From 76f6a80cb3d6131e9c3e98918305c1bf1805fa2a Mon Sep 17 00:00:00 2001
From: Vladislavs Sokurenko <vladislavs.sokurenko@zabbix.com>
Date: Thu, 27 Jul 2023 12:43:02 +0000
Subject: [PATCH] ...G...PS. [DEV-2429] fixed unauthorised file system access
 when using cURL

Merge in ZBX/zabbix from feature/DEV-2429-6.0 to release/6.0

* commit 'abf345230ee185d61cc0bd70d432fa4b093b8a53':
  ...G...PS. [DEV-2429] fixed unautorized file system access when using curl
  .......PS. [DEV-2429] fixed unautorized file system access in JS preprocessing

CVE: CVE-2023-29450

Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/76f6a80cb3d]

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 src/libs/zbxembed/httprequest.c            |  4 +++
 src/libs/zbxhistory/history_elastic.c      | 30 ++++++++++++++++++++++
 src/libs/zbxhttp/http.c                    |  9 +++++++
 src/libs/zbxmedia/email.c                  |  6 +++++
 src/libs/zbxsysinfo/common/http.c          |  9 +++++++
 src/libs/zbxsysinfo/simple/simple.c        | 11 ++++++++
 src/zabbix_server/httppoller/httptest.c    |  9 +++++++
 src/zabbix_server/reporter/report_writer.c | 10 ++++++++
 src/zabbix_server/vmware/vmware.c          |  9 +++++++
 9 files changed, 97 insertions(+)

diff --git a/src/libs/zbxembed/httprequest.c b/src/libs/zbxembed/httprequest.c
index 7f0eed9..871b925 100644
--- a/src/libs/zbxembed/httprequest.c
+++ b/src/libs/zbxembed/httprequest.c
@@ -354,6 +354,10 @@ static duk_ret_t	es_httprequest_query(duk_context *ctx, const char *http_request
	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_CUSTOMREQUEST, http_request, err);
	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_TIMEOUT_MS, timeout_ms - elapsed_ms, err);
	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_POSTFIELDS, ZBX_NULL2EMPTY_STR(contents), err);
+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS, err);
+#endif

	request->data_offset = 0;
	request->headers_in_offset = 0;
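Review bot: When LIBCURL_VERSION_NUM is below 0x071304 the `#if` around the new ZBX_CURL_SETOPT line compiles the protocol restriction out with no diagnostic, so a build against an old libcurl silently keeps the unrestricted behaviour this patch is meant to remove. The same guard shape is repeated in history_elastic.c, http.c, email.c, common/http.c, simple.c, httptest.c, report_writer.c and vmware.c. An `#else` branch carrying `#warning "CURLOPT_PROTOCOLS unavailable (libcurl < 7.19.4): outgoing requests are not restricted to HTTP/HTTPS"` (or a configure-time minimum version) would make the gap visible to whoever builds it. Separately, CURLOPT_PROTOCOLS is marked deprecated from libcurl 7.85.0 in favour of CURLOPT_PROTOCOLS_STR, so toolchains with deprecation warnings enabled will flag every one of these lines; es_httprequest_query continues outside the hunk.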
diff --git a/src/libs/zbxhistory/history_elastic.c b/src/libs/zbxhistory/history_elastic.c
index 8b3ea84..fc881da 100644
--- a/src/libs/zbxhistory/history_elastic.c
+++ b/src/libs/zbxhistory/history_elastic.c
@@ -406,6 +406,16 @@ static void	elastic_writer_add_iface(zbx_history_iface_t *hist)
		goto out;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS,
+			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
+		goto out;
+	}
+#endif
+
	*page_w[hist->value_type].errbuf = '\0';

	if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PRIVATE, &page_w[hist->value_type])))
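Review bot: The same ten-line setopt-and-log block is pasted into three functions of this file (here, elastic_get_values and zbx_elastic_version_extract) and, with small variations, into eight other files of this patch, and the copies have already drifted: the third one logs at LOG_LEVEL_WARNING where the first two use LOG_LEVEL_ERR. A small shared helper, e.g. `int zbx_http_restrict_protocols(CURL *handle, long protocols, char **error)` in zbxhttp, would keep the allowed-protocol policy and its version guard in one place and make a later move to CURLOPT_PROTOCOLS_STR a single edit. The WARNING level may be deliberate for version extraction, which the hunk does not show, so that part is a question rather than a defect. elastic_writer_add_iface continues outside the hunk.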
@@ -722,6 +732,16 @@ static int	elastic_get_values(zbx_history_iface_t *hist, zbx_uint64_t itemid, in
		goto out;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS,
+			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
+		goto out;
+	}
+#endif
+
	zabbix_log(LOG_LEVEL_DEBUG, "sending query to %s; post data: %s", data->post_url, query.buffer);

	page_r.offset = 0;
@@ -1065,6 +1085,16 @@ void	zbx_elastic_version_extract(struct zbx_json *json)
		goto clean;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(handle, opt = CURLOPT_PROTOCOLS,
+			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		zabbix_log(LOG_LEVEL_WARNING, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
+		goto clean;
+	}
+#endif
+
	*errbuf = '\0';

	if (CURLE_OK != (err = curl_easy_perform(handle)))
diff --git a/src/libs/zbxhttp/http.c b/src/libs/zbxhttp/http.c
index c10922c..36774cc 100644
--- a/src/libs/zbxhttp/http.c
+++ b/src/libs/zbxhttp/http.c
@@ -333,6 +333,15 @@ int	zbx_http_get(const char *url, const char *header, long timeout, char **out,
		goto clean;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		*error = zbx_dsprintf(NULL, "Cannot set allowed protocols: %s", curl_easy_strerror(err));
+		goto clean;
+	}
+#endif
+
	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url)))
	{
		*error = zbx_dsprintf(NULL, "Cannot specify URL: %s", curl_easy_strerror(err));
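Review bot: CURLOPT_PROTOCOLS only constrains the scheme of the URL handed to the handle; if zbx_http_get also enables CURLOPT_FOLLOWLOCATION (not visible in this hunk) the scheme a redirect may land on is governed by CURLOPT_REDIR_PROTOCOLS, whose libcurl default is wider than HTTP/HTTPS. Pairing the new line with `curl_easy_setopt(easyhandle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)` under the same version guard (that option also dates from 7.19.4) closes that path; the same consideration applies to the handles in common/http.c, httptest.c, report_writer.c and vmware.c wherever redirects are followed. zbx_http_get continues outside the hunk.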
diff --git a/src/libs/zbxmedia/email.c b/src/libs/zbxmedia/email.c
index 3b987d9..d3af744 100644
--- a/src/libs/zbxmedia/email.c
+++ b/src/libs/zbxmedia/email.c
@@ -661,6 +661,12 @@ static int	send_email_curl(const char *smtp_server, unsigned short smtp_port, co
	if ('\0' != *smtp_helo)
		zbx_snprintf(url + url_offset, sizeof(url) - url_offset, "/%s", smtp_helo);

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_SMTPS | CURLPROTO_SMTP)))
+		goto error;
+#endif
+
	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url)))
		goto error;

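Review bot: The guard value 0x071304 (7.19.4) is lower than the libcurl release that introduced CURLPROTO_SMTP and CURLPROTO_SMTPS (7.20.0, 0x071400), so the comment on the new block is accurate for CURLOPT_PROTOCOLS but not for the two flags it passes. In practice the surrounding SMTP code presumably already requires 7.20.0 (any build-time check is outside the hunk), so this is a precision issue rather than a build break: `#if LIBCURL_VERSION_NUM >= 0x071400` with the comment `/* CURLOPT_PROTOCOLS needs 7.19.4, CURLPROTO_SMTP/SMTPS need 7.20.0 */` would document the real minimum. send_email_curl continues outside the hunk.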
diff --git a/src/libs/zbxsysinfo/common/http.c b/src/libs/zbxsysinfo/common/http.c
index acd77e1..8dc4793 100644
--- a/src/libs/zbxsysinfo/common/http.c
+++ b/src/libs/zbxsysinfo/common/http.c
@@ -176,6 +176,15 @@ static int	curl_page_get(char *url, char **buffer, char **error)
		goto out;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		*error = zbx_dsprintf(*error, "Cannot set allowed protocols: %s", curl_easy_strerror(err));
+		goto out;
+	}
+#endif
+
	if (CURLE_OK == (err = curl_easy_perform(easyhandle)))
	{
		if (NULL != buffer)
diff --git a/src/libs/zbxsysinfo/simple/simple.c b/src/libs/zbxsysinfo/simple/simple.c
index be1b9f9..80c5eac 100644
--- a/src/libs/zbxsysinfo/simple/simple.c
+++ b/src/libs/zbxsysinfo/simple/simple.c
@@ -189,6 +189,17 @@ static int	check_https(const char *host, unsigned short port, int timeout, int *
		goto clean;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS,
+			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		zabbix_log(LOG_LEVEL_DEBUG, "%s: could not set cURL option [%d]: %s",
+				__func__, (int)opt, curl_easy_strerror(err));
+		goto clean;
+	}
+#endif
+
	if (NULL != CONFIG_SOURCE_IP)
	{
		if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP)))
diff --git a/src/zabbix_server/httppoller/httptest.c b/src/zabbix_server/httppoller/httptest.c
index 0ff70ef..0201442 100644
--- a/src/zabbix_server/httppoller/httptest.c
+++ b/src/zabbix_server/httppoller/httptest.c
@@ -696,6 +696,15 @@ static void	process_httptest(DC_HOST *host, zbx_httptest_t *httptest)
		goto clean;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		err_str = zbx_strdup(err_str, curl_easy_strerror(err));
+		goto clean;
+	}
+#endif
+
	if (SUCCEED != zbx_http_prepare_ssl(easyhandle, httptest->httptest.ssl_cert_file,
			httptest->httptest.ssl_key_file, httptest->httptest.ssl_key_password,
			httptest->httptest.verify_peer, httptest->httptest.verify_host, &err_str))
diff --git a/src/zabbix_server/reporter/report_writer.c b/src/zabbix_server/reporter/report_writer.c
index 87d1364..7530ed0 100644
--- a/src/zabbix_server/reporter/report_writer.c
+++ b/src/zabbix_server/reporter/report_writer.c
@@ -162,6 +162,16 @@ static int	rw_get_report(const char *url, const char *cookie, int width, int hei
		goto out;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		*error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt,
+				(curl_error = rw_curl_error(err)));
+		goto out;
+	}
+#endif
+
	if (NULL != CONFIG_TLS_CA_FILE && '\0' != *CONFIG_TLS_CA_FILE)
	{
		if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_CAINFO, CONFIG_TLS_CA_FILE)) ||
diff --git a/src/zabbix_server/vmware/vmware.c b/src/zabbix_server/vmware/vmware.c
index b02c8c7..718d519 100644
--- a/src/zabbix_server/vmware/vmware.c
+++ b/src/zabbix_server/vmware/vmware.c
@@ -2045,6 +2045,15 @@ static int	vmware_service_authenticate(zbx_vmware_service_t *service, CURL *easy
		goto out;
	}

+#if LIBCURL_VERSION_NUM >= 0x071304
+	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
+	{
+		*error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt, curl_easy_strerror(err));
+		goto out;
+	}
+#endif
+
	if (NULL != CONFIG_SOURCE_IP)
	{
		if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP)))
--
2.35.5