
Re: cacti LTS



On 26/06/16 09:23, Paul Gevers wrote:
> Hi Emilio
> 
> On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>>> Just in case somebody starts working on it, I'd like to review proposed
>>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>>> in Debian and a check if the fix by a contributor in the upstream bug
>>> report is causing other damage. The third CVE has a trivial patch.
>>
>> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
>> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
>> know if we are vulnerable or not, maybe we are and the attack needs some
>> changes. In any case, I think the fix is very safe, sanitizing parentheses, so I
>> think we can just ship it. What do you think? Please see the attached debdiff.
> 
> The patch for CVE-2016-3659 is accepted by upstream, so should be OK to
> apply.
> 
> The issue with CVE-2016-2313 has been resolved upstream, the
> sledgehammer has been replaced by an appropriate hammer for the size of
> the nail:
> https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
> 
> I believe CVE-2016-2313 should be included in this fix.

Certainly! I have backported the fix and included it in this new debdiff.
Unfortunately I'm not sure how to trigger the bug.

> Please be advised that since my previous e-mail, I actually created a
> brute force regression test for cacti, see
> http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages

Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
be useful to do some basic testing after an update.

Cheers,
Emilio
diff -Nru cacti-0.8.8a+dfsg/debian/changelog cacti-0.8.8a+dfsg/debian/changelog
--- cacti-0.8.8a+dfsg/debian/changelog	2016-02-24 21:00:15.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/changelog	2016-06-26 10:18:07.000000000 +0200
@@ -1,3 +1,15 @@
+cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/CVE-2016-3172-sql-injection.patch:
+    + CVE-2016-3172: Fix sql injection in tree.php.
+  * debian/patches/CVE-2016-3659-sql-injection.patch:
+    + CVE-2016-3659: Fix sql injection in graph_view.php.
+  * debian/patches/CVE-2016-2313-authentication-bypass.patch:
+    + CVE-2016-2313: Fix authentication bypass.
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Sun, 26 Jun 2016 10:18:04 +0200
+
 cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency=high
 
   * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php
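Review bot: the three changelog entries are too terse to be useful for later triage; the hunks below show exactly what each patch does, so name it: "CVE-2016-3172: validate the parent_id request variable in tree.php", "CVE-2016-3659: strip parentheses in sanitize_search_string() (lib/functions.php)", and "CVE-2016-2313: fail web-server (realm 2) authentication in auth_login.php when no Template User is defined". Also consider citing the upstream commit referenced in the thread for CVE-2016-2313, since this entry supersedes the earlier, broader fix.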
diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch
--- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch	2016-06-26 10:16:50.000000000 +0200
@@ -0,0 +1,23 @@
+Backport fix for CVE-2016-2313.
+
+This is http://svn.cacti.net/viewvc?view=rev&revision=7770
+and https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
+
+Bug: http://bugs.cacti.net/view.php?id=2656
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,6 +86,13 @@
+ 		/* Locate user in database */
+ 		$user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+ 
++		if (!$user && read_config_option('user_template') == '0') {
++			cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti.  Exiting.", false, 'AUTH');
++			$username = htmlspecialchars($username);
++			auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++			exit;			
++		}
++
+ 		break;
+ 	case "3":
+ 		/* LDAP Auth */
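Review bot: the `exit;` line carries trailing tabs after the semicolon, which will make `quilt refresh` and future rebases noisier than necessary; strip the trailing whitespace. The header's free-form "This is <svn url> and <github url>" would be better expressed with the DEP-3 fields the other patches in this package lack too, e.g. `Origin: upstream, https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52` and `Applied-Upstream: svn r7770`, alongside the existing `Bug:` line. On the logic itself: the new guard only fires when `$user` is empty and `user_template` is `'0'`, so when a template user is configured the code still proceeds past `break` to whatever template-based user creation follows, which is the upstream-intended behaviour per the thread; worth stating that in the patch description so the next LTS maintainer does not mistake the narrow check for an incomplete fix.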
diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch
--- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	2016-06-25 21:57:13.000000000 +0200
@@ -0,0 +1,10 @@
+--- a/tree.php	2016/05/08 15:10:45	7804
++++ a/tree.php	2016/05/08 15:35:30	7805
+@@ -153,6 +153,7 @@
+ 	/* ================= input validation ================= */
+ 	input_validate_input_number(get_request_var("id"));
+ 	input_validate_input_number(get_request_var("tree_id"));
++	input_validate_input_number(get_request_var("parent_id"));
+ 	/* ==================================================== */
+ 
+ 	if (!empty($_GET["id"])) {
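Review bot: this patch has no DEP-3 header at all, unlike the CVE-2016-2313 one; the `---`/`+++` lines already show the upstream svn revisions (7804 -> 7805), so add at least `Origin: upstream, svn r7805` and the CVE number in a `Description:` line. Note also that both file headers read `a/tree.php` (the `+++` should normally be `b/tree.php`); quilt applies it fine with `-p1`, but it is worth normalising when refreshing. The change itself is consistent with the existing pattern: `parent_id` now gets the same `input_validate_input_number()` treatment as `id` and `tree_id` before any of them reach a query.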
diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch
--- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	2016-06-25 21:57:24.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/lib/functions.php	2016/03/06 23:29:28	7800
++++ a/lib/functions.php	2016/05/08 14:41:02	7801
+@@ -2138,8 +2138,8 @@
+    @arg $string - the original raw search string
+    @returns - the sanitized search string */
+ function sanitize_search_string($string) {
+-	static $drop_char_match =   array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
+-	static $drop_char_replace = array(' ', ' ', ' ', ' ',  '',   '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
++	static $drop_char_match   = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
++	static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
+ 
+ 	/* Replace line endings by a space */
+ 	$string = preg_replace('/[\n\r]/is', ' ', $string);
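Review bot: `$drop_char_match` and `$drop_char_replace` are parallel arrays, so their lengths must stay in lockstep or replacements silently shift onto the wrong characters; the new versions do line up (22 entries each, with `(` and `)` mapped to the empty string like the backtick and single quote), but a one-line comment above the arrays saying they must remain aligned would prevent the next backport from breaking that invariant. As with the CVE-2016-3172 patch, add a DEP-3 header (`Origin: upstream, svn r7801`, `Description: CVE-2016-3659 ...`). Finally, since the thread notes nobody could reproduce the issue on wheezy, it is worth recording in the header that this is a character denylist hardening accepted upstream rather than a verified fix for a reproduced bug, so the status is clear to whoever revisits it.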
diff -Nru cacti-0.8.8a+dfsg/debian/patches/series cacti-0.8.8a+dfsg/debian/patches/series
--- cacti-0.8.8a+dfsg/debian/patches/series	2016-02-24 21:00:15.000000000 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/series	2016-06-26 10:08:53.000000000 +0200
@@ -28,3 +28,6 @@
 CVE-2015-8369_sql_injection_in_graph.php.patch
 CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch
 CVE-2015-8604-sql-injection-in-graphs_new.patch
+CVE-2016-3172-sql-injection.patch
+CVE-2016-3659-sql-injection.patch
+CVE-2016-2313-authentication-bypass.patch
