From 353e152a3464eb2998d89bd75c6105d9736e9607 Mon Sep 17 00:00:00 2001
From: Jesse Keating
Date: Sat, 19 Apr 2008 18:45:52 +0000
Subject: [PATCH 1/5] Initialize branch F-9 for zoneminder
---
branch | 1 +
1 file changed, 1 insertion(+)
create mode 100644 branch
diff --git a/branch b/branch
new file mode 100644
index 0000000..1c26f78
--- /dev/null
+++ b/branch
@@ -0,0 +1 @@
+F-9
From 81ce2342986a007bc7c753c17e559b76ed62b5f2 Mon Sep 17 00:00:00 2001
From: mebourne
Date: Tue, 29 Apr 2008 23:21:56 +0000
Subject: [PATCH 2/5] - Patch for CVE-2008-1381
---
zoneminder-1.22.3-security.patch | 143 +++++++++++++++++++++++++++++++
zoneminder.spec | 7 +-
2 files changed, 149 insertions(+), 1 deletion(-)
create mode 100644 zoneminder-1.22.3-security.patch
diff --git a/zoneminder-1.22.3-security.patch b/zoneminder-1.22.3-security.patch
new file mode 100644
index 0000000..159db46
--- /dev/null
+++ b/zoneminder-1.22.3-security.patch
@@ -0,0 +1,143 @@
+diff -ru ZoneMinder-1.22.3/web/zm_export_funcs.php ZoneMinder-1.22.3-fix/web/zm_export_funcs.php
+--- ZoneMinder-1.22.3/web/zm_export_funcs.php 2006-03-27 16:01:33.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_export_funcs.php 2008-04-28 10:07:32.000000000 -0500
+@@ -314,7 +314,7 @@
+ {
+ $archive = "temp/".$export_root.".tar.gz";
+ @unlink( $archive );
+- $command = "tar --create --gzip --file=$archive --files-from=$list_file";
++ $command = "tar --create --gzip --file=".escapeshellarg($archive)." --files-from=".escapeshellarg($list_file);
+ exec( $command, $output, $status );
+ if ( $status )
+ {
+@@ -329,7 +329,7 @@
+ $archive = "temp/zm_export.zip";
+ $archive = "temp/".$export_root.".zip";
+ @unlink( $archive );
+- $command = "cat $list_file | zip -q $archive -@";
++ $command = "cat ".escapeshellarg($list_file)." | zip -q ".escapeshellarg($archive)." -@";
+ exec( $command, $output, $status );
+ if ( $status )
+ {
+diff -ru ZoneMinder-1.22.3/web/zm_funcs.php ZoneMinder-1.22.3-fix/web/zm_funcs.php
+--- ZoneMinder-1.22.3/web/zm_funcs.php 2006-11-09 04:51:10.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_funcs.php 2008-04-28 10:16:17.000000000 -0500
+@@ -724,20 +724,20 @@
+
+ function packageControl( $command )
+ {
+- $string = ZM_PATH_BIN."/zmpkg.pl $command";
++ $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+ exec( $string );
+ }
+
+ function daemonControl( $command, $daemon=false, $args=false )
+ {
+- $string = ZM_PATH_BIN."/zmdc.pl $command";
++ $string = ZM_PATH_BIN."/zmdc.pl ".escapeshellarg( $command );
+ if ( $daemon )
+ {
+- $string .= " $daemon";
++ $string .= " ".escapeshellarg( $daemon );
+ if ( $args )
+ {
+- $string .= " $args";
++ $string .= " ".escapeshellarg( $args );
+ }
+ }
+ $string .= " 2>/dev/null >&- <&- >/dev/null";
+@@ -893,9 +893,9 @@
+ $string = ZM_PATH_BIN."/zmdc.pl check";
+ if ( $daemon )
+ {
+- $string .= " $daemon";
++ $string .= "
".escapeshellarg( $daemon );
+ if ( $args )
+- $string .= " $args";
++ $string .= " ".escapeshellarg( $args );
+ }
+ $result = exec( $string );
+ return( preg_match( '/running/', $result ) );
+@@ -973,7 +973,7 @@
+ {
+ if ( ZM_WEB_SCALE_THUMBS )
+ {
+- $command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet $fraction | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > $thumb_path";
++ $command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast ".escapeshellarg( $image_path )." | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet ".escapeshellarg( $fraction )." | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > ".escapeshellarg( $thumb_path );
+ exec( $command );
+ }
+ else
+@@ -1040,7 +1040,7 @@
+ $command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -s ".sprintf( "%.2f", ($scale/SCALE_BASE) );
+ if ( $overwrite )
+ $command .= " -o";
+- $result = exec( $command, $output, $status );
++ $result = exec( escapeshellcmd( $command ), $output, $status );
+ return( $status?"":rtrim($result) );
+ }
+
+@@ -1062,7 +1062,7 @@
+
+ function executeFilter( $filter )
+ {
+- $command = ZM_PATH_BIN."/zmfilter.pl --filter ".$filter;
++ $command = ZM_PATH_BIN."/zmfilter.pl --filter ".escapeshellarg( $filter );
+ $result = exec( $command, $output, $status );
+ $result = mysql_query( "delete from Filters where Name like '_TempFilter%'" );
+ if ( !$result )
+@@ -1882,13 +1882,7 @@
+ {
+ // Can't connect so use script
+ $command = ZM_PATH_BIN."/zmx10.pl --command $status --key $key";
+- //$command .= " 2>/dev/null >&- <&- >/dev/null";
+- $result = exec( $string );
+- if ( preg_match( '/^'.$key.'\s+(.*)/', $result, $matches ) )
+- $status = $matches[1];
+- else
+- $status = "unknown";
+- $x10_response = exec( escapeshellcmd( $x10_command ) );
++ $x10_response = exec( escapeshellcmd( $command ) );
+ }
+ if ( preg_match( '/^'.$key.'\s+(.*)/', $x10_response, $matches ) )
+ $status = $matches[1];
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_eventdetails.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_eventdetails.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_eventdetails.php 2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_eventdetails.php 2008-04-28 10:07:32.000000000 -0500
+@@ -75,7 +75,7 @@
+ $fraction = sprintf( "%.2f", $scale/100 );
+ if ( file_exists( $image_path ) )
+ {
+- $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++ $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($image_path)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ exec( $command );
+ }
+ }
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_event.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_event.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_event.php 2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_event.php 2008-04-28 10:07:32.000000000 -0500
+@@ -278,10 +278,9 @@
+ {
+ $anal_image = preg_replace( "/capture/", "analyse", $capt_image );
+ if ( file_exists( $anal_image ) )
+- $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $anal_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++ $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($anal_image)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ else
+- $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $capt_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
+- #exec( escapeshellcmd( $command ) );
++ $command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($capt_image)."
| ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image); + exec( $command ); + } + } +diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_video.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_video.php +--- ZoneMinder-1.22.3/web/zm_xhtml_view_video.php 2006-11-09 05:48:56.000000000 -0600 ++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_video.php 2008-04-28 10:07:32.000000000 -0500 +@@ -102,7 +102,7 @@ + $command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$video_format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -S ".$video_size; + if ( $overwrite ) + $command .= " -o"; +- $generated = exec( $command, $output, $status ); ++ $generated = exec( escapeshellcmd( $command ), $output, $status ); + } + + $video_files = array(); diff --git a/zoneminder.spec b/zoneminder.spec index bebaafa..e5c966d 100644 --- a/zoneminder.spec +++ b/zoneminder.spec @@ -5,7 +5,7 @@ Name: zoneminder Version: 1.22.3 -Release: 12%{?dist} +Release: 13%{?dist} Summary: A camera monitoring and analysis tool Group: System Environment/Daemons License: GPLv2+ @@ -20,6 +20,7 @@ Source4: README.Fedora Patch1: zoneminder-1.22.3-dbinstall.patch Patch10: zoneminder-1.22.3-installfix.patch Patch11: zoneminder-1.22.3-gcc43.patch +Patch12: zoneminder-1.22.3-security.patch Conflicts: zm <= 1.22.3 @@ -52,6 +53,7 @@ too much degradation of performance. This package includes cambozola.jar. %patch1 -p0 -b .dbinstall %patch10 -p0 -b .installfix %patch11 -p0 -b .gcc43 +%patch12 -p1 -b .security gunzip -c %{SOURCE1} | tar xf - cambozola-*/dist/cambozola.jar cp %{SOURCE4} README.Fedora @@ -167,6 +169,9 @@ fi %changelog +* Wed Apr 30 2008 Martin Ebourne - 1.22.3-13 +- Patch for CVE-2008-1381 + * Tue Feb 19 2008 Fedora Release Engineering - 1.22.3-12 - Autorebuild for GCC 4.3 From 089ea055fc91fd8c3f477ce4972eb33fc9d6d767 Mon Sep 17 00:00:00 2001 
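Review bot: `escapeshellcmd()` over the finished command string, as in the createVideo hunk of web/zm_funcs.php (`exec( escapeshellcmd( $command ), $output, $status )`) and likewise in the zmx10.pl fallback and in web/zm_xhtml_view_video.php, escapes shell metacharacters but not whitespace, so a value concatenated into `$command` (`$format`, `$video_format`, `$video_size`, `$status`, `$key`) can still split into extra arguments or options for the Perl script. The other hunks of this patch quote each value with `escapeshellarg()` where the string is built, and these three sites should do the same, e.g. `" -f ".escapeshellarg( $format )` and `" --command ".escapeshellarg( $status )." --key ".escapeshellarg( $key )`, after which the plain `exec( $command, ... )` call can stay. Whether these variables are request-controlled cannot be seen from the hunks, because the enclosing functions start and end outside them; if they are, an allow-list check on the format and size values would be stronger still.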
From: mebourne Date: Tue, 6 May 2008 22:08:03 +0000 Subject: [PATCH 3/5] - Remove default runlevel, bz #441315 --- zoneminder-1.22.3-runlevel.patch | 10 ++++++++++ zoneminder.spec | 7 ++++++- 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 zoneminder-1.22.3-runlevel.patch diff --git a/zoneminder-1.22.3-runlevel.patch b/zoneminder-1.22.3-runlevel.patch new file mode 100644 index 0000000..1887b88 --- /dev/null +++ b/zoneminder-1.22.3-runlevel.patch @@ -0,0 +1,10 @@ +--- scripts/zm.in.runlevel 2008-05-06 22:54:36.000000000 +0100 ++++ scripts/zm.in 2008-05-06 23:01:35.000000000 +0100 +@@ -1,6 +1,6 @@ + #!/bin/sh + # description: ZoneMinder is the top Linux video camera security and surveillance solution. ZoneMinder is intended for use in single or multi-camera video security applications.Copyright: Philip Coombes, Corey DeLasaux 2003-2006 +-# chkconfig: 2345 99 00 ++# chkconfig: - 99 00 + # processname: zmpkg.pl + + # Source function library. diff --git a/zoneminder.spec b/zoneminder.spec index e5c966d..f2c1d3d 100644 --- a/zoneminder.spec +++ b/zoneminder.spec @@ -5,7 +5,7 @@ Name: zoneminder Version: 1.22.3 -Release: 13%{?dist} +Release: 14%{?dist} Summary: A camera monitoring and analysis tool Group: System Environment/Daemons License: GPLv2+ @@ -18,6 +18,7 @@ Source2: zoneminder.conf Source3: redalert.wav Source4: README.Fedora Patch1: zoneminder-1.22.3-dbinstall.patch +Patch2: zoneminder-1.22.3-runlevel.patch Patch10: zoneminder-1.22.3-installfix.patch Patch11: zoneminder-1.22.3-gcc43.patch Patch12: zoneminder-1.22.3-security.patch @@ -51,6 +52,7 @@ too much degradation of performance. This package includes cambozola.jar. %prep %setup -q -n ZoneMinder-%{version} %patch1 -p0 -b .dbinstall +%patch2 -p0 -b .runlevel %patch10 -p0 -b .installfix %patch11 -p0 -b .gcc43 %patch12 -p1 -b .security 
@@ -169,6 +171,9 @@ fi %changelog +* Tue May 6 2008 Martin Ebourne - 1.22.3-14 +- Remove default runlevel, bz #441315 + * Wed Apr 30 2008 Martin Ebourne - 1.22.3-13 - Patch for CVE-2008-1381 From 607e5400f559d13613e0bf36383dbc5c66556e60 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Thu, 26 Nov 2009 01:08:58 +0000 Subject: [PATCH 4/5] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 537d8ee..d82be1e 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ # Makefile for source rpm: zoneminder -# $Id$ +# $Id: Makefile,v 1.1 2007/06/28 20:07:46 kevin Exp $ NAME := zoneminder SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 1d49d8ed7f29a484f0731e4a434118e7c955042e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 16:32:38 +0000 Subject: [PATCH 5/5] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- branch | 1 - 3 files changed, 22 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 branch diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index d82be1e..0000000 --- a/Makefile +++ /dev/null 
@@ -1,21 +0,0 @@
-# Makefile for source rpm: zoneminder
-# $Id: Makefile,v 1.1 2007/06/28 20:07:46 kevin Exp $
-NAME := zoneminder
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/branch b/branch
deleted file mode 100644
index 1c26f78..0000000
--- a/branch
+++ /dev/null
@@ -1 +0,0 @@
-F-9