aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch')
-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch247
1 files changed, 247 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch
new file mode 100644
index 0000000000..675d9e0f35
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch
@@ -0,0 +1,247 @@
+From 240754ccee1b6b35ac47862be56dacec11e65b32 Mon Sep 17 00:00:00 2001
+From: Dmitrijs Goloscapovs <dmitrijs.goloscapovs@zabbix.com>
+Date: Thu, 27 Jul 2023 11:23:54 +0000
+Subject: [PATCH] .......PS. [DEV-2387] added new limits for JS objects
+
+Merge in ZBX/zabbix from feature/DEV-2387-6.0 to release/6.0
+
+* commit '16e5f15a70cfbf00c646cb92d1fcb8a362900285':
+ .......PS. [DEV-2387] removed logsize check based on json buffer
+ .......PS. [DEV-2387] removed logsize check based on json buffer
+ .......PS. [DEV-2387] fixed pr comments
+ .......PS. [DEV-2387] removed useless include
+ .......PS. [DEV-2387] added limits for logging and adding httprequest headers
+ .......PS. [DEV-2387] limited initialization of new HttpRequest objects
+
+CVE: CVE-2023-29449
+
+Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/240754ccee1]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxembed/console.c | 23 ++++++++++++-----------
+ src/libs/zbxembed/embed.c | 1 +
+ src/libs/zbxembed/embed.h | 3 +++
+ src/libs/zbxembed/httprequest.c | 28 ++++++++++++++++++++++++++++
+ src/libs/zbxembed/zabbix.c | 23 ++++++++++++-----------
+ 5 files changed, 56 insertions(+), 22 deletions(-)
+
+diff --git a/src/libs/zbxembed/console.c b/src/libs/zbxembed/console.c
+index c733487..60c48fc 100644
+--- a/src/libs/zbxembed/console.c
++++ b/src/libs/zbxembed/console.c
+@@ -90,27 +90,28 @@ static duk_ret_t es_log_message(duk_context *ctx, int level)
+ else
+ msg_output = zbx_strdup(msg_output, "undefined");
+
+- zabbix_log(level, "%s", msg_output);
+-
+ duk_get_memory_functions(ctx, &out_funcs);
+ env = (zbx_es_env_t *)out_funcs.udata;
+
+- if (NULL == env->json)
+- goto out;
+-
+- if (ZBX_ES_LOG_MEMORY_LIMIT < env->json->buffer_size) /* approximate limit */
++ if (ZBX_ES_LOG_MEMORY_LIMIT < env->log_size)
+ {
+ err_index = duk_push_error_object(ctx, DUK_RET_EVAL_ERROR, "log exceeds the maximum size of "
+ ZBX_FS_UI64 " bytes.", ZBX_ES_LOG_MEMORY_LIMIT);
+ goto out;
+ }
+
+- zbx_json_addobject(env->json, NULL);
+- zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level);
+- zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time));
+- zbx_json_addstring(env->json, "message", msg_output, ZBX_JSON_TYPE_STRING);
+- zbx_json_close(env->json);
++ zabbix_log(level, "%s", msg_output);
++
++ if (NULL != env->json)
++ {
++ zbx_json_addobject(env->json, NULL);
++ zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level);
++ zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time));
++ zbx_json_addstring(env->json, "message", msg_output, ZBX_JSON_TYPE_STRING);
++ zbx_json_close(env->json);
++ }
+ out:
++ env->log_size += strlen(msg_output);
+ zbx_free(msg_output);
+
+ if (-1 != err_index)
+diff --git a/src/libs/zbxembed/embed.c b/src/libs/zbxembed/embed.c
+index 34d8d18..cc80925 100644
+--- a/src/libs/zbxembed/embed.c
++++ b/src/libs/zbxembed/embed.c
+@@ -444,6 +444,7 @@ int zbx_es_execute(zbx_es_t *es, const char *script, const char *code, int size,
+ zabbix_log(LOG_LEVEL_DEBUG, "In %s() param:%s", __func__, param);
+
+ zbx_timespec(&es->env->start_time);
++ es->env->http_req_objects = 0;
+
+ if (NULL != es->env->json)
+ {
+diff --git a/src/libs/zbxembed/embed.h b/src/libs/zbxembed/embed.h
+index a0a360c..2b954a8 100644
+--- a/src/libs/zbxembed/embed.h
++++ b/src/libs/zbxembed/embed.h
+@@ -48,6 +48,9 @@ struct zbx_es_env
+ struct zbx_json *json;
+
+ jmp_buf loc;
++
++ int http_req_objects;
++ size_t log_size;
+ };
+
+ zbx_es_env_t *zbx_es_get_env(duk_context *ctx);
+diff --git a/src/libs/zbxembed/httprequest.c b/src/libs/zbxembed/httprequest.c
+index 8c2839c..7f0eed9 100644
+--- a/src/libs/zbxembed/httprequest.c
++++ b/src/libs/zbxembed/httprequest.c
+@@ -52,6 +52,7 @@ typedef struct
+ size_t headers_in_alloc;
+ size_t headers_in_offset;
+ unsigned char custom_header;
++ size_t headers_sz;
+ }
+ zbx_es_httprequest_t;
+
+@@ -145,13 +146,21 @@ static duk_ret_t es_httprequest_dtor(duk_context *ctx)
+ ******************************************************************************/
+ static duk_ret_t es_httprequest_ctor(duk_context *ctx)
+ {
++#define MAX_HTTPREQUEST_OBJECT_COUNT 10
+ zbx_es_httprequest_t *request;
+ CURLcode err;
++ zbx_es_env_t *env;
+ int err_index = -1;
+
+ if (!duk_is_constructor_call(ctx))
+ return DUK_RET_TYPE_ERROR;
+
++ if (NULL == (env = zbx_es_get_env(ctx)))
++ return duk_error(ctx, DUK_RET_TYPE_ERROR, "cannot access internal environment");
++
++ if (MAX_HTTPREQUEST_OBJECT_COUNT == env->http_req_objects)
++ return duk_error(ctx, DUK_RET_EVAL_ERROR, "maximum count of HttpRequest objects was reached");
++
+ duk_push_this(ctx);
+
+ request = (zbx_es_httprequest_t *)zbx_malloc(NULL, sizeof(zbx_es_httprequest_t));
+@@ -189,7 +198,10 @@ out:
+ return duk_throw(ctx);
+ }
+
++ env->http_req_objects++;
++
+ return 0;
++#undef MAX_HTTPREQUEST_OBJECT_COUNT
+ }
+
+ /******************************************************************************
+@@ -201,10 +213,12 @@ out:
+ ******************************************************************************/
+ static duk_ret_t es_httprequest_add_header(duk_context *ctx)
+ {
++#define ZBX_ES_MAX_HEADERS_SIZE ZBX_KIBIBYTE * 128
+ zbx_es_httprequest_t *request;
+ CURLcode err;
+ char *utf8 = NULL;
+ int err_index = -1;
++ size_t header_sz;
+
+ if (NULL == (request = es_httprequest(ctx)))
+ return duk_error(ctx, DUK_RET_EVAL_ERROR, "internal scripting error: null object");
+@@ -215,9 +229,20 @@ static duk_ret_t es_httprequest_add_header(duk_context *ctx)
+ goto out;
+ }
+
++ header_sz = strlen(utf8);
++
++ if (ZBX_ES_MAX_HEADERS_SIZE < request->headers_sz + header_sz)
++ {
++ err_index = duk_push_error_object(ctx, DUK_RET_TYPE_ERROR, "headers exceeded maximum size of "
++ ZBX_FS_UI64 " bytes.", ZBX_ES_MAX_HEADERS_SIZE);
++
++ goto out;
++ }
++
+ request->headers = curl_slist_append(request->headers, utf8);
+ ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_HTTPHEADER, request->headers, err);
+ request->custom_header = 1;
++ request->headers_sz += header_sz + 1;
+ out:
+ zbx_free(utf8);
+
+@@ -225,6 +250,7 @@ out:
+ return duk_throw(ctx);
+
+ return 0;
++#undef ZBX_ES_MAX_HEADERS_SIZE
+ }
+
+ /******************************************************************************
+@@ -244,6 +270,7 @@ static duk_ret_t es_httprequest_clear_header(duk_context *ctx)
+ curl_slist_free_all(request->headers);
+ request->headers = NULL;
+ request->custom_header = 0;
++ request->headers_sz = 0;
+
+ return 0;
+ }
+@@ -311,6 +338,7 @@ static duk_ret_t es_httprequest_query(duk_context *ctx, const char *http_request
+ {
+ curl_slist_free_all(request->headers);
+ request->headers = NULL;
++ request->headers_sz = 0;
+ }
+
+ if (NULL != contents)
+diff --git a/src/libs/zbxembed/zabbix.c b/src/libs/zbxembed/zabbix.c
+index 820768f..0ecde86 100644
+--- a/src/libs/zbxembed/zabbix.c
++++ b/src/libs/zbxembed/zabbix.c
+@@ -81,27 +81,28 @@ static duk_ret_t es_zabbix_log(duk_context *ctx)
+ zbx_replace_invalid_utf8(message);
+ }
+
+- zabbix_log(level, "%s", message);
+-
+ duk_get_memory_functions(ctx, &out_funcs);
+ env = (zbx_es_env_t *)out_funcs.udata;
+
+- if (NULL == env->json)
+- goto out;
+-
+- if (ZBX_ES_LOG_MEMORY_LIMIT < env->json->buffer_size) /* approximate limit */
++ if (ZBX_ES_LOG_MEMORY_LIMIT < env->log_size)
+ {
+ err_index = duk_push_error_object(ctx, DUK_RET_EVAL_ERROR, "log exceeds the maximum size of "
+ ZBX_FS_UI64 " bytes.", ZBX_ES_LOG_MEMORY_LIMIT);
+ goto out;
+ }
+
+- zbx_json_addobject(env->json, NULL);
+- zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level);
+- zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time));
+- zbx_json_addstring(env->json, "message", message, ZBX_JSON_TYPE_STRING);
+- zbx_json_close(env->json);
++ zabbix_log(level, "%s", message);
++
++ if (NULL != env->json)
++ {
++ zbx_json_addobject(env->json, NULL);
++ zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level);
++ zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time));
++ zbx_json_addstring(env->json, "message", message, ZBX_JSON_TYPE_STRING);
++ zbx_json_close(env->json);
++ }
+ out:
++ env->log_size += strlen(message);
+ zbx_free(message);
+
+ if (-1 != err_index)
+--
+2.35.5
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-01 00:38:30 +0000