[Git][security-tracker-team/security-tracker][master] CVE-2023-32727/zabbix - buster is not affected.

Tobias Frost (@tobi) tobi at debian.org
Tue Jan 23 19:14:01 GMT 2024 


Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
36e9a771 by Tobias Frost at 2024-01-23T20:13:31+01:00
CVE-2023-32727/zabbix - buster is not affected.

The vulnerability is a format-string vulnerability, a user provided input
(dst - intented to be a target host for fping) is passed to a shell
without saniziting.

the key line for the patch for CVE-2023-32727 is in function get_interval_option():

-		zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst);
+		zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]);

"dst" is the ping target, and the resulting tmp is the complete command to be executed in the vulnerable
version. (via execl("/bin/sh", "sh", "-c", command, (char *)NULL); in zbx_execute())

Bisecting upstream brings the following commits introducing this:

Commit: 57abe5a1f2c208d05cc59029026098c2f13ed464 [1]
+       zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i0 %s", fping, dst);

[1] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464#src/libs/zbxicmpping/icmpping.c
    line 102

List of affected versions, where the commit is seen first time:

git tag --contains 57abe5a1f2c208d05cc59029026098c2f13ed464  (manually
filtered to show only first tag of every affected version)
4.4.0alpha3
5.0.0alpha1
5.2.0alpha1
5.4.0alpha1
6.0.0alpha1
6.2.0alpha1
6.4.0alpha1
7.0.0alpha1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -6428,12 +6428,14 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its
 	NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1)
 	NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1)
 	NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1)
-        NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339
+        NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339
 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...)
 	- zabbix 1:6.0.23+dfsg-1
+        [buster] - zabbix <not-affected> (Vulnerable code introduced later)
 	NOTE: https://support.zabbix.com/browse/ZBX-23857
 	NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1)
 	NOTE: https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5 (6.0.23rc1)
+        NOTE: introduced in ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3)
 CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...)
 	- zabbix 1:6.0.24+dfsg-1
 	NOTE: https://support.zabbix.com/browse/ZBX-23855
@@ -6442,7 +6444,7 @@ CVE-2023-32725 (The website configured in the URL widget will receive a session
 	- zabbix 1:6.0.23+dfsg-1
 	[bullseye] - zabbix <not-affected> (Vulnerable code not present)
 	[buster] - zabbix <not-affected> (vulnerable code introduced later)
-	NOTE: https://support.zabbix.com/browse/ZBX-23854
+	NOTE: https://support.zabbix.com/browse/ZBX-2354
 	NOTE: https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26 (6.0.22rc1)
 	NOTE: report_manager introduced with: https://github.com/zabbix/zabbix/commit/a06a08111546081e8256267bc0062cbd74dc3309 (6.0.0alpha1)
 CVE-2023-32230 (An improper handling of a malformed API request to an API server in Bo ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240123/82910098/attachment.htm>

More information about the debian-security-tracker-commits mailing list