password,
+ httptest->httptest.verify_peer, httptest->httptest.verify_host, &err_str))
+diff --git a/src/zabbix_server/reporter/report_writer.c b/src/zabbix_server/reporter/report_writer.c
+index 87d1364..7530ed0 100644
+--- a/src/zabbix_server/reporter/report_writer.c
++++ b/src/zabbix_server/reporter/report_writer.c
+@@ -162,6 +162,16 @@ static int rw_get_report(const char *url, const char *cookie, int width, int hei
+ goto out;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ *error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt,
++ (curl_error = rw_curl_error(err)));
++ goto out;
++ }
++#endif
++
+ if (NULL != CONFIG_TLS_CA_FILE && '\0' != *CONFIG_TLS_CA_FILE)
+ {
+ if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_CAINFO, CONFIG_TLS_CA_FILE)) ||
+diff --git a/src/zabbix_server/vmware/vmware.c b/src/zabbix_server/vmware/vmware.c
+index b02c8c7..718d519 100644
+--- a/src/zabbix_server/vmware/vmware.c
++++ b/src/zabbix_server/vmware/vmware.c
+@@ -2045,6 +2045,15 @@ static int vmware_service_authenticate(zbx_vmware_service_t *service, CURL *easy
+ goto out;
+ }
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++ {
++ *error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt, curl_easy_strerror(err));
++ goto out;
++ }
++#endif
++
+ if (NULL != CONFIG_SOURCE_IP)
+ {
+ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP)))
+--
+2.35.5 |
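Review bot: CURLOPT_PROTOCOLS, which every hunk of this backport adds, only restricts the scheme of the initial URL; if CURLOPT_FOLLOWLOCATION is enabled on any of these handles (it is not visible in the hunks — process_httptest in httptest.c and es_httprequest_query in httprequest.c are the first places to check, and both function bodies continue outside the hunk), the scheme a redirect may switch to is governed separately by CURLOPT_REDIR_PROTOCOLS, whose libcurl default is wider than HTTP/HTTPS (FTP/FTPS on current libcurl, and nearly every non-file scheme before 7.65.2), so a redirecting server could still steer the request to an unintended protocol. Setting it next to the new line closes that gap, e.g. in http.c `if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))` with the same error path. The `#if LIBCURL_VERSION_NUM >= 0x071304` guard also means that on an older libcurl the CVE mitigation compiles to nothing without any signal; an `#else` branch with `#error` or at least a `#warning` would make that visible at build time. Note too that libcurl 7.85.0 deprecated CURLOPT_PROTOCOLS in favour of CURLOPT_PROTOCOLS_STR, so a build using -Werror=deprecated-declarations against a recent libcurl can fail on these lines.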