diff --git a/.cvsignore b/.gitignore
similarity index 100%
rename from .cvsignore
rename to .gitignore
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 537d8ee..0000000
--- a/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Makefile for source rpm: zoneminder
-# $Id$
-NAME := zoneminder
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/zoneminder-1.22.3-runlevel.patch b/zoneminder-1.22.3-runlevel.patch
new file mode 100644
index 0000000..1887b88
--- /dev/null
+++ b/zoneminder-1.22.3-runlevel.patch
@@ -0,0 +1,10 @@
+--- scripts/zm.in.runlevel 2008-05-06 22:54:36.000000000 +0100
++++ scripts/zm.in 2008-05-06 23:01:35.000000000 +0100
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ # description: ZoneMinder is the top Linux video camera security and surveillance solution. ZoneMinder is intended for use in single or multi-camera video security applications.Copyright: Philip Coombes, Corey DeLasaux 2003-2006
+-# chkconfig: 2345 99 00
++# chkconfig: - 99 00
+ # processname: zmpkg.pl
+ 
+ # Source function library.
diff --git a/zoneminder-1.22.3-security.patch b/zoneminder-1.22.3-security.patch
new file mode 100644
index 0000000..159db46
--- /dev/null
+++ b/zoneminder-1.22.3-security.patch
@@ -0,0 +1,143 @@
+diff -ru ZoneMinder-1.22.3/web/zm_export_funcs.php ZoneMinder-1.22.3-fix/web/zm_export_funcs.php
+--- ZoneMinder-1.22.3/web/zm_export_funcs.php 2006-03-27 16:01:33.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_export_funcs.php 2008-04-28 10:07:32.000000000 -0500
+@@ -314,7 +314,7 @@
+ {
+ $archive = "temp/".$export_root.".tar.gz";
+ @unlink( $archive );
+- $command = "tar --create --gzip --file=$archive --files-from=$list_file";
++ $command = "tar --create --gzip --file=".escapeshellarg($archive)." --files-from=".escapeshellarg($list_file);
+ exec( $command, $output, $status );
+ if ( $status )
+ {
+@@ -329,7 +329,7 @@
+ $archive = "temp/zm_export.zip";
+ $archive = "temp/".$export_root.".zip";
+ @unlink( $archive );
+- $command = "cat $list_file | zip -q $archive -@";
++ $command = "cat ".escapeshellarg($list_file)." | zip -q ".escapeshellarg($archive)." -@";
+ exec( $command, $output, $status );
+ if ( $status )
+ {
+diff -ru ZoneMinder-1.22.3/web/zm_funcs.php ZoneMinder-1.22.3-fix/web/zm_funcs.php
+--- ZoneMinder-1.22.3/web/zm_funcs.php 2006-11-09 04:51:10.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_funcs.php 2008-04-28 10:16:17.000000000 -0500
+@@ -724,20 +724,20 @@
+ 
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+ 
+ function daemonControl( $command, $daemon=false, $args=false )
+ {
+- $string = ZM_PATH_BIN."/zmdc.pl $command";
++ $string = ZM_PATH_BIN."/zmdc.pl ".escapeshellarg( $command );
+ if ( $daemon )
+ {
+- $string .= " $daemon";
++ $string .= " ".escapeshellarg( $daemon );
+ if ( $args )
+ {
+- $string .= " $args";
++ $string .= " ".escapeshellarg( $args );
+ }
+ }
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+@@ -893,9 +893,9 @@
+ $string = ZM_PATH_BIN."/zmdc.pl check";
+ if ( $daemon )
+ {
+- $string .= " $daemon";
++ $string .= " ".escapeshellarg( $daemon );
+ if ( $args )
+- $string .= " $args";
++ $string .= " ".escapeshellarg( $args );
+ }
+ $result = exec( $string );
+ return( preg_match( '/running/', $result ) );
+@@ -973,7 +973,7 @@
+ {
+ if ( ZM_WEB_SCALE_THUMBS )
+ {
+- $command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet $fraction | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > $thumb_path";
++ $command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast ".escapeshellarg( $image_path )." | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet ".escapeshellarg( $fraction )." | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > ".escapeshellarg( $thumb_path );
+ exec( $command );
+ }
+ else
+@@ -1040,7 +1040,7 @@
+ $command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -s ".sprintf( "%.2f", ($scale/SCALE_BASE) );
+ if ( $overwrite )
+ $command .= " -o";
+- $result = exec( $command, $output, $status );
++ $result = exec( escapeshellcmd( $command ), $output, $status );
+ return( $status?"":rtrim($result) );
+ }
+ 
+@@ -1062,7 +1062,7 @@
+ 
+ function executeFilter( $filter )
+ {
+- $command = ZM_PATH_BIN."/zmfilter.pl --filter ".$filter;
++ $command = ZM_PATH_BIN."/zmfilter.pl --filter ".escapeshellarg( $filter );
+ $result = exec( $command, $output, $status );
+ $result = mysql_query( "delete from Filters where Name like '_TempFilter%'" );
+ if ( !$result )
+@@ -1882,13 +1882,7 @@
+ {
+ // Can't connect so use script
+ $command = ZM_PATH_BIN."/zmx10.pl --command $status --key $key";
+- //$command .= " 2>/dev/null >&- <&- >/dev/null";
+- $result = exec( $string );
+- if ( preg_match( '/^'.$key.'\s+(.*)/', $result, $matches ) )
+- $status = $matches[1];
+- else
+- $status = "unknown";
+- $x10_response = exec( escapeshellcmd( $x10_command ) );
++ $x10_response = exec( escapeshellcmd( $command ) );
+ }
+ if ( preg_match( '/^'.$key.'\s+(.*)/', $x10_response, $matches ) )
+ $status = $matches[1];
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_eventdetails.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_eventdetails.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_eventdetails.php 2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_eventdetails.php 2008-04-28 10:07:32.000000000 -0500
+@@ -75,7 +75,7 @@
+ $fraction = sprintf( "%.2f", $scale/100 );
+ if ( file_exists( $image_path ) )
+ {
+- $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++ $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($image_path)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ exec( $command );
+ }
+ }
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_event.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_event.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_event.php 2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_event.php 2008-04-28 10:07:32.000000000 -0500
+@@ -278,10 +278,9 @@
+ {
+ $anal_image = preg_replace( "/capture/", "analyse", $capt_image );
+ if ( file_exists( $anal_image ) )
+- $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $anal_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++ $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($anal_image)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ else
+- $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $capt_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
+- #exec( escapeshellcmd( $command ) );
++ $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($capt_image)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ exec( $command );
+ }
+ }
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_video.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_video.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_video.php 2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_video.php 2008-04-28 10:07:32.000000000 -0500
+@@ -102,7 +102,7 @@
+ $command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$video_format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -S ".$video_size;
+ if ( $overwrite )
+ $command .= " -o";
+- $generated = exec( $command, $output, $status );
++ $generated = exec( escapeshellcmd( $command ), $output, $status );
+ }
+ 
+ $video_files = array();
diff --git a/zoneminder.spec b/zoneminder.spec
index bebaafa..f2c1d3d 100644
--- a/zoneminder.spec
+++ b/zoneminder.spec
@@ -5,7 +5,7 @@
 Name: zoneminder
 Version: 1.22.3
-Release: 12%{?dist}
+Release: 14%{?dist}
 Summary: A camera monitoring and analysis tool
 Group: System Environment/Daemons
 License: GPLv2+
@@ -18,8 +18,10 @@ Source2: zoneminder.conf
 Source3: redalert.wav
 Source4: README.Fedora
 Patch1: zoneminder-1.22.3-dbinstall.patch
+Patch2: zoneminder-1.22.3-runlevel.patch
 Patch10: zoneminder-1.22.3-installfix.patch
 Patch11: zoneminder-1.22.3-gcc43.patch
+Patch12: zoneminder-1.22.3-security.patch
 Conflicts: zm <= 1.22.3
@@ -50,8 +52,10 @@ too much degradation of performance. This package includes cambozola.jar.
 %prep
 %setup -q -n ZoneMinder-%{version}
 %patch1 -p0 -b .dbinstall
+%patch2 -p0 -b .runlevel
 %patch10 -p0 -b .installfix
 %patch11 -p0 -b .gcc43
+%patch12 -p1 -b .security
 gunzip -c %{SOURCE1} | tar xf - cambozola-*/dist/cambozola.jar
 cp %{SOURCE4} README.Fedora
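Review bot: In zoneminder-1.22.3-security.patch, the zm_funcs.php hunks at 1040 and 1882 and the zm_xhtml_view_video.php hunk at 102 wrap the finished command string in `escapeshellcmd()` instead of quoting each value, so they are weaker than the `escapeshellarg()` hunks around them. `escapeshellcmd()` neutralises shell metacharacters but leaves whitespace alone, so a value that contains spaces is still split into extra arguments for zmvideo.pl or zmx10.pl. Quote each value where it is appended, e.g. `$command = ZM_PATH_BIN."/zmx10.pl --command ".escapeshellarg( $status )." --key ".escapeshellarg( $key );` and `" -f ".escapeshellarg( $format )`, and pass `$key` through `preg_quote( $key, '/' )` before it is spliced into the `preg_match()` pattern. Whether `$status`, `$key`, `$format` and `$video_size` come from the request is not visible here, because the enclosing functions start and end outside these hunks.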
@@ -167,6 +171,12 @@ fi
 %changelog
+* Tue May 6 2008 Martin Ebourne - 1.22.3-14
+- Remove default runlevel, bz #441315
+
+* Wed Apr 30 2008 Martin Ebourne - 1.22.3-13
+- Patch for CVE-2008-1381
+
 * Tue Feb 19 2008 Fedora Release Engineering - 1.22.3-12
 - Autorebuild for GCC 4.3