zabbix: fix CVE-2023-32726 and CVE-2023-32727

CVE-2023-32726:
The vulnerability is caused by improper check for check
if RDLENGTH does not overflow the buffer in response
from DNS server.

CVE-2023-32727:
An attacker who has the privilege to configure Zabbix
items can use function icmpping() with additional
malicious command inside it to execute arbitrary code
on the current Zabbix server.

Refernces:
https://nvd.nist.gov/vuln/detail/CVE-2023-32726
https://security-tracker.debian.org/tracker/CVE-2023-32726
https://nvd.nist.gov/vuln/detail/CVE-2023-32727
https://security-tracker.debian.org/tracker/CVE-2023-32727

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

4 files changed, 405 insertions, 0 deletions

diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch
new file mode 100644
index 0000000000..b9c37bc045
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch
@@ -0,0 +1,160 @@
+From 53ef2b7119f57f4140e6bd9c5cd2d3c6af228179 Mon Sep 17 00:00:00 2001
+From: Armands Arseniuss Skolmeisters <armands.skolmeisters@zabbix.com>
+Date: Thu, 11 Jan 2024 12:00:24 +0000
+Subject: [PATCH] ...G...... [DEV-2702] fixed buffer overread in DNS response
+
+* commit '893902999ab7f0b15cce91e8555cb251b32b6df4':
+ ...G...... [DEV-2702] fixed DNS record data length check
+ ...G...... [DEV-2702] improved DNS error messages
+ ...G...... [DEV-2702] fixed DNS error messages
+ ...G...... [DEV-2702] improved DNS error messages
+ ...G...... [DEV-2702] fixed buffer overread in DNS response
+
+CVE: CVE-2023-32726
+Upstream-Status: Backport [https://github.com/zabbix/zabbix/commit/53ef2b7119f57f4140e6bd9c5cd2d3c6af228179]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxsysinfo/common/dns.c | 65 +++++++++++++++++++++++++++-----
+ 1 file changed, 56 insertions(+), 9 deletions(-)
+
+diff --git a/src/libs/zbxsysinfo/common/dns.c b/src/libs/zbxsysinfo/common/dns.c
+index e8938d8..bf456f2 100644
+--- a/src/libs/zbxsysinfo/common/dns.c
++++ b/src/libs/zbxsysinfo/common/dns.c
+@@ -638,7 +638,8 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+	{
+		if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))
+		{
+-			SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++			SET_MSG_RESULT(result, zbx_strdup(NULL,
++					"Cannot decode DNS response: cannot expand domain name."));
+			ret = SYSINFO_RET_FAIL;
+			goto clean;
+		}
+@@ -651,6 +652,13 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+		GETSHORT(q_len, msg_ptr);
+		offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %-8s", decode_type(q_type));
+
++		if (msg_ptr + q_len > msg_end)
++		{
++			SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response: record overflow."));
++			ret = SYSINFO_RET_FAIL;
++			goto clean;
++		}
++
+		switch (q_type)
+		{
+			case T_A:
+@@ -695,8 +703,40 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+			case T_PTR:
+				if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++#define ERR_MSG_PREFIX	"Cannot decode DNS response: cannot expand "
++					const char	*err_msg = NULL;
++
++					switch (q_type)
++					{
++						case T_NS:
++							err_msg = ERR_MSG_PREFIX "name server name.";
++							break;
++						case T_CNAME:
++							err_msg = ERR_MSG_PREFIX "canonical name.";
++							break;
++						case T_MB:
++							err_msg = ERR_MSG_PREFIX "mailbox name.";
++							break;
++						case T_MD:
++							err_msg = ERR_MSG_PREFIX "mail destination name.";
++							break;
++						case T_MF:
++							err_msg = ERR_MSG_PREFIX "mail forwarder name.";
++							break;
++						case T_MG:
++							err_msg = ERR_MSG_PREFIX "mail group name.";
++							break;
++						case T_MR:
++							err_msg = ERR_MSG_PREFIX "renamed mailbox name.";
++							break;
++						case T_PTR:
++							err_msg = ERR_MSG_PREFIX "PTR name.";
++							break;
++					}
++
++					SET_MSG_RESULT(result, zbx_strdup(NULL, err_msg));
+					return SYSINFO_RET_FAIL;
++#undef ERR_MSG_PREFIX
+				}
+				offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+				break;
