-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29451.patch116
-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb1
2 files changed, 117 insertions, 0 deletions
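--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29451.patch
@@ -0,0 +1,116 @@
+From 90274a56b2505997cd1677f0bd6a8b89b21df163 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 26 Apr 2023 15:00:07 +0800
+Subject: [PATCH] Fix CVE-2023-29451
+
+.......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character
+
+Merge in ZBX/zabbix from feature/DEV-2450-6.0 to release/6.0
+
+* commit '97efb4ed5069d4febe825671e2c3d106478d082d':
+ .......PS. [DEV-2450] added mock test
+ .......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character
+ .......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character
+
+Upstream-Status: Backport
+[https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b6a8c84612a67daaf89879226349420104bff24]
+CVE: CVE-2023-29451
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/libs/zbxdiag/diag.c | 3 ++-
+ src/libs/zbxjson/json.c | 2 +-
+ src/libs/zbxjson/json.h | 1 +
+ src/libs/zbxjson/json_parser.c | 15 +++++----------
+ src/zabbix_server/reporter/report_protocol.c | 3 ++-
+ 5 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/src/libs/zbxdiag/diag.c b/src/libs/zbxdiag/diag.c
+index 6fc5509..dc47407 100644
+--- a/src/libs/zbxdiag/diag.c
++++ b/src/libs/zbxdiag/diag.c
+@@ -673,7 +673,8 @@ static void diag_get_simple_values(const struct zbx_json_parse *jp, char **msg)
+ {
+ if (FAIL == zbx_json_brackets_open(pnext, &jp_value))
+ {
+- zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, &type);
++ if (NULL == zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, &type))
++ type = ZBX_JSON_TYPE_NULL;
+
+ if (0 != msg_offset)
+ zbx_chrcpy_alloc(msg, &msg_alloc, &msg_offset, ' ');
+diff --git a/src/libs/zbxjson/json.c b/src/libs/zbxjson/json.c
+index 4161ef0..c043d7e 100644
+--- a/src/libs/zbxjson/json.c
++++ b/src/libs/zbxjson/json.c
+@@ -764,7 +764,7 @@ static unsigned int zbx_hex2num(char c)
+ * 0 on error (invalid escape sequence) *
+ * *
+ ******************************************************************************/
+-static unsigned int zbx_json_decode_character(const char **p, unsigned char *bytes)
++unsigned int zbx_json_decode_character(const char **p, unsigned char *bytes)
+ {
+ bytes[0] = '\0';
+
+diff --git a/src/libs/zbxjson/json.h b/src/libs/zbxjson/json.h
+index c59646a..4008411 100644
+--- a/src/libs/zbxjson/json.h
++++ b/src/libs/zbxjson/json.h
+@@ -29,5 +29,6 @@
+ SKIP_WHITESPACE(src)
+
+ void zbx_set_json_strerror(const char *fmt, ...) __zbx_attr_format_printf(1, 2);
++unsigned int zbx_json_decode_character(const char **p, unsigned char *bytes);
+
+ #endif
+diff --git a/src/libs/zbxjson/json_parser.c b/src/libs/zbxjson/json_parser.c
+index c8dcee4..64d24cf 100644
+--- a/src/libs/zbxjson/json_parser.c
++++ b/src/libs/zbxjson/json_parser.c
+@@ -88,7 +88,7 @@ static zbx_int64_t json_parse_string(const char *start, char **error)
+ if ('\\' == *ptr)
+ {
+ const char *escape_start = ptr;
+- int i;
++ unsigned char uc[4]; /* decoded Unicode character takes 1-4 bytes in UTF-8 */
+
+ /* unexpected end of string data, failing */
+ if ('\0' == *(++ptr))
+@@ -107,16 +107,11 @@ static zbx_int64_t json_parse_string(const char *start, char **error)
+ break;
+ case 'u':
+ /* check if the \u is followed with 4 hex digits */
+- for (i = 0; i < 4; i++)
+- {
+- if (0 == isxdigit((unsigned char)*(++ptr)))
+- {
+- return json_error("invalid escape sequence in string",
+- escape_start, error);
+- }
++ if (0 == zbx_json_decode_character(&ptr, uc)) {
++ return json_error("invalid escape sequence in string",
++ escape_start, error);
+ }
+-
+- break;
++ continue;
+ default:
+ return json_error("invalid escape sequence in string data",
+ escape_start, error);
+diff --git a/src/zabbix_server/reporter/report_protocol.c b/src/zabbix_server/reporter/report_protocol.c
+index 5f55f51..ee0e02e 100644
+--- a/src/zabbix_server/reporter/report_protocol.c
++++ b/src/zabbix_server/reporter/report_protocol.c
+@@ -421,7 +421,8 @@ void zbx_report_test(const struct zbx_json_parse *jp, zbx_uint64_t userid, struc
+ size_t value_alloc = 0;
+ zbx_ptr_pair_t pair;
+
+- zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, NULL);
++ if (NULL == zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, NULL))
++ continue;
+ pair.first = zbx_strdup(NULL, key);
+ pair.second = value;
+ zbx_vector_ptr_pair_append(&params, pair);
+--
+2.25.1
+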
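Review bot: In the report_protocol.c hunk the new `continue` taken when zbx_json_decodevalue_dyn() returns NULL drops the parameter without releasing `value`; the decoder's body is not shown, but if it can grow `value` before it rejects an invalid escape, every rejected parameter leaks that buffer, and `zbx_free(value);` ahead of `continue;` would close that. The skip is also silent, so it is worth logging the rejected key at debug level or failing the request rather than running the report test with a parameter missing. In the json_parser.c hunk the retained comment `/* check if the \u is followed with 4 hex digits */` no longer matches the code, which now delegates validation to zbx_json_decode_character() and leaves the `case` with `continue`; a comment such as `/* the decoder validates the escape and has already moved ptr past it */` would explain the change, assuming that is how the decoder leaves `ptr`. Both zbx_report_test() and json_parse_string() begin and end outside their hunks, so the declaration of `value` and the loop increment should be checked against the 5.4.12 sources this backport from release/6.0 is applied to.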
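--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz
  file://zabbix-agent.service \
  file://CVE-2022-43515.patch \
  file://CVE-2022-46768.patch \
+ file://CVE-2023-29451.patch \
 "
 
 SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"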