Hi LTS maintainers, On 05-01-16 20:55, Antoine Beaupré wrote: > Cacti still shows up in the list of opened issues in squeeze... Are you > going to take care of CVE-2015-8604 next? Apart from CVE-2015-8604, which I have a (attached) patch ready for upload to sid, I also consider the patch for CVE-2015-8377 incomplete (where should this actually be reported, bts?). The vulnerable variable is a 3D array and both runs of "each" should be checked. Unfortunately the upstream bug tracker is down now, but I will update the patch there. please find it attached as well (line numbers may not be for squeeze). After I take care of wheezy and jessie debdiff's I can take care of this in squeeze myself, but I don't mind if somebody beats me to it. But please use the attached patches or discuss why they are not good enough. Paul
Description: SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. Author: Chris Lamb <lamby@debian.org> and Paul Gevers <elbrus@debian.org> Bug: http://bugs.cacti.net/view.php?id=2655 Index: cacti/graphs_new.php =================================================================== --- cacti.orig/graphs_new.php +++ cacti/graphs_new.php @@ -183,11 +183,17 @@ function host_new_graphs_save() { while (list($form_id1, $form_array2) = each($form_array)) { /* enumerate information from the arrays stored in post variables */ + /* ================= input validation ================= */ + input_validate_input_number($form_id1); + /* ==================================================== */ if ($form_type == "cg") { $graph_template_id = $form_id1; }elseif ($form_type == "sg") { while (list($form_id2, $form_array3) = each($form_array2)) { $snmp_index_array = $form_array3; + /* ================= input validation ================= */ + input_validate_input_number($form_id2); + /* ==================================================== */ $snmp_query_array["snmp_query_id"] = $form_id1; $snmp_query_array["snmp_index_on"] = get_best_data_query_index_type($_POST["host_id"], $form_id1);
Description: SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. Author: Paul Gevers <elbrus@debian.org> Bug: http://bugs.cacti.net/view.php?id=2652 Index: cacti/graphs_new.php =================================================================== --- cacti.orig/graphs_new.php +++ cacti/graphs_new.php @@ -252,6 +252,9 @@ function host_new_graphs($host_id, $host while (list($form_type, $form_array) = each($selected_graphs_array)) { while (list($form_id1, $form_array2) = each($form_array)) { + /* ================= input validation ================= */ + input_validate_input_number($form_id1); + /* ==================================================== */ if ($form_type == "cg") { $graph_template_id = $form_id1; @@ -260,6 +263,7 @@ function host_new_graphs($host_id, $host while (list($form_id2, $form_array3) = each($form_array2)) { /* ================= input validation ================= */ input_validate_input_number($snmp_query_id); + input_validate_input_number($form_id2); /* ==================================================== */ $snmp_query_id = $form_id1;
Attachment:
signature.asc
Description: OpenPGP digital signature