+@@ -706,7 +746,8 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+
+				if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))	/* exchange */
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++							" cannot expand mail exchange name."));
+					return SYSINFO_RET_FAIL;
+				}
+				offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+@@ -715,14 +756,16 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+			case T_SOA:
+				if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))	/* source host */
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++							" cannot expand source nameserver name."));
+					return SYSINFO_RET_FAIL;
+				}
+				offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+
+				if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))	/* administrator */
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++							" cannot expand administrator mailbox name."));
+					return SYSINFO_RET_FAIL;
+				}
+				offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+@@ -750,7 +793,8 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+			case T_WKS:
+				if (INT32SZ + 1 > q_len)
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++							" malformed WKS resource record."));
+					return SYSINFO_RET_FAIL;
+				}
+
+@@ -816,14 +860,16 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+			case T_MINFO:
+				if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))	/* mailbox responsible for mailing lists */
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++							" cannot expand mailbox responsible for mailing lists."));
+					return SYSINFO_RET_FAIL;
+				}
+				offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+
+				if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))	/* mailbox for error messages */
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++							" cannot expand mailbox for error messages."));
+					return SYSINFO_RET_FAIL;
+				}
+				offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+@@ -854,7 +900,8 @@ static int	dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans
+
+				if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr)))	/* target */
+				{
+-					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response."));
++					SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:"
++							" cannot expand service target hostname."));
+					return SYSINFO_RET_FAIL;
+				}
+				offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name);
+--
+2.40.0
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch
new file mode 100644
index 0000000000..5c1e0c5af6
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch
@@ -0,0 +1,193 @@
+From 93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 Mon Sep 17 00:00:00 2001
+From: Andris Zeila <andris.zeila@zabbix.com>
+Date: Fri, 12 Jan 2024 05:48:31 +0000
+Subject: [PATCH] .......PS. [DEV-2695] changed fping tests to read address
+ from file
+
+Merge in ZBX/zabbix from feature/DEV-2695-6.0 to release/6.0
+
+* commit '6603893ff94620e28fc543d5d0d4c86b9be3342e':
+  .......PS. [DEV-2695] fixed signal blocking
+  .......PS. [DEV-2695] added target hostname/ip validation in fping feature tests
+  .......PS. [DEV-2695] added error messages when failed to prepare temporary file for fping tests
+  .......PS. [DEV-2695] changed fping tests to read address from file
+
+CVE: CVE-2023-32727
+Upstream-Status: BAckport [https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxicmpping/icmpping.c | 125 ++++++++++++++++++++++++++++----
+ 1 file changed, 112 insertions(+), 13 deletions(-)
+
+diff --git a/src/libs/zbxicmpping/icmpping.c b/src/libs/zbxicmpping/icmpping.c
+index 72f7e86..9a751b7 100644
+--- a/src/libs/zbxicmpping/icmpping.c
++++ b/src/libs/zbxicmpping/icmpping.c
+@@ -59,6 +59,8 @@ static void	get_source_ip_option(const char *fping, const char **option, unsigne
+
+	zbx_snprintf(tmp, sizeof(tmp), "%s -h 2>&1", fping);
+
