
Re: cacti LTS



Hi Paul,

> Just in case somebody starts working on it, I'd like to review proposed
> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
> in Debian and a check if the fix by a contributor in the upstream bug
> report is causing other damage. The third CVE has a trivial patch.

I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
know if we are vulnerable or not, maybe we are and the attack needs some
changes. In any case, I think the fix is very safe, sanitizing parentheses, so I
think we can just ship it. What do you think? Please see the attached debdiff.

Thanks,
Emilio
diff -Nru cacti-0.8.8a+dfsg/debian/changelog cacti-0.8.8a+dfsg/debian/changelog
--- cacti-0.8.8a+dfsg/debian/changelog	2016-02-24 21:00:15.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/changelog	2016-06-25 21:58:57.000000000 +0200
@@ -1,3 +1,13 @@
+cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/CVE-2016-3172-sql-injection.patch
+    + CVE-2016-3172: Fix sql injection in tree.php.
+    debian/patches/CVE-2016-3659-sql-injection.patch
+    + CVE-2016-3659: Fix sql injection in graph_view.php.
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Sat, 25 Jun 2016 21:57:43 +0200
+
 cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency=high
 
   * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php
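Review bot: The changelog entry for `debian/patches/CVE-2016-3659-sql-injection.patch` is missing the leading `* ` bullet that the CVE-2016-3172 entry above it has, so it renders as a continuation of the previous item rather than a second patch; make the two entries parallel, e.g. `  * debian/patches/CVE-2016-3659-sql-injection.patch` followed by `    + CVE-2016-3659: Fix sql injection in graph_view.php.` The deb7u8 entry below writes "SQL Injection"; pick one capitalisation for the new entries as well.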
diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch
--- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	2016-06-25 21:57:13.000000000 +0200
@@ -0,0 +1,10 @@
+--- a/tree.php	2016/05/08 15:10:45	7804
++++ a/tree.php	2016/05/08 15:35:30	7805
+@@ -153,6 +153,7 @@
+ 	/* ================= input validation ================= */
+ 	input_validate_input_number(get_request_var("id"));
+ 	input_validate_input_number(get_request_var("tree_id"));
++	input_validate_input_number(get_request_var("parent_id"));
+ 	/* ==================================================== */
+ 
+ 	if (!empty($_GET["id"])) {
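Review bot: The patch file has no DEP-3 header, so nothing in the package records where this one-line change came from or which bug it addresses; add `Description:`, `Origin: upstream` (the inner patch header shows tree.php moving from upstream revision 7804 to 7805) and a `Bug:`/`Bug-Debian:` line above the `--- a/tree.php` line. The change itself is consistent with the surrounding validation block: `parent_id` is now passed through `input_validate_input_number` in the same way as `id` and `tree_id`, before the `if (!empty($_GET["id"]))` branch that follows.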
diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch
--- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	2016-06-25 21:57:24.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/lib/functions.php	2016/03/06 23:29:28	7800
++++ a/lib/functions.php	2016/05/08 14:41:02	7801
+@@ -2138,8 +2138,8 @@
+    @arg $string - the original raw search string
+    @returns - the sanitized search string */
+ function sanitize_search_string($string) {
+-	static $drop_char_match =   array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
+-	static $drop_char_replace = array(' ', ' ', ' ', ' ',  '',   '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
++	static $drop_char_match   = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
++	static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
+ 
+ 	/* Replace line endings by a space */
+ 	$string = preg_replace('/[\n\r]/is', ' ', $string);
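Review bot: Same DEP-3 point as the other patch file, and here it matters more because the behaviour change is not obvious from the hunk: `(` and `)` are mapped to the empty string while most other entries of `$drop_char_match` map to a space, so adjacent tokens merge (a search string such as `a(b)` becomes `ab` rather than `a b`). Record in the `Description:` that this mirrors upstream functions.php r7800 to r7801 and that the merging is intended, since you note you could not reproduce CVE-2016-3659 locally. The two arrays stay aligned at 22 entries each after the edit, which is required because the match/replace pairing is positional.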
diff -Nru cacti-0.8.8a+dfsg/debian/patches/series cacti-0.8.8a+dfsg/debian/patches/series
--- cacti-0.8.8a+dfsg/debian/patches/series	2016-02-24 21:00:15.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/series	2016-06-25 21:55:31.000000000 +0200
@@ -28,3 +28,5 @@
 CVE-2015-8369_sql_injection_in_graph.php.patch
 CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch
 CVE-2015-8604-sql-injection-in-graphs_new.patch
+CVE-2016-3172-sql-injection.patch
+CVE-2016-3659-sql-injection.patch
