CVE-2017-5595 (rhbz#1419509)

zoneminder-1.28.1-cve-2017-5595.patch

@@ -0,0 +1,116 @@
+diff -uNr ZoneMinder-1.28.1.orig/web/views/file.php ZoneMinder-1.28.1/web/views/file.php
+--- ZoneMinder-1.28.1.orig/web/views/file.php	2015-02-04 21:52:37.000000000 -0500
++++ ZoneMinder-1.28.1/web/views/file.php	1969-12-31 19:00:00.000000000 -0500
+@@ -1,56 +0,0 @@
+-<?php
+-//
+-// ZoneMinder file view file, $Date: 2008-09-29 14:15:13 +0100 (Mon, 29 Sep 2008) $, $Revision: 2640 $
+-// Copyright (C) 2001-2008 Philip Coombes
+-//
+-// This program is free software; you can redistribute it and/or
+-// modify it under the terms of the GNU General Public License
+-// as published by the Free Software Foundation; either version 2
+-// of the License, or (at your option) any later version.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License
+-// along with this program; if not, write to the Free Software
+-// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+-//
+-
+-if ( !canView( 'Events' ) )
+-{
+-    $view = "error";
+-    return;
+-}
+-
+-if ( empty($_REQUEST['path']) )
+-{
+-    $errorText = "No path given to file.php";
+-}
+-else
+-{
+-    $path = $_REQUEST['path'];
+-    if ( !empty($user['MonitorIds']) )
+-    {
+-        $fileOk = false;
+-        $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
+-        foreach ( preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) as $monId )
+-        {
+-            if ( $pathMonId == $monId )
+-            {
+-                $fileOk = true;
+-                break;
+-            }
+-        }
+-        if ( !$fileOk )
+-            $errorText = "No permissions to view file '$path'";
+-    }
+-}
+-
+-// Simple version
+-if ( $errorText )
+-    Error( $errorText );
+-else
+-    readfile( ZM_DIR_EVENTS.'/'.$path );
+-?>
+diff -uNr ZoneMinder-1.28.1.orig/web/views/image.php ZoneMinder-1.28.1/web/views/image.php
+--- ZoneMinder-1.28.1.orig/web/views/image.php	2015-02-04 21:52:37.000000000 -0500
++++ ZoneMinder-1.28.1/web/views/image.php	2017-02-07 21:12:51.315376682 -0500
+@@ -30,24 +30,26 @@
+ if ( empty($_REQUEST['path']) )
+ {
+     $errorText = "No image path";
+-}
+-else
+-{
+-    $path = $_REQUEST['path'];
+-    if ( !empty($user['MonitorIds']) )
+-    {
+-        $imageOk = false;
+-        $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
+-        foreach ( preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) as $monId )
+-        {
+-            if ( $pathMonId == $monId )
+-            {
+-                $imageOk = true;
+-                break;
++} else {
++    $dir_events = realpath(ZM_DIR_EVENTS);
++    $path = realpath($dir_events . '/' . $_REQUEST['path']);
++    $pos = strpos($path, $dir_events);
++
++    if($pos == 0 && $pos !== false) {
++        if ( !empty($user['MonitorIds']) ) {
++            $imageOk = false;
++            $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
++            foreach ( preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) as $monId ) {
++                if ( $pathMonId == $monId ) {
++                    $imageOk = true;
++                    break;
++		}
+             }
++            if ( !$imageOk )
++                $errorText = "No image permissions";
+         }
+-        if ( !$imageOk )
+-            $errorText = "No image permissions";
++    } else {
++            $errorText = "Invalid image path";
+     }
+ }
+ 
+diff -uNr ZoneMinder-1.28.1.orig/web/views/Makefile.am ZoneMinder-1.28.1/web/views/Makefile.am
+--- ZoneMinder-1.28.1.orig/web/views/Makefile.am	2015-02-04 21:52:37.000000000 -0500
++++ ZoneMinder-1.28.1/web/views/Makefile.am	2017-02-07 21:03:29.653105953 -0500
+@@ -2,5 +2,4 @@
+ 
+ webdir = @WEB_PREFIX@/views
+ 
+-dist_web_DATA = file.php \
+-	image.php
++dist_web_DATA = image.php

zoneminder.spec

@@ -5,7 +5,7 @@
 
 Name:       zoneminder
 Version:    1.28.1
-Release:    6%{?dist}
+Release:    8%{?dist}
 Summary:    A camera monitoring and analysis tool
 Group:      System Environment/Daemons
 # jscalendar is LGPL (any version):  http://www.dynarch.com/projects/calendar/
@@ -25,6 +25,7 @@ Source7:    zoneminder.logrotate
 # with zoneminder.  As these are javascript, there is no guideline violation
 # here.
 #Source8:    http://mootools.net/download/get/mootools-1.2.3-core-yc.js
+Patch1:     zoneminder-1.28.1-cve-2017-5595.patch
 Patch2:     zoneminder-1.28.1-runlevel.patch
 Patch3:     zoneminder-1.28.1-noffmpeg.patch
 Patch11:    zoneminder-1.28.1-gcc47.patch
@@ -49,7 +50,10 @@ BuildRequires:  perl(Sys::Mmap)
 BuildRequires:  perl(Sys::Syslog)
 BuildRequires:  perl(Time::HiRes)
 
-Requires:   httpd php php-mysql cambozola
+Requires:   httpd
+Requires:   php
+Requires:   php-mysqli
+Requires:   cambozola
 Requires:   perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Requires:   perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip)
 Requires:   perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP)
@@ -80,6 +84,7 @@ mv *html *php doc/* README ../jscalendar-doc
 rmdir doc
 popd
 
+%patch1 -p1 -b .cve-2017-5595
 %patch2 -p1 -b .runlevel
 %patch3 -p1 -b .noffmpeg
 %patch11 -p1 -b .gcc47
@@ -247,6 +252,12 @@ fi
 
 
 %changelog
+* Tue Feb  7 2017 Charles R. Anderson <cra@wpi.edu> - 1.28.1-8
+- CVE-2017-5595 (rhbz#1419509)
+
+* Fri Jan  6 2017 Charles R. Anderson <cra@wpi.edu> - 1.28.1-7
+- Change Requires php-mysql --> php-mysqli
+
 * Mon May 16 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1.28.1-6
 - Perl 5.24 rebuild