++	zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp);
++
+	if (NULL == (f = popen(tmp, "r")))
+		return;
+
+@@ -85,6 +87,110 @@ static void	get_source_ip_option(const char *fping, const char **option, unsigne
+	*checked = 1;
+ }
+
++/******************************************************************************
++ *                                                                            *
++ * Purpose: execute external program and return stdout and stderr values      *
++ *                                                                            *
++ * Parameters: fping         - [IN] location of fping program                 *
++ *             out           - [OUT] stdout and stderr values                 *
++ *             error         - [OUT] error string if function fails           *
++ *             max_error_len - [IN] length of error buffer                    *
++ *                                                                            *
++ * Return value: SUCCEED if processed successfully or FAIL otherwise          *
++ *                                                                            *
++ ******************************************************************************/
++static int	get_fping_out(const char *fping, const char *address, char **out, char *error, size_t max_error_len)
++{
++	FILE		*f;
++	size_t		buf_size = 0, offset = 0, len;
++	ssize_t		n;
++	char		tmp[MAX_STRING_LEN], *buffer = NULL;
++	int		ret = FAIL, fd;
++	sigset_t	mask, orig_mask;
++	char		filename[MAX_STRING_LEN];
++
++	if (FAIL == zbx_validate_hostname(address) && FAIL == is_supported_ip(address))
++	{
++		zbx_strlcpy(error, "Invalid host name or IP address", max_error_len);
++		return FAIL;
++	}
++
++	zbx_snprintf(filename, sizeof(filename), "%s/%s_XXXXXX", CONFIG_TMPDIR, progname);
++	if (-1 == (fd = mkstemp(filename)))
++	{
++		zbx_snprintf(error, max_error_len, "Cannot create temporary file \"%s\": %s", filename,
++				zbx_strerror(errno));
++
++		return FAIL;
++	}
++
++	sigemptyset(&mask);
++	sigaddset(&mask, SIGINT);
++	sigaddset(&mask, SIGQUIT);
++
++	len = strlen(address);
++	if (-1 == (n = write(fd, address, len)))
++	{
++		zbx_snprintf(error, max_error_len, "Cannot write address into temporary file: %s", zbx_strerror(errno));
++		(void)close(fd);
++		goto out;
++	}
++
++	if (n != (ssize_t)len)
++	{
++		zbx_strlcpy(error, "Cannot write full address into temporary file", max_error_len);
++		(void)close(fd);
++		goto out;
++	}
++
++	if (-1 == close(fd))
++	{
++		zbx_snprintf(error, max_error_len, "Cannot close temporary file: %s", zbx_strerror(errno));
++		goto out;
++	}
++
++	zbx_snprintf(tmp, sizeof(tmp), "%s 2>&1 < %s", fping, filename);
++
++	if (0 > sigprocmask(SIG_BLOCK, &mask, &orig_mask))
++		zbx_error("cannot set sigprocmask to block the user signal");
++
++	zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp);
++
++	if (NULL == (f = popen(tmp, "r")))
++	{
++		zbx_strlcpy(error, zbx_strerror(errno), max_error_len);
++		goto out;
++	}
++
++	while (NULL != zbx_fgets(tmp, sizeof(tmp), f))
++	{
++		len = strlen(tmp);
++
++		if (MAX_EXECUTE_OUTPUT_LEN < offset + len)
++			break;
++
++		zbx_strncpy_alloc(&buffer, &buf_size, &offset, tmp, len);
++	}
++
++	pclose(f);
++
++	if (NULL == buffer)
++	{
++		zbx_strlcpy(error, "Cannot obtain the program output", max_error_len);
++		goto out;
++	}
++
++	*out = buffer;
++	ret = SUCCEED;
++out:
++	unlink(filename);
++
++	if (0 > sigprocmask(SIG_SETMASK, &orig_mask, NULL))
++		zbx_error("cannot restore sigprocmask");
++
++	return ret;
++}
++
+ /******************************************************************************
+  *                                                                            *
+  * Function: get_interval_option                                              *
+@@ -137,19 +243,12 @@ static int	get_interval_option(const char *fping, ZBX_FPING_HOST *hosts, int hos
+
+			zabbix_log(LOG_LEVEL_DEBUG, "testing fping interval %u ms", intervals[j]);
