
Bug#830805: marked as done (jessie-pu: package cacti/0.8.8b+dfsg-8+deb8u4)



Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #830805,
regarding jessie-pu: package cacti/0.8.8b+dfsg-8+deb8u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
830805: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830805
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

There are currently three CVEs open against the cacti package in jessie that
have a patch available¹. None of the issues are severe enough to warrant a
security upload, but I still think it is a good idea to get this fixed in
jessie. Could you please consider the attached debdiff?

Paul

¹ The fourth open CVE against cacti has been open since 2009 and is not likely to get fixed.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (60, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru cacti-0.8.8b+dfsg/debian/changelog cacti-0.8.8b+dfsg/debian/changelog
--- cacti-0.8.8b+dfsg/debian/changelog	2016-02-24 20:47:55.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/changelog	2016-07-09 20:26:32.000000000 +0200
@@ -1,3 +1,15 @@
+cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
+
+  [ Emilio Pozuelo Monfort ]
+  * debian/patches/CVE-2016-3172-sql-injection.patch:
+    + CVE-2016-3172: Fix sql injection in tree.php (Closes: #818647)
+  * debian/patches/CVE-2016-3659-sql-injection.patch:
+    + CVE-2016-3659: Fix sql injection in graph_view.php (Closes: #820521)
+  * debian/patches/CVE-2016-2313-authentication-bypass.patch:
+    + CVE-2016-2313: Fix authentication bypass (Closes: #814353)
+
+ -- Paul Gevers <elbrus@debian.org>  Sat, 09 Jul 2016 20:05:41 +0200
+
 cacti (0.8.8b+dfsg-8+deb8u4) jessie-security; urgency=high
 
   * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php
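Review bot: the CVE-2016-3659 entry names graph_view.php, but the patch shipped for it changes sanitize_search_string() in lib/functions.php. Mention lib/functions.php in the changelog line so that someone auditing the upload can match the entry to the file that actually changes, and so it is clear that every caller of that helper is affected, not only graph_view.php.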
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch	2016-07-09 20:04:07.000000000 +0200
@@ -0,0 +1,23 @@
+Backport fix for CVE-2016-2313.
+
+This is http://svn.cacti.net/viewvc?view=rev&revision=7770
+and https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
+
+Bug: http://bugs.cacti.net/view.php?id=2656
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,6 +86,13 @@
+ 		/* Locate user in database */
+ 		$user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+ 
++		if (!$user && read_config_option('user_template') == '0') {
++			cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti.  Exiting.", false, 'AUTH');
++			$username = htmlspecialchars($username);
++			auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++			exit;			
++		}
++
+ 		break;
+ 	case "3":
+ 		/* LDAP Auth */
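Review bot: the new guard in auth_login.php fires only when read_config_option('user_template') loosely equals '0'; if that option can come back as an empty string or null when no template user has been set, the check is skipped and execution falls through to the break as before. Consider testing with empty() or documenting in the patch header why '0' is the only "unset" value. Two smaller points: $username is written to cacti_log() before it is passed through htmlspecialchars(), so the log line carries the raw value supplied by the web server, and the "exit;" line has trailing whitespace.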
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	2016-07-09 20:04:07.000000000 +0200
@@ -0,0 +1,10 @@
+--- a/tree.php	2016/05/08 15:10:45	7804
++++ a/tree.php	2016/05/08 15:35:30	7805
+@@ -153,6 +153,7 @@
+ 	/* ================= input validation ================= */
+ 	input_validate_input_number(get_request_var("id"));
+ 	input_validate_input_number(get_request_var("tree_id"));
++	input_validate_input_number(get_request_var("parent_id"));
+ 	/* ==================================================== */
+ 
+ 	if (!empty($_GET["id"])) {
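Review bot: this patch file has no description header, unlike the CVE-2016-2313 patch, which cites the upstream revision and bug. Add a short header stating that it backports upstream r7805 (the revision shown in the +++ line) for CVE-2016-3172 and that the fix is the added input_validate_input_number() call on "parent_id", so the origin can be checked without reading the changelog.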
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	2016-07-09 20:04:07.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/lib/functions.php	2016/03/06 23:29:28	7800
++++ a/lib/functions.php	2016/05/08 14:41:02	7801
+@@ -2138,8 +2138,8 @@
+    @arg $string - the original raw search string
+    @returns - the sanitized search string */
+ function sanitize_search_string($string) {
+-	static $drop_char_match =   array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
+-	static $drop_char_replace = array(' ', ' ', ' ', ' ',  '',   '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
++	static $drop_char_match   = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
++	static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
+ 
+ 	/* Replace line endings by a space */
+ 	$string = preg_replace('/[\n\r]/is', ' ', $string);
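Review bot: the fix in sanitize_search_string() extends a character denylist held in two parallel arrays, $drop_char_match and $drop_char_replace, whose entries must stay index-aligned, and that alignment is hard to confirm by eye on these two long lines. A comment stating the expected element count, or a single keyed array mapping each character to its replacement, would make a future addition safer. The patch file also lacks a description header; note there that it backports upstream r7801 for CVE-2016-3659 and that the change is stripping '(' and ')' from search strings.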
diff -Nru cacti-0.8.8b+dfsg/debian/patches/series cacti-0.8.8b+dfsg/debian/patches/series
--- cacti-0.8.8b+dfsg/debian/patches/series	2016-02-24 20:47:56.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/series	2016-07-09 20:04:07.000000000 +0200
@@ -28,3 +28,6 @@
 CVE-2015-8369_sql_injection_in_graph.php.patch
 CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch
 CVE-2015-8604-sql-injection-in-graphs_new.patch
+CVE-2016-3172-sql-injection.patch
+CVE-2016-3659-sql-injection.patch
+CVE-2016-2313-authentication-bypass.patch

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
