==========================================================================
Ubuntu Security Notice USN-5889-1
February 27, 2023

zoneminder vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in ZoneMinder.

Software Description:
- zoneminder: video camera security and surveillance solution

Details:

It was discovered that ZoneMinder was not properly sanitizing URL
parameters for certain views. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 16.04 ESM. (CVE-2019-6777)

It was discovered that ZoneMinder was not properly sanitizing stored user
input later printed to the user in certain views. An attacker could
possibly use this issue to perform a cross-site scripting (XSS) attack.
This issue was only fixed in Ubuntu 16.04 ESM. (CVE-2019-6990,
CVE-2019-6992)

It was discovered that ZoneMinder was not properly limiting data size and
not properly performing bound checks when processing username and password
data, which could lead to a stack buffer overflow. An attacker could
possibly use this issue to bypass authentication, cause a denial of
service or execute arbitrary code. This issue was only fixed in Ubuntu
16.04 ESM. (CVE-2019-6991)

It was discovered that ZoneMinder was not properly defining and filtering
data that was appended to the webroot URL of a view. An attacker could
possibly use this issue to perform cross-site scripting (XSS) attacks.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 20.04 LTS.
(CVE-2019-7325, CVE-2019-7329)

It was discovered that ZoneMinder was not properly sanitizing stored user
input later printed to the user in certain views. An attacker could
possibly use this issue to perform a cross-site scripting (XSS) attack.
This issue was only fixed in Ubuntu 20.04 LTS. (CVE-2019-7326)

It was discovered that ZoneMinder was not properly sanitizing URL
parameters for certain views. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 20.04 LTS. (CVE-2019-7327, CVE-2019-7328, CVE-2019-7330,
CVE-2019-7332)

It was discovered that ZoneMinder was not properly sanitizing user input
in the monitor editing view. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 16.04 ESM and Ubuntu 20.04 LTS. (CVE-2019-7331)

It was discovered that ZoneMinder was not properly sanitizing data related
to file paths in a system. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2022-29806)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
   zoneminder                      1.36.12+dfsg1-1ubuntu0.1~esm1

Ubuntu 20.04 LTS:
   zoneminder                      1.32.3-2ubuntu2+esm1

Ubuntu 16.04 ESM:
   zoneminder                      1.29.0+dfsg-1ubuntu2+esm1

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-5889-1
   CVE-2019-6777, CVE-2019-6990, CVE-2019-6991, CVE-2019-6992,
   CVE-2019-7325, CVE-2019-7326, CVE-2019-7327, CVE-2019-7328,
   CVE-2019-7329, CVE-2019-7330, CVE-2019-7331, CVE-2019-7332,
   CVE-2022-29806

Package Information: