zabbix: fix CVE-2023-29451

Refer: https://support.zabbix.com/browse/ZBX-22587 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-05-18 22:56:15 +00:00 · 2023-04-27 10:04:08 +08:00 · 2023-04-27 10:04:08 +08:00 · 4b0bd9c49b
commit 4b0bd9c49b
parent 63c520c344
2 changed files with 117 additions and 0 deletions
--- a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29451.patch
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29451.patch
@ -0,0 +1,116 @@
+From 90274a56b2505997cd1677f0bd6a8b89b21df163 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 26 Apr 2023 15:00:07 +0800
+Subject: [PATCH] Fix CVE-2023-29451
+
+.......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character
+
+Merge in ZBX/zabbix from feature/DEV-2450-6.0 to release/6.0
+
+* commit '97efb4ed5069d4febe825671e2c3d106478d082d':
+  .......PS. [DEV-2450] added mock test
+  .......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character
+  .......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character
+
+Upstream-Status: Backport
+[https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b6a8c84612a67daaf89879226349420104bff24]
+CVE: CVE-2023-29451
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/libs/zbxdiag/diag.c                      |  3 ++-
+ src/libs/zbxjson/json.c                      |  2 +-
+ src/libs/zbxjson/json.h                      |  1 +
+ src/libs/zbxjson/json_parser.c               | 15 +++++----------
+ src/zabbix_server/reporter/report_protocol.c |  3 ++-
+ 5 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/src/libs/zbxdiag/diag.c b/src/libs/zbxdiag/diag.c
+index 6fc5509..dc47407 100644
+--- a/src/libs/zbxdiag/diag.c
+++ b/src/libs/zbxdiag/diag.c
+@@ -673,7 +673,8 @@ static void	diag_get_simple_values(const struct zbx_json_parse *jp, char **msg)
+ 	{
+ 		if (FAIL == zbx_json_brackets_open(pnext, &jp_value))
+ 		{
+-			zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, &type);
+			if (NULL == zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, &type))
+				type = ZBX_JSON_TYPE_NULL;
+ 
+ 			if (0 != msg_offset)
+ 				zbx_chrcpy_alloc(msg, &msg_alloc, &msg_offset, ' ');
+diff --git a/src/libs/zbxjson/json.c b/src/libs/zbxjson/json.c
+index 4161ef0..c043d7e 100644
+--- a/src/libs/zbxjson/json.c
+++ b/src/libs/zbxjson/json.c
+@@ -764,7 +764,7 @@ static unsigned int	zbx_hex2num(char c)
+  *               0 on error (invalid escape sequence)                         *
+  *                                                                            *
+  ******************************************************************************/
+-static unsigned int	zbx_json_decode_character(const char **p, unsigned char *bytes)
+unsigned int	zbx_json_decode_character(const char **p, unsigned char *bytes)
+ {
+ 	bytes[0] = '\0';
+ 
+diff --git a/src/libs/zbxjson/json.h b/src/libs/zbxjson/json.h
+index c59646a..4008411 100644
+--- a/src/libs/zbxjson/json.h
+++ b/src/libs/zbxjson/json.h
+@@ -29,5 +29,6 @@
+ 	SKIP_WHITESPACE(src)
+ 
+ void	zbx_set_json_strerror(const char *fmt, ...) __zbx_attr_format_printf(1, 2);
+unsigned int	zbx_json_decode_character(const char **p, unsigned char *bytes);
+ 
+ #endif
+diff --git a/src/libs/zbxjson/json_parser.c b/src/libs/zbxjson/json_parser.c
+index c8dcee4..64d24cf 100644
+--- a/src/libs/zbxjson/json_parser.c
+++ b/src/libs/zbxjson/json_parser.c
+@@ -88,7 +88,7 @@ static zbx_int64_t	json_parse_string(const char *start, char **error)
+ 		if ('\\' == *ptr)
+ 		{
+ 			const char	*escape_start = ptr;
+-			int		i;
+			unsigned char	uc[4];	/* decoded Unicode character takes 1-4 bytes in UTF-8 */
+ 
+ 			/* unexpected end of string data, failing */
+ 			if ('\0' == *(++ptr))
+@@ -107,16 +107,11 @@ static zbx_int64_t	json_parse_string(const char *start, char **error)
+ 					break;
+ 				case 'u':
+ 					/* check if the \u is followed with 4 hex digits */
+-					for (i = 0; i < 4; i++)
+-					{
+-						if (0 == isxdigit((unsigned char)*(++ptr)))
+-						{
+-							return json_error("invalid escape sequence in string",
+-									escape_start, error);
+-						}
+					if (0 == zbx_json_decode_character(&ptr, uc)) {
+						return json_error("invalid escape sequence in string",
+							escape_start, error);
+ 					}
+-
+-					break;
+					continue;
+ 				default:
+ 					return json_error("invalid escape sequence in string data",
+ 							escape_start, error);
+diff --git a/src/zabbix_server/reporter/report_protocol.c b/src/zabbix_server/reporter/report_protocol.c
+index 5f55f51..ee0e02e 100644
+--- a/src/zabbix_server/reporter/report_protocol.c
+++ b/src/zabbix_server/reporter/report_protocol.c
+@@ -421,7 +421,8 @@ void	zbx_report_test(const struct zbx_json_parse *jp, zbx_uint64_t userid, struc
+ 			size_t		value_alloc = 0;
+ 			zbx_ptr_pair_t	pair;
+ 
+-			zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, NULL);
+			if (NULL == zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, NULL))
+				continue;
+ 			pair.first = zbx_strdup(NULL, key);
+ 			pair.second = value;
+ 			zbx_vector_ptr_pair_append(&params, pair);
+-- 
+2.25.1
+
--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@ -28,6 +28,7 @@ SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz
    file://zabbix-agent.service \
    file://CVE-2022-43515.patch \
    file://CVE-2022-46768.patch \
+    file://CVE-2023-29451.patch \
 "

 SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"