Hi all,

On 09-01-16 13:45, Paul Gevers wrote:
> After I take care of wheezy and jessie debdiffs I can take care of this
> in squeeze myself, but I don't mind if somebody beats me to it. But
> please use the attached patches or discuss why they are not good enough.

Please find attached my proposal for squeeze. I would appreciate it if someone looks over the debdiff and comments. Ideally someone with a setup to actually quickly run the package.

Paul
diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog --- cacti-0.8.7g/debian/changelog +++ cacti-0.8.7g/debian/changelog @@ -1,3 +1,12 @@ +cacti (0.8.7g-1+squeeze9+deb6u14) squeeze-lts; urgency=medium + + * CVE-2015-8377: Improve fix for SQL injection vulnerability in + graphs_new.php where a second instance of the variable wasn't checked + in the original fix + * CVE-2015-8604: Fix SQL injection vulnerability in graphs_new.php + + -- Paul Gevers <elbrus@debian.org> Sun, 10 Jan 2016 20:51:51 +0100 + cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high * Correct yet another regression in patch for CVE-2015-8369, introduced in diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series --- cacti-0.8.7g/debian/patches/series +++ cacti-0.8.7g/debian/patches/series @@ -30,0 +31 @@ +CVE-2015-8604-sql-injection-in-graphs_new.patch diff -u cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch --- cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch +++ cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch 
@@ -1,6 +1,22 @@ ---- cacti-0.8.7g.orig/graphs_new.php -+++ cacti-0.8.7g/graphs_new.php -@@ -183,6 +183,9 @@ function host_new_graphs_save() { +Description: SQL injection vulnerability in the host_new_graphs_save function + in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users + to execute arbitrary SQL commands via crafted serialized data in the + selected_graphs_array parameter in a save action. +Author: Chris Lamb <lamby@debian.org> and Paul Gevers <elbrus@debian.org> +Bug: http://bugs.cacti.net/view.php?id=2655 +Index: cacti/graphs_new.php +=================================================================== +--- cacti.orig/graphs_new.php ++++ cacti/graphs_new.php +@@ -178,11 +178,17 @@ function host_new_graphs_save() { + + while (list($form_id1, $form_array2) = each($form_array)) { + /* enumerate information from the arrays stored in post variables */ ++ /* ================= input validation ================= */ ++ input_validate_input_number($form_id1); ++ /* ==================================================== */ + if ($form_type == "cg") { + $graph_template_id = $form_id1; }elseif ($form_type == "sg") { while (list($form_id2, $form_array3) = each($form_array2)) { $snmp_index_array = $form_array3; only in patch2: unchanged: --- cacti-0.8.7g.orig/debian/patches/CVE-2015-8604-sql-injection-in-graphs_new.patch +++ cacti-0.8.7g/debian/patches/CVE-2015-8604-sql-injection-in-graphs_new.patch 
@@ -0,0 +1,28 @@ +Description: SQL injection vulnerability in the host_new_graphs function in + graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users + to execute arbitrary SQL commands via crafted serialized data in the + selected_graphs_array parameter in a save action. +Author: Paul Gevers <elbrus@debian.org> +Bug: http://bugs.cacti.net/view.php?id=2652 +Index: cacti/graphs_new.php +=================================================================== +--- cacti.orig/graphs_new.php ++++ cacti/graphs_new.php +@@ -249,6 +249,9 @@ function host_new_graphs($host_id, $host + + while (list($form_type, $form_array) = each($selected_graphs_array)) { + while (list($form_id1, $form_array2) = each($form_array)) { ++ /* ================= input validation ================= */ ++ input_validate_input_number($form_id1); ++ /* ==================================================== */ + if ($form_type == "cg") { + $graph_template_id = $form_id1; + +@@ -257,6 +260,7 @@ function host_new_graphs($host_id, $host + while (list($form_id2, $form_array3) = each($form_array2)) { + /* ================= input validation ================= */ + input_validate_input_number($snmp_query_id); ++ input_validate_input_number($form_id2); + /* ==================================================== */ + + $snmp_query_id = $form_id1;
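Review bot: in the host_new_graphs_save hunk of the CVE-2015-8377 patch, only $form_id1 is validated in the lines shown, while the "sg" branch goes on to iterate `each($form_array2)` with $form_id2 as the key. The new CVE-2015-8604 patch adds `input_validate_input_number($form_id2);` at the corresponding loop in host_new_graphs. Please confirm that the unchanged remainder of this patch, which the debdiff does not show, already covers $form_id2 in host_new_graphs_save, and add the same check if it does not.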
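Review bot: in the second hunk of the new CVE-2015-8604 patch (@@ -257,6 +260,7), the validation block checks $snmp_query_id before the context line `$snmp_query_id = $form_id1;` assigns it, so that check runs on whatever value the variable held before this iteration rather than on the value about to be used. With $form_id1 now validated by the first hunk, consider moving the $snmp_query_id check below the assignment or dropping it, and keep the added $form_id2 check where it is. Separately, the Description repeats the CVE-2015-8377 wording with only the function name changed; it is worth checking that text against the report at bug id 2652.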