zabbix: fix CVE-2022-43515,CVE-2022-46768

Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Changqing Li <changqing.li@windriver.com> 2023-01-05 08:54:29 +0800
committer: Armin Kuster <akuster808@gmail.com> 2023-01-12 11:05:55 -0500
commit: c479d226e7baf30657a6b7ef3196640a7a567f81 (patch)
tree: 0d0091ea8013bed6d8bf4459867847eaab6c161c
parent: 1f31570d0795da90083d1dbf28127c90908e30ee (diff)
download: meta-openembedded-contrib-c479d226e7baf30657a6b7ef3196640a7a567f81.tar.gz
3 files changed, 92 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch
new file mode 100644
index 0000000000..6028520923
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch
@@ -0,0 +1,37 @@
+From 6b5dfdb31aa503bb0358784c632ff3a04e7a8ff4 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 4 Jan 2023 13:51:03 +0800
+Subject: [PATCH] [DEV-2301] fixed spoofing X-Forwarded-For request header
+ allows to access Frontend in maintenace mode
+
+Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e]
+CVE: CVE-2022-43515
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ ui/include/classes/user/CWebUser.php | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ui/include/classes/user/CWebUser.php b/ui/include/classes/user/CWebUser.php
+index e6e651e..bfacce7 100644
+--- a/ui/include/classes/user/CWebUser.php
++++ b/ui/include/classes/user/CWebUser.php
+@@ -231,13 +231,11 @@ class CWebUser {
+ 	}
+ 
+ 	/**
+-	 * Get user ip address.
++	 * Get user IP address.
+ 	 *
+ 	 * @return string
+ 	 */
+ 	public static function getIp(): string {
+-		return (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '')
+-			? $_SERVER['HTTP_X_FORWARDED_FOR']
+-			: $_SERVER['REMOTE_ADDR'];
++		return $_SERVER['REMOTE_ADDR'];
+ 	}
+ }
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch
new file mode 100644
index 0000000000..debd0aaa8e
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch
@@ -0,0 +1,53 @@
+From 7373f92c80eb89941428468cd6b9d5c8879a7f93 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 4 Jan 2023 14:23:34 +0800
+Subject: [PATCH] [DEV-2283] added validation of the scheduled report
+ generation URL to zabbix-web-service
+
+Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/fdb03971867]
+CVE: CVE-2022-46768
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../zabbix_web_service/pdf_report_creator.go   | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/go/cmd/zabbix_web_service/pdf_report_creator.go b/src/go/cmd/zabbix_web_service/pdf_report_creator.go
+index 391b58b..8452a3d 100644
+--- a/src/go/cmd/zabbix_web_service/pdf_report_creator.go
++++ b/src/go/cmd/zabbix_web_service/pdf_report_creator.go
+@@ -29,6 +29,7 @@ import (
+ 	"net/http"
+ 	"net/url"
+ 	"strconv"
++	"strings"
+ 	"time"
+ 
+ 	"github.com/chromedp/cdproto/emulation"
+@@ -123,6 +124,23 @@ func (h *handler) report(w http.ResponseWriter, r *http.Request) {
+ 		return
+ 	}
+ 
++	if u.Scheme != "http" && u.Scheme != "https" {
++		logAndWriteError(w, fmt.Sprintf("Unexpected URL scheme: \"%s\"", u.Scheme), http.StatusBadRequest)
++		return
++	}
++
++	if !strings.HasSuffix(u.Path, "/zabbix.php") {
++		logAndWriteError(w, fmt.Sprintf("Unexpected URL path: \"%s\"", u.Path), http.StatusBadRequest)
++		return
++	}
++
++	queryParams := u.Query()
++
++	if queryParams.Get("action") != "dashboard.print" {
++		logAndWriteError(w, fmt.Sprintf("Unexpected URL action: \"%s\"", queryParams.Get("action")), http.StatusBadRequest)
++		return
++	}
++
+ 	log.Tracef(
+ 		"making chrome headless request with parameters url: %s, width: %s, height: %s for report request from %s",
+ 		u.String(), req.Parameters["width"], req.Parameters["height"], r.RemoteAddr)
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
index f5d89d6c3d..d72d3b1122 100644
--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@@ -26,6 +26,8 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz \
     file://0001-Fix-configure.ac.patch \
     file://zabbix-agent.service \
+    file://CVE-2022-43515.patch \
+    file://CVE-2022-46768.patch \
 "
 
 SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"
author	Changqing Li <changqing.li@windriver.com>	2023-01-05 08:54:29 +0800
committer	Armin Kuster <akuster808@gmail.com>	2023-01-12 11:05:55 -0500
commit	c479d226e7baf30657a6b7ef3196640a7a567f81 (patch)
tree	0d0091ea8013bed6d8bf4459867847eaab6c161c
parent	1f31570d0795da90083d1dbf28127c90908e30ee (diff)
download	meta-openembedded-contrib-c479d226e7baf30657a6b7ef3196640a7a567f81.tar.gz