+
+-			zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst);
++			zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]);
+
+			zbx_free(out);
+
+			/* call fping, ignore its exit code but mind execution failures */
+-			if (TIMEOUT_ERROR == (ret_exec = zbx_execute(tmp, &out, err, sizeof(err), 1,
+-					ZBX_EXIT_CODE_CHECKS_DISABLED, NULL)))
+-			{
+-				zbx_snprintf(error, max_error_len, "Timeout while executing \"%s\"", tmp);
+-				goto out;
+-			}
+-
+-			if (FAIL == ret_exec)
++			if (SUCCEED != (ret_exec = get_fping_out(tmp, dst, &out, err, sizeof(err))))
+			{
+				zbx_snprintf(error, max_error_len, "Cannot execute \"%s\": %s", tmp, err);
+				goto out;
+@@ -251,10 +350,10 @@ static int	get_ipv6_support(const char * fping, const char *dst)
+	int	ret;
+	char	tmp[MAX_STRING_LEN], error[255], *out = NULL;
+
+-	zbx_snprintf(tmp, sizeof(tmp), "%s -6 -c1 -t50 %s", fping, dst);
++	zbx_snprintf(tmp, sizeof(tmp), "%s -6 -c1 -t50", fping);
+
+-	if ((SUCCEED == (ret = zbx_execute(tmp, &out, error, sizeof(error), 1, ZBX_EXIT_CODE_CHECKS_DISABLED, NULL)) &&
+-				ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst)) || TIMEOUT_ERROR == ret)
++	if (SUCCEED == (ret = get_fping_out(tmp, dst, &out, error, sizeof(error)) &&
++				ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst)))
+	{
+		ret = SUCCEED;
+	}
+@@ -538,7 +637,7 @@ static int	process_ping(ZBX_FPING_HOST *hosts, int hosts_count, int count, int i
+
+	fclose(f);
+
+-	zabbix_log(LOG_LEVEL_DEBUG, "%s", tmp);
++	zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp);
+
+	sigemptyset(&mask);
+	sigaddset(&mask, SIGINT);
+--
+2.40.0
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch
new file mode 100644
index 0000000000..aabc675b6a
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch
@@ -0,0 +1,49 @@
+From 610f9fdbb86667f4094972547deb936c6cdfc6d5 Mon Sep 17 00:00:00 2001
+From: Andris Zeila <andris.zeila@zabbix.com>
+Date: Fri, 12 Jan 2024 06:06:02 +0000
+Subject: [PATCH] .......PS. [DEV-2695] removed group/all access flags for
+ fping temporary files
+
+Merge in ZBX/zabbix from feature/DEV-2695-6.5 to master
+
+* commit 'cf07db1d5c2b8fe4a9de85fed22cf05035e08914':
+  .......PS. [DEV-2695] remove group/all access flags when creating fping input file for testing fping features
+
+(cherry picked from commit cd12f0a2d89c3ef05f0e9f50dcb73fdaf3a7e8a9)
+
+CVE: CVE-2023-32727
+Upstream_Status: Backport [https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxicmpping/icmpping.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/libs/zbxicmpping/icmpping.c b/src/libs/zbxicmpping/icmpping.c
+index 9a751b7..bab3d09 100644
+--- a/src/libs/zbxicmpping/icmpping.c
++++ b/src/libs/zbxicmpping/icmpping.c
+@@ -108,6 +108,7 @@ static int	get_fping_out(const char *fping, const char *address, char **out, cha
+	int		ret = FAIL, fd;
+	sigset_t	mask, orig_mask;
+	char		filename[MAX_STRING_LEN];
++	mode_t		mode;
+
+	if (FAIL == zbx_validate_hostname(address) && FAIL == is_supported_ip(address))
+	{
+@@ -116,7 +117,12 @@ static int	get_fping_out(const char *fping, const char *address, char **out, cha
+	}
+
+	zbx_snprintf(filename, sizeof(filename), "%s/%s_XXXXXX", CONFIG_TMPDIR, progname);
+-	if (-1 == (fd = mkstemp(filename)))
++
++	mode = umask(077);
++	fd = mkstemp(filename);
++	umask(mode);
++
++	if (-1 == fd)
+	{
+		zbx_snprintf(error, max_error_len, "Cannot create temporary file \"%s\": %s", filename,
+				zbx_strerror(errno));
+--
+2.40.0
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
index 9bed74b214..2793f0ca5f 100644
--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@@ -31,6 +31,9 @@ SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz
     file://CVE-2023-29451.patch \
     file://CVE-2023-29449.patch \
     file://CVE-2023-29450.patch \
+    file://CVE-2023-32726.patch \
+    file://CVE-2023-32727_0001.patch \
+    file://CVE-2023-32727_0002.patch \
 "
 
 SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"