oss-sec mailing list archives

Re: CVE request: zoneminder: local file inclusion vulnerability


From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 21 Feb 2013 09:28:23 +0100

Hi Kurt

Thank you for the CVE assignment!

On Wed, Feb 20, 2013 at 11:59:58PM -0700, Kurt Seifried wrote:
> > Hi
> >
> > In zoneminder forum the following announce was done already in
> > 2011:
> >
> > http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
>
> Stupid Q, is there like an official security page? Posting stuff to a
> forum is not exactly the easiest place to find things, can they set up
> like zoneminder.com/security/ and at least list all the security
> issues and link to them there so people don't have to dig through the
> forums?
>
> I say this because this is the first cve request I've ever seen for
> zoneminder since I started assigning, and indeed, since 2008, so I'm
> guessing there's a few more missing ones......

I further know about the wikipage with the ChangeLog, but there is no
patch referenced (thus the forum post). It's here:

 [1] http://www.zoneminder.com/wiki/index.php/Change_History

But I have not read through yet, to see if there are more changes
indicating some security implication. For the one of my request there
was only

FIX - Fixed Local File Inclusion (LFI) vulnerability. Please note a
patch for this is also available for 1.24.4 which the 1.24.4 tarball
also contains for recent downloads.

> If someone wants to dig through the forums to find them and post them
> here that would probably be helpful (seriously, wanna pad your resume
> and get a reference from me? first person to make 100 good CVE
> requests wins).

I can check indeed if I find more. To the forum post for
CVE-2013-0232 there is still no answer from upstream [2].

 [2]: http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771

Regards,
Salvatore

