zabbix: fix CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain
access to the file system (read-only access on behalf of user
"zabbix") on the Zabbix Server or Zabbix Proxy, potentially
leading to unauthorized access to sensitive data.

Reference:
https://support.zabbix.com/browse/ZBX-22588

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch

@@ -0,0 +1,241 @@
+From 76f6a80cb3d6131e9c3e98918305c1bf1805fa2a Mon Sep 17 00:00:00 2001
+From: Vladislavs Sokurenko <vladislavs.sokurenko@zabbix.com>
+Date: Thu, 27 Jul 2023 12:43:02 +0000
+Subject: [PATCH] ...G...PS. [DEV-2429] fixed unauthorised file system access
+ when using cURL
+
+Merge in ZBX/zabbix from feature/DEV-2429-6.0 to release/6.0
+
+* commit 'abf345230ee185d61cc0bd70d432fa4b093b8a53':
+  ...G...PS. [DEV-2429] fixed unautorized file system access when using curl
+  .......PS. [DEV-2429] fixed unautorized file system access in JS preprocessing
+
+CVE: CVE-2023-29450
+
+Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/76f6a80cb3d]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/libs/zbxembed/httprequest.c            |  4 +++
+ src/libs/zbxhistory/history_elastic.c      | 30 ++++++++++++++++++++++
+ src/libs/zbxhttp/http.c                    |  9 +++++++
+ src/libs/zbxmedia/email.c                  |  6 +++++
+ src/libs/zbxsysinfo/common/http.c          |  9 +++++++
+ src/libs/zbxsysinfo/simple/simple.c        | 11 ++++++++
+ src/zabbix_server/httppoller/httptest.c    |  9 +++++++
+ src/zabbix_server/reporter/report_writer.c | 10 ++++++++
+ src/zabbix_server/vmware/vmware.c          |  9 +++++++
+ 9 files changed, 97 insertions(+)
+
+diff --git a/src/libs/zbxembed/httprequest.c b/src/libs/zbxembed/httprequest.c
+index 7f0eed9..871b925 100644
+--- a/src/libs/zbxembed/httprequest.c
++++ b/src/libs/zbxembed/httprequest.c
+@@ -354,6 +354,10 @@ static duk_ret_t	es_httprequest_query(duk_context *ctx, const char *http_request
+	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_CUSTOMREQUEST, http_request, err);
+	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_TIMEOUT_MS, timeout_ms - elapsed_ms, err);
+	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_POSTFIELDS, ZBX_NULL2EMPTY_STR(contents), err);
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS, err);
++#endif
+
+	request->data_offset = 0;
+	request->headers_in_offset = 0;
+diff --git a/src/libs/zbxhistory/history_elastic.c b/src/libs/zbxhistory/history_elastic.c
+index 8b3ea84..fc881da 100644
+--- a/src/libs/zbxhistory/history_elastic.c
++++ b/src/libs/zbxhistory/history_elastic.c
+@@ -406,6 +406,16 @@ static void	elastic_writer_add_iface(zbx_history_iface_t *hist)
+		goto out;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS,
++			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
++		goto out;
++	}
++#endif
++
+	*page_w[hist->value_type].errbuf = '\0';
+
+	if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PRIVATE, &page_w[hist->value_type])))
+@@ -722,6 +732,16 @@ static int	elastic_get_values(zbx_history_iface_t *hist, zbx_uint64_t itemid, in
+		goto out;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS,
++			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
++		goto out;
++	}
++#endif
++
+	zabbix_log(LOG_LEVEL_DEBUG, "sending query to %s; post data: %s", data->post_url, query.buffer);
+
+	page_r.offset = 0;
+@@ -1065,6 +1085,16 @@ void	zbx_elastic_version_extract(struct zbx_json *json)
+		goto clean;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(handle, opt = CURLOPT_PROTOCOLS,
++			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		zabbix_log(LOG_LEVEL_WARNING, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err));
++		goto clean;
++	}
++#endif
++
+	*errbuf = '\0';
+
+	if (CURLE_OK != (err = curl_easy_perform(handle)))
+diff --git a/src/libs/zbxhttp/http.c b/src/libs/zbxhttp/http.c
+index c10922c..36774cc 100644
+--- a/src/libs/zbxhttp/http.c
++++ b/src/libs/zbxhttp/http.c
+@@ -333,6 +333,15 @@ int	zbx_http_get(const char *url, const char *header, long timeout, char **out,
+		goto clean;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		*error = zbx_dsprintf(NULL, "Cannot set allowed protocols: %s", curl_easy_strerror(err));
++		goto clean;
++	}
++#endif
++
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url)))
+	{
