zabbix: fix CVE-2022-43515,CVE-2022-46768

Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Changqing Li <changqing.li@windriver.com> 2023-01-05 08:54:29 +0800
committer: Armin Kuster <akuster808@gmail.com> 2023-01-12 11:05:55 -0500
commit: c479d226e7baf30657a6b7ef3196640a7a567f81 (patch)
tree: 0d0091ea8013bed6d8bf4459867847eaab6c161c
parent: 1f31570d0795da90083d1dbf28127c90908e30ee (diff)
download: meta-openembedded-c479d226e7baf30657a6b7ef3196640a7a567f81.tar.gz
3 files changed, 92 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch
new file mode 100644
index 0000000000..6028520923
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch
@@ -0,0 +1,37 @@
+From 6b5dfdb31aa503bb0358784c632ff3a04e7a8ff4 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 4 Jan 2023 13:51:03 +0800
+Subject: [PATCH] [DEV-2301] fixed spoofing X-Forwarded-For request header
+ allows to access Frontend in maintenace mode
+Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e]
+CVE: CVE-2022-43515
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ ui/include/classes/user/CWebUser.php | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+diff --git a/ui/include/classes/user/CWebUser.php b/ui/include/classes/user/CWebUser.php
+index e6e651e..bfacce7 100644
+--- a/ui/include/classes/user/CWebUser.php
+++ b/ui/include/classes/user/CWebUser.php
+@@ -231,13 +231,11 @@ class CWebUser {
+        }
+ 
+        /**
+-        * Get user ip address.
+        * Get user IP address.
+         *
+         * @return string
+         */
+        public static function getIp(): string {
+-               return (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '')
+-                       ? $_SERVER['HTTP_X_FORWARDED_FOR']
+-                       : $_SERVER['REMOTE_ADDR'];
+               return $_SERVER['REMOTE_ADDR'];
+        }
+ }
+-- 
+2.25.1
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch
new file mode 100644
index 0000000000..debd0aaa8e
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch
@@ -0,0 +1,53 @@
+From 7373f92c80eb89941428468cd6b9d5c8879a7f93 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 4 Jan 2023 14:23:34 +0800
+Subject: [PATCH] [DEV-2283] added validation of the scheduled report
+ generation URL to zabbix-web-service
+Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/fdb03971867]
+CVE: CVE-2022-46768
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../zabbix_web_service/pdf_report_creator.go   | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+diff --git a/src/go/cmd/zabbix_web_service/pdf_report_creator.go b/src/go/cmd/zabbix_web_service/pdf_report_creator.go
+index 391b58b..8452a3d 100644
+--- a/src/go/cmd/zabbix_web_service/pdf_report_creator.go
+++ b/src/go/cmd/zabbix_web_service/pdf_report_creator.go
+@@ -29,6 +29,7 @@ import (
+        "net/http"
+        "net/url"
+        "strconv"
+       "strings"
+        "time"
+ 
+        "github.com/chromedp/cdproto/emulation"
+@@ -123,6 +124,23 @@ func (h *handler) report(w http.ResponseWriter, r *http.Request) {
+                return
+        }
+ 
+       if u.Scheme != "http" && u.Scheme != "https" {
+               logAndWriteError(w, fmt.Sprintf("Unexpected URL scheme: \"%s\"", u.Scheme), http.StatusBadRequest)
+               return
+       }
+
+       if !strings.HasSuffix(u.Path, "/zabbix.php") {
+               logAndWriteError(w, fmt.Sprintf("Unexpected URL path: \"%s\"", u.Path), http.StatusBadRequest)
+               return
+       }
+
+       queryParams := u.Query()
+
+       if queryParams.Get("action") != "dashboard.print" {
+               logAndWriteError(w, fmt.Sprintf("Unexpected URL action: \"%s\"", queryParams.Get("action")), http.StatusBadRequest)
+               return
+       }
+
+        log.Tracef(
+                "making chrome headless request with parameters url: %s, width: %s, height: %s for report request from %s",
+                u.String(), req.Parameters["width"], req.Parameters["height"], r.RemoteAddr)
+-- 
+2.25.1
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
index f5d89d6c3d..d72d3b1122 100644
--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@@ -26,6 +26,8 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz \
    file://0001-Fix-configure.ac.patch \
    file://zabbix-agent.service \
+    file://CVE-2022-43515.patch \
+    file://CVE-2022-46768.patch \
 "
 SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"
author	Changqing Li <changqing.li@windriver.com>	2023-01-05 08:54:29 +0800
committer	Armin Kuster <akuster808@gmail.com>	2023-01-12 11:05:55 -0500
commit	c479d226e7baf30657a6b7ef3196640a7a567f81 (patch)
tree	0d0091ea8013bed6d8bf4459867847eaab6c161c
parent	1f31570d0795da90083d1dbf28127c90908e30ee (diff)
download	meta-openembedded-c479d226e7baf30657a6b7ef3196640a7a567f81.tar.gz

diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch new file mode 100644 index 0000000000..6028520923 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch
@@ -0,0 +1,37 @@
		1	From 6b5dfdb31aa503bb0358784c632ff3a04e7a8ff4 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Wed, 4 Jan 2023 13:51:03 +0800
		4	Subject: [PATCH] [DEV-2301] fixed spoofing X-Forwarded-For request header
		5	allows to access Frontend in maintenace mode
		6
		7	Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e]
		8	CVE: CVE-2022-43515
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11	---
		12	ui/include/classes/user/CWebUser.php \| 6 ++----
		13	1 file changed, 2 insertions(+), 4 deletions(-)
		14
		15	diff --git a/ui/include/classes/user/CWebUser.php b/ui/include/classes/user/CWebUser.php
		16	index e6e651e..bfacce7 100644
		17	--- a/ui/include/classes/user/CWebUser.php
		18	+++ b/ui/include/classes/user/CWebUser.php
		19	@@ -231,13 +231,11 @@ class CWebUser {
		20	}
		21
		22	/**
		23	- * Get user ip address.
		24	+ * Get user IP address.
		25	*
		26	* @return string
		27	*/
		28	public static function getIp(): string {
		29	- return (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '')
		30	- ? $_SERVER['HTTP_X_FORWARDED_FOR']
		31	- : $_SERVER['REMOTE_ADDR'];
		32	+ return $_SERVER['REMOTE_ADDR'];
		33	}
		34	}
		35	--
		36	2.25.1
		37


diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch new file mode 100644 index 0000000000..debd0aaa8e --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch
@@ -0,0 +1,53 @@
		1	From 7373f92c80eb89941428468cd6b9d5c8879a7f93 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Wed, 4 Jan 2023 14:23:34 +0800
		4	Subject: [PATCH] [DEV-2283] added validation of the scheduled report
		5	generation URL to zabbix-web-service
		6
		7	Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/fdb03971867]
		8	CVE: CVE-2022-46768
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11	---
		12	.../zabbix_web_service/pdf_report_creator.go \| 18 ++++++++++++++++++
		13	1 file changed, 18 insertions(+)
		14
		15	diff --git a/src/go/cmd/zabbix_web_service/pdf_report_creator.go b/src/go/cmd/zabbix_web_service/pdf_report_creator.go
		16	index 391b58b..8452a3d 100644
		17	--- a/src/go/cmd/zabbix_web_service/pdf_report_creator.go
		18	+++ b/src/go/cmd/zabbix_web_service/pdf_report_creator.go
		19	@@ -29,6 +29,7 @@ import (
		20	"net/http"
		21	"net/url"
		22	"strconv"
		23	+ "strings"
		24	"time"
		25
		26	"github.com/chromedp/cdproto/emulation"
		27	@@ -123,6 +124,23 @@ func (h handler) report(w http.ResponseWriter, r http.Request) {
		28	return
		29	}
		30
		31	+ if u.Scheme != "http" && u.Scheme != "https" {
		32	+ logAndWriteError(w, fmt.Sprintf("Unexpected URL scheme: \"%s\"", u.Scheme), http.StatusBadRequest)
		33	+ return
		34	+ }
		35	+
		36	+ if !strings.HasSuffix(u.Path, "/zabbix.php") {
		37	+ logAndWriteError(w, fmt.Sprintf("Unexpected URL path: \"%s\"", u.Path), http.StatusBadRequest)
		38	+ return
		39	+ }
		40	+
		41	+ queryParams := u.Query()
		42	+
		43	+ if queryParams.Get("action") != "dashboard.print" {
		44	+ logAndWriteError(w, fmt.Sprintf("Unexpected URL action: \"%s\"", queryParams.Get("action")), http.StatusBadRequest)
		45	+ return
		46	+ }
		47	+
		48	log.Tracef(
		49	"making chrome headless request with parameters url: %s, width: %s, height: %s for report request from %s",
		50	u.String(), req.Parameters["width"], req.Parameters["height"], r.RemoteAddr)
		51	--
		52	2.25.1
		53


diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb index f5d89d6c3d..d72d3b1122 100644 --- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb +++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@@ -26,6 +26,8 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
26	SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz \	26	SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz \
27	file://0001-Fix-configure.ac.patch \	27	file://0001-Fix-configure.ac.patch \
28	file://zabbix-agent.service \	28	file://zabbix-agent.service \
		29	file://CVE-2022-43515.patch \
		30	file://CVE-2022-46768.patch \
29	"	31	"
30		32
31	SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"	33	SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"