
Bug#836700: jessie-pu: package cacti/0.8.8b+dfsg-8+deb8u6



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

The fix for CVE-2016-2313 in 0.8.8b+dfsg-8+deb8u5 was reported¹ to contain a
regression. The attached debdiff contains the reporter's patch that was accepted
upstream to fix the issue.

Can I upload to jessie-proposed-updates?

¹ https://lists.debian.org/debian-lts/2016/07/msg00164.html
  http://bugs.cacti.net/view.php?id=2697

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (60, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru cacti-0.8.8b+dfsg/debian/changelog cacti-0.8.8b+dfsg/debian/changelog
--- cacti-0.8.8b+dfsg/debian/changelog	2016-07-09 20:26:32.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/changelog	2016-09-04 21:38:05.000000000 +0200
@@ -1,3 +1,12 @@
+cacti (0.8.8b+dfsg-8+deb8u6) jessie-proposed-updates; urgency=medium
+
+  [ Emilio Pozuelo Monfort ]
+  * CVE-2016-2313-guest-auth.patch:
+    + Fix regression in the fix for CVE-2016-2313 that broke guest user
+      logins. Thanks to Matus Uhlar for the report.
+
+ -- Paul Gevers <elbrus@debian.org>  Sun, 04 Sep 2016 21:37:36 +0200
+
 cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
 
   [ Emilio Pozuelo Monfort ]
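Review bot: the changelog entry names the patch file but gives no upstream reference, so a reader of the jessie update cannot trace where the regression fix came from; the cover mail cites http://bugs.cacti.net/view.php?id=2697 and the patch is upstream commit 69983495cd41bf0903fe02baeef84b1fa85f2846, so consider extending the bullet, e.g. `+      logins (upstream bug #2697). Thanks to Matus Uhlar for the report.`, and adding the Debian bug number if one was filed for the regression.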
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch	2016-09-04 21:31:56.000000000 +0200
@@ -0,0 +1,27 @@
+From 69983495cd41bf0903fe02baeef84b1fa85f2846 Mon Sep 17 00:00:00 2001
+From: cigamit <jimmy@sqmail.org>
+Date: Sun, 14 Aug 2016 14:21:11 -0500
+Subject: [PATCH] fixing bug #2697
+
+web basic for guest accounts
+---
+ auth_login.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,10 +86,11 @@
+ 		/* Locate user in database */
+ 		$user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+ 
+-		if (!$user && read_config_option('user_template') == '0') {
+-			cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti.  Exiting.", false, 'AUTH');
++		if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0') {
++			cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but both Template and Guest Users are not defined in Cacti.  Exiting.", false, 'AUTH');
++
+ 			$username = htmlspecialchars($username);
+-			auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++			auth_display_custom_error_message("$username authenticated by Web Server, but a Template User and a Guest User are not defined in Cacti.");
+ 			exit;			
+ 		}
+ 
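Review bot: the widened condition `if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0')` means a web-server-authenticated username with no `user_auth` row no longer exits when a guest user is configured; the hunk stops at the closing `}`, so confirm that the fall-through path handles `user_template == '0'` with `guest_user` set (it must not try to clone a template user with id 0, and should map the session to the guest account only), since this is the block the CVE-2016-2313 authentication-bypass fix hardened and the regression fix should not hand such a user anything beyond guest privileges. Separately, the patch header carries the upstream commit and Subject but no DEP-3 `Bug:` field; adding `Bug: http://bugs.cacti.net/view.php?id=2697` would document its origin for anyone auditing the series later.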
diff -Nru cacti-0.8.8b+dfsg/debian/patches/series cacti-0.8.8b+dfsg/debian/patches/series
--- cacti-0.8.8b+dfsg/debian/patches/series	2016-07-09 20:04:07.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/patches/series	2016-09-04 21:31:56.000000000 +0200
@@ -31,3 +31,4 @@
 CVE-2016-3172-sql-injection.patch
 CVE-2016-3659-sql-injection.patch
 CVE-2016-2313-authentication-bypass.patch
+CVE-2016-2313-guest-auth.patch
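Review bot: ordering is the point to check here: CVE-2016-2313-guest-auth.patch modifies the same `if` block of auth_login.php that CVE-2016-2313-authentication-bypass.patch introduced, so it must stay after that entry in series; verify that `quilt push -a` applies it without fuzz, because the context lines in the new patch assume the bypass patch's version of the block.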