+		*error = zbx_dsprintf(NULL, "Cannot specify URL: %s", curl_easy_strerror(err));
+diff --git a/src/libs/zbxmedia/email.c b/src/libs/zbxmedia/email.c
+index 3b987d9..d3af744 100644
+--- a/src/libs/zbxmedia/email.c
++++ b/src/libs/zbxmedia/email.c
+@@ -661,6 +661,12 @@ static int	send_email_curl(const char *smtp_server, unsigned short smtp_port, co
+	if ('\0' != *smtp_helo)
+		zbx_snprintf(url + url_offset, sizeof(url) - url_offset, "/%s", smtp_helo);
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_SMTPS | CURLPROTO_SMTP)))
++		goto error;
++#endif
++
+	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url)))
+		goto error;
+
+diff --git a/src/libs/zbxsysinfo/common/http.c b/src/libs/zbxsysinfo/common/http.c
+index acd77e1..8dc4793 100644
+--- a/src/libs/zbxsysinfo/common/http.c
++++ b/src/libs/zbxsysinfo/common/http.c
+@@ -176,6 +176,15 @@ static int	curl_page_get(char *url, char **buffer, char **error)
+		goto out;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		*error = zbx_dsprintf(*error, "Cannot set allowed protocols: %s", curl_easy_strerror(err));
++		goto out;
++	}
++#endif
++
+	if (CURLE_OK == (err = curl_easy_perform(easyhandle)))
+	{
+		if (NULL != buffer)
+diff --git a/src/libs/zbxsysinfo/simple/simple.c b/src/libs/zbxsysinfo/simple/simple.c
+index be1b9f9..80c5eac 100644
+--- a/src/libs/zbxsysinfo/simple/simple.c
++++ b/src/libs/zbxsysinfo/simple/simple.c
+@@ -189,6 +189,17 @@ static int	check_https(const char *host, unsigned short port, int timeout, int *
+		goto clean;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS,
++			CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		zabbix_log(LOG_LEVEL_DEBUG, "%s: could not set cURL option [%d]: %s",
++				__func__, (int)opt, curl_easy_strerror(err));
++		goto clean;
++	}
++#endif
++
+	if (NULL != CONFIG_SOURCE_IP)
+	{
+		if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP)))
+diff --git a/src/zabbix_server/httppoller/httptest.c b/src/zabbix_server/httppoller/httptest.c
+index 0ff70ef..0201442 100644
+--- a/src/zabbix_server/httppoller/httptest.c
++++ b/src/zabbix_server/httppoller/httptest.c
+@@ -696,6 +696,15 @@ static void	process_httptest(DC_HOST *host, zbx_httptest_t *httptest)
+		goto clean;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		err_str = zbx_strdup(err_str, curl_easy_strerror(err));
++		goto clean;
++	}
++#endif
++
+	if (SUCCEED != zbx_http_prepare_ssl(easyhandle, httptest->httptest.ssl_cert_file,
+			httptest->httptest.ssl_key_file, httptest->httptest.ssl_key_password,
+			httptest->httptest.verify_peer, httptest->httptest.verify_host, &err_str))
+diff --git a/src/zabbix_server/reporter/report_writer.c b/src/zabbix_server/reporter/report_writer.c
+index 87d1364..7530ed0 100644
+--- a/src/zabbix_server/reporter/report_writer.c
++++ b/src/zabbix_server/reporter/report_writer.c
+@@ -162,6 +162,16 @@ static int	rw_get_report(const char *url, const char *cookie, int width, int hei
+		goto out;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		*error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt,
++				(curl_error = rw_curl_error(err)));
++		goto out;
++	}
++#endif
++
+	if (NULL != CONFIG_TLS_CA_FILE && '\0' != *CONFIG_TLS_CA_FILE)
+	{
+		if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_CAINFO, CONFIG_TLS_CA_FILE)) ||
+diff --git a/src/zabbix_server/vmware/vmware.c b/src/zabbix_server/vmware/vmware.c
+index b02c8c7..718d519 100644
+--- a/src/zabbix_server/vmware/vmware.c
++++ b/src/zabbix_server/vmware/vmware.c
+@@ -2045,6 +2045,15 @@ static int	vmware_service_authenticate(zbx_vmware_service_t *service, CURL *easy
+		goto out;
+	}
+
++#if LIBCURL_VERSION_NUM >= 0x071304
++	/* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */
++	if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)))
++	{
++		*error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt, curl_easy_strerror(err));
++		goto out;
++	}
++#endif
++
+	if (NULL != CONFIG_SOURCE_IP)
+	{
+		if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP)))
+--
+2.35.5

meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb

@@ -30,6 +30,7 @@ SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz
     file://CVE-2022-46768.patch \
     file://CVE-2023-29451.patch \
     file://CVE-2023-29449.patch \
+    file://CVE-2023-29450.patch \
 "
 
 SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"