Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: unblock Severity: normal Please unblock package cacti A CVE was found in cacti. The patch that I applied to the cacti package comes from upstream. Closes https://bugs.debian.org/926700 debdiff attached. unblock cacti/1.2.2+ds1-2 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'testing-debug'), (200, 'testing'), (100, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru cacti-1.2.2+ds1/debian/changelog cacti-1.2.2+ds1/debian/changelog
--- cacti-1.2.2+ds1/debian/changelog 2019-02-26 21:48:07.000000000 +0100
+++ cacti-1.2.2+ds1/debian/changelog 2019-04-09 20:42:38.000000000 +0200
@@ -1,3 +1,12 @@
+cacti (1.2.2+ds1-2) unstable; urgency=medium
+
+ * Add 0001-Resolving-Issue-2581.patch from upstream (Closes: #926700)
+ CVE-2019-11025: In clearFilter() in utilities.php no escaping occurs
+ before printing out the value of the SNMP community string (SNMP
+ Options) in the View poller cache, leading to XSS.
+
+ -- Paul Gevers <elbrus@debian.org> Tue, 09 Apr 2019 20:42:38 +0200
+
cacti (1.2.2+ds1-1) unstable; urgency=medium
* New upstream release 1.2.2
diff -Nru cacti-1.2.2+ds1/debian/patches/0001-Resolving-Issue-2581.patch cacti-1.2.2+ds1/debian/patches/0001-Resolving-Issue-2581.patch
--- cacti-1.2.2+ds1/debian/patches/0001-Resolving-Issue-2581.patch 1970-01-01 01:00:00.000000000 +0100
+++ cacti-1.2.2+ds1/debian/patches/0001-Resolving-Issue-2581.patch 2019-04-09 20:38:47.000000000 +0200
@@ -0,0 +1,68 @@
+From c373e66a6a224e221a1db037164144ce59b20736 Mon Sep 17 00:00:00 2001
+From: cigamit <jimmy@sqmail.org>
+Date: Thu, 28 Mar 2019 06:37:45 -0500
+Subject: [PATCH] Resolving Issue #2581
+
+Stored XSS in "SNMP community string" field
+---
+ CHANGELOG | 1 +
+ utilities.php | 11 ++++++-----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/utilities.php b/utilities.php
+index f5478d23..dc9439c4 100644
+--- a/utilities.php
++++ b/utilities.php
+@@ -1543,7 +1543,7 @@ function utilities_view_snmp_cache() {
+ <?php print filter_value($item['name'], get_request_var('filter'));?>
+ </td>
+ <td>
+- <?php print $item['snmp_index'];?>
++ <?php print html_escape($item['snmp_index']);?>
+ </td>
+ <td>
+ <?php print filter_value($item['field_name'], get_request_var('filter'));?>
+@@ -1837,7 +1837,7 @@ function utilities_view_poller_cache() {
+ </td>
+
+ <td>
+- <?php print $item['description'];?>
++ <?php print html_escape($item['description']);?>
+ </td>
+
+ <td>
+@@ -1846,12 +1846,12 @@ function utilities_view_poller_cache() {
+ if ($item['snmp_version'] != 3) {
+ $details =
+ __('SNMP Version:') . ' ' . $item['snmp_version'] . ', ' .
+- __('Community:') . ' ' . $item['snmp_community'] . ', ' .
++ __('Community:') . ' ' . html_escape($item['snmp_community']) . ', ' .
+ __('OID:') . ' ' . filter_value($item['arg1'], get_request_var('filter'));
+ } else {
+ $details =
+ __('SNMP Version:') . ' ' . $item['snmp_version'] . ', ' .
+- __('User:') . ' ' . $item['snmp_username'] . ', ' . __('OID:') . ' ' . $item['arg1'];
++ __('User:') . ' ' . html_escape($item['snmp_username']) . ', ' . __('OID:') . ' ' . html_escape($item['arg1']);
+ }
+ } elseif ($item['action'] == 1) {
+ $details = __('Script:') . ' ' . filter_value($item['arg1'], get_request_var('filter'));
+@@ -1860,6 +1860,7 @@ function utilities_view_poller_cache() {
+ }
+
+ print $details;
++
+ ?>
+ </td>
+ </tr>
+@@ -1869,7 +1870,7 @@ function utilities_view_poller_cache() {
+ <td colspan='2'>
+ </td>
+ <td>
+- <?php print __('RRD:');?> <?php print $item['rrd_path'];?>
++ <?php print __('RRD:');?> <?php print html_escape($item['rrd_path']);?>
+ </td>
+ </tr>
+ <?php
+--
+2.20.1
+
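Review bot: `$item['snmp_version']` is still concatenated into `$details` without escaping in both SNMP branches of utilities_view_poller_cache() (the two `__('SNMP Version:')` context lines), and `$details` then goes out through a bare `print $details;`. The fix therefore relies on that column never containing markup, which the hunk does not show; wrapping it like its neighbours would remove the assumption: `__('SNMP Version:') . ' ' . html_escape($item['snmp_version']) . ', ' .`. The non-v3 OID and the `Script:` branch rely on `filter_value()` instead of `html_escape()`, and its body is not visible here, so it is worth confirming that it HTML-encodes its first argument before this is treated as a complete fix for the stored XSS. The function starts and ends outside the quoted hunks, so other `print $item[...]` sinks in the same table may remain.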
diff -Nru cacti-1.2.2+ds1/debian/patches/series cacti-1.2.2+ds1/debian/patches/series
--- cacti-1.2.2+ds1/debian/patches/series 2019-01-22 20:31:40.000000000 +0100
+++ cacti-1.2.2+ds1/debian/patches/series 2019-04-09 20:38:14.000000000 +0200
@@ -2,3 +2,4 @@
enable-system-jqueryui-by-putting-cacti-changes-in-main.css.patch
perl-path.patch
font-awesome-path.patch
+0001-Resolving-Issue-2581.patch