Hi all,

On 09-01-16 13:45, Paul Gevers wrote:
> After I take care of wheezy and jessie debdiffs I can take care of this
> in squeeze myself, but I don't mind if somebody beats me to it. But
> please use the attached patches or discuss why they are not good enough.

Please find attached my proposal for squeeze. I would appreciate it when someone looks over the debdiff and comments. Ideally someone with a setup to actually quickly run the package.

Paul

diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog
--- cacti-0.8.7g/debian/changelog
+++ cacti-0.8.7g/debian/changelog
@@ -1,3 +1,12 @@
+cacti (0.8.7g-1+squeeze9+deb6u14) squeeze-lts; urgency=medium
+
+ * CVE-2015-8377: Improve fix for SQL injection vulnerability in
+ graphs_new.php where a second instance of the variable wasn't checked
+ in the original fix
+ * CVE-2015-8604: Fix SQL injection vulnerability in graphs_new.php
+
+ -- Paul Gevers <elbrus@debian.org> Sun, 10 Jan 2016 20:51:51 +0100
+
cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high
* Correct yet another regression in patch for CVE-2015-8369, introduced in
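Review bot: The CVE-2015-8604 entry in the new stanza names only graphs_new.php, while the patch header attributes the flaw to host_new_graphs; naming the function would distinguish it from the CVE-2015-8377 entry, which concerns host_new_graphs_save in the same file. The CVE-2015-8377 entry could likewise name the variable it refers to ("a second instance of the variable") so the changelog can be read without opening the patch. The urgency also drops from high in deb6u13 to medium here although both items are SQL injection fixes; worth confirming that is intended.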
diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series
--- cacti-0.8.7g/debian/patches/series
+++ cacti-0.8.7g/debian/patches/series
@@ -30,0 +31 @@
+CVE-2015-8604-sql-injection-in-graphs_new.patch
diff -u cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch
--- cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch
@@ -1,6 +1,22 @@
---- cacti-0.8.7g.orig/graphs_new.php
-+++ cacti-0.8.7g/graphs_new.php
-@@ -183,6 +183,9 @@ function host_new_graphs_save() {
+Description: SQL injection vulnerability in the host_new_graphs_save function
+ in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users
+ to execute arbitrary SQL commands via crafted serialized data in the
+ selected_graphs_array parameter in a save action.
+Author: Chris Lamb <lamby@debian.org> and Paul Gevers <elbrus@debian.org>
+Bug: http://bugs.cacti.net/view.php?id=2655
+Index: cacti/graphs_new.php
+===================================================================
+--- cacti.orig/graphs_new.php
++++ cacti/graphs_new.php
+@@ -178,11 +178,17 @@ function host_new_graphs_save() {
+
+ while (list($form_id1, $form_array2) = each($form_array)) {
+ /* enumerate information from the arrays stored in post variables */
++ /* ================= input validation ================= */
++ input_validate_input_number($form_id1);
++ /* ==================================================== */
+ if ($form_type == "cg") {
+ $graph_template_id = $form_id1;
}elseif ($form_type == "sg") {
while (list($form_id2, $form_array3) = each($form_array2)) {
$snmp_index_array = $form_array3;
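Review bot: In the sg branch of host_new_graphs_save, the context line `while (list($form_id2, $form_array3) = each($form_array2)) {` introduces $form_id2, and nothing visible in this hunk validates it; the added check covers only $form_id1. The CVE-2015-8604 patch adds `input_validate_input_number($form_id2);` to the equivalent loop in host_new_graphs, so please confirm that the part of this patch not shown in the debdiff does the same here, or add it. The embedded hunk header `@@ -178,11 +178,17 @@` accounts for six added lines, of which only three appear in the displayed portion, so the remainder should be checked against the full patch file.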
only in patch2:
unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-8604-sql-injection-in-graphs_new.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-8604-sql-injection-in-graphs_new.patch
@@ -0,0 +1,28 @@
+Description: SQL injection vulnerability in the host_new_graphs function in
+ graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users
+ to execute arbitrary SQL commands via crafted serialized data in the
+ selected_graphs_array parameter in a save action.
+Author: Paul Gevers <elbrus@debian.org>
+Bug: http://bugs.cacti.net/view.php?id=2652
+Index: cacti/graphs_new.php
+===================================================================
+--- cacti.orig/graphs_new.php
++++ cacti/graphs_new.php
+@@ -249,6 +249,9 @@ function host_new_graphs($host_id, $host
+
+ while (list($form_type, $form_array) = each($selected_graphs_array)) {
+ while (list($form_id1, $form_array2) = each($form_array)) {
++ /* ================= input validation ================= */
++ input_validate_input_number($form_id1);
++ /* ==================================================== */
+ if ($form_type == "cg") {
+ $graph_template_id = $form_id1;
+
+@@ -257,6 +260,7 @@ function host_new_graphs($host_id, $host
+ while (list($form_id2, $form_array3) = each($form_array2)) {
+ /* ================= input validation ================= */
+ input_validate_input_number($snmp_query_id);
++ input_validate_input_number($form_id2);
+ /* ==================================================== */
+
+ $snmp_query_id = $form_id1;
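Review bot: In the second embedded hunk, the existing `input_validate_input_number($snmp_query_id);` runs before `$snmp_query_id = $form_id1;`, so it checks whatever value the variable held before this iteration rather than the one about to be used. With $form_id1 now validated at the top of the outer loop by the first embedded hunk, the value itself is covered, but the stale check is misleading; consider moving the assignment above the validation block or dropping the $snmp_query_id check so the validation reads in the order the values are used.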