
Bug#980762: marked as done (buster-pu: package cacti/1.2.2+ds1-2+deb10u4)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #980762,
regarding buster-pu: package cacti/1.2.2+ds1-2+deb10u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
980762: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980762
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hi Adam, all,

[ Reason ]
A CVE was discovered in cacti and fixed upstream. I backported the patch
to the buster package. Related, other security issues were discovered
and fixed.

[ Impact ]
A SQL injection vulnerability in data_debug.php allows remote
authenticated attackers to execute arbitrary SQL commands via the
site_id parameter. This can lead to remote code execution. CVE-2020-35701.

Additionally, there are a few places in the current code where an
attacker, once having gained access to the Cacti database through a SQL
injection, could modify data in tables to possibly expose a stored XSS
bug in Cacti.

[ Tests ]
I have run the autopkgtest included in the source package.

[ Risks ]
The call to the input sanitizer is moved from within the default
alternative to the start of the code. Hence, the change is simple and
the actual code has always been in the default code path, so I think the
risk for the CVE fix is low.

The patch for the other issues didn't apply, so I had to adapt it to the
code base in buster. I've inspected both the final patch and the diff
between upstream's changes and the final patch; both look sane. The
changes are exclusively calling an existing used function to sanitize
input additionally or instead of a text trim command (which upstream
claims is not needed anymore). I think the risk is low.

[ Checklist ]
  [✓] *all* changes are documented in the d/changelog
  [✓] I reviewed all changes and I approve them
  [✓] attach debdiff against the package in stable
  [✓] the issue is verified as fixed in unstable

[ Changes ]
Upstream patches added to the patch set.

[ Other info ]
I've discussed with carnil if this warrants a DSA but we thought this
made sense to fix via a point release.

I have already uploaded the package.

Paul
diff -Nru cacti-1.2.2+ds1/debian/changelog cacti-1.2.2+ds1/debian/changelog
--- cacti-1.2.2+ds1/debian/changelog	2020-06-18 22:34:41.000000000 +0200
+++ cacti-1.2.2+ds1/debian/changelog	2021-01-21 20:16:38.000000000 +0100
@@ -1,3 +1,15 @@
+cacti (1.2.2+ds1-2+deb10u4) buster; urgency=medium
+
+  * Add 0001-Fixing-Issue-4022.patch (Closes: #979998)
+    - CVE-2020-35701: SQL injection via data_debug.php
+  * Add 0001-Fixing-Issue-4019.patch
+    There are a few places in the current code where an attacker, once
+    having gained access to the Cacti database through a SQL injection,
+    could modify data in tables to possibly expose an stored XSS bug in
+    Cacti.
+
+ -- Paul Gevers <elbrus@debian.org>  Thu, 21 Jan 2021 20:16:38 +0100
+
 cacti (1.2.2+ds1-2+deb10u3) buster; urgency=medium
 
   * Unix timestamps after Sep 13 2020 are rejected as graph start/end
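Review bot: the 0001-Fixing-Issue-4019.patch entry carries no upstream reference, whereas the 4022 entry right above it names its CVE; add the upstream issue number the patch subject gives ("Fixing Issue #4019") so the entry can be traced back, and while editing it change "an stored XSS bug" to "a stored XSS bug".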
diff -Nru cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4019.patch cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4019.patch
--- cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4019.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4019.patch	2021-01-21 20:16:38.000000000 +0100
@@ -0,0 +1,222 @@
+From ef10fe1c340ed932dc18b6a566b21f9dd15933c2 Mon Sep 17 00:00:00 2001
+From: TheWitness <thewitness@cacti.net>
+Date: Wed, 23 Dec 2020 16:33:27 -0500
+Subject: [PATCH] Fixing Issue #4019
+
+* In a recent audit of core Cacti code, there were a few stored XSS issues that can be exposed
+* Also removed a few spurious title_trims, that should no longer be a problem.
+---
+ CHANGELOG              |  1 +
+ automation_devices.php | 10 +++++-----
+ data_debug.php         |  6 +++---
+ data_sources.php       |  2 +-
+ lib/api_automation.php | 22 +++++++++++-----------
+ lib/html.php           |  9 +++++----
+ lib/html_graph.php     | 10 +++++-----
+ lib/html_tree.php      |  4 ++--
+ managers.php           |  2 +-
+ utilities.php          | 20 ++++++++++----------
+ 10 files changed, 44 insertions(+), 42 deletions(-)
+
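Review bot: the diffstat in this patch header lists 10 files, including CHANGELOG, data_debug.php and data_sources.php, but the adapted body below carries only seven Index: sections (automation_devices.php, lib/api_automation.php, lib/html.php, lib/html_graph.php, lib/html_tree.php, managers.php, utilities.php). The cover letter says the patch had to be adapted to the buster code base, so record in the header which upstream hunks were dropped and why (a DEP-3 Origin/Comment block would do), or regenerate the diffstat, so the next reviewer does not go looking for changes that are not there.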
+Index: cacti/automation_devices.php
+===================================================================
+--- cacti.orig/automation_devices.php
++++ cacti/automation_devices.php
+@@ -466,7 +466,7 @@ function draw_filter() {
+ 							<?php
+ 							if (cacti_sizeof($networks)) {
+ 							foreach ($networks as $key => $name) {
+-								print "<option value='" . $key . "'"; if (get_request_var('network') == $key) { print ' selected'; } print '>' . $name . "</option>\n";
++								print "<option value='" . html_escape($key) . "'"; if (get_request_var('network') == $key) { print ' selected'; } print '>' . html_escape($name) . "</option>\n";
+ 							}
+ 							}
+ 							?>
+@@ -496,7 +496,7 @@ function draw_filter() {
+ 							<?php
+ 							if (cacti_sizeof($status_arr)) {
+ 							foreach ($status_arr as $st) {
+-								print "<option value='" . $st . "'"; if (get_request_var('status') == $st) { print ' selected'; } print '>' . $st . "</option>\n";
++								print "<option value='" . html_escape($st) . "'"; if (get_request_var('status') == $st) { print ' selected'; } print '>' . html_escape($st) . "</option>\n";
+ 							}
+ 							}
+ 							?>
+@@ -511,7 +511,7 @@ function draw_filter() {
+ 							<?php
+ 							if (cacti_sizeof($os_arr)) {
+ 							foreach ($os_arr as $st) {
+-								print "<option value='" . $st . "'"; if (get_request_var('os') == $st) { print ' selected'; } print '>' . $st . "</option>\n";
++								print "<option value='" . html_escape($st) . "'"; if (get_request_var('os') == $st) { print ' selected'; } print '>' . html_escape($st) . "</option>\n";
+ 							}
+ 							}
+ 							?>
+@@ -526,7 +526,7 @@ function draw_filter() {
+ 							<?php
+ 							if (cacti_sizeof($status_arr)) {
+ 							foreach ($status_arr as $st) {
+-								print "<option value='" . $st . "'"; if (get_request_var('snmp') == $st) { print ' selected'; } print '>' . $st . "</option>\n";
++								print "<option value='" . html_escape($st) . "'"; if (get_request_var('snmp') == $st) { print ' selected'; } print '>' . html_escape($st) . "</option>\n";
+ 							}
+ 							}
+ 							?>
+@@ -541,7 +541,7 @@ function draw_filter() {
+ 							<?php
+ 							if (cacti_sizeof($item_rows) > 0) {
+ 							foreach ($item_rows as $key => $value) {
+-								print "<option value='" . $key . "'"; if (get_request_var('rows') == $key) { print ' selected'; } print '>' . $value . "</option>\n";
++								print "<option value='" . $key . "'"; if (get_request_var('rows') == $key) { print ' selected'; } print '>' . html_escape($value) . "</option>\n";
+ 							}
+ 							}
+ 							?>
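Review bot: in the last hunk of this file (@@ -541), `$key` is still written raw into the value attribute while only `$value` gets html_escape(); the first hunk (@@ -466) escapes both `$key` and `$name`. If the keys of `$item_rows` are the integer row counts the name suggests, this is harmless, but either escaping `$key` as well for uniformity or a one-line comment saying why it is exempt would save the question next time.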
+Index: cacti/lib/api_automation.php
+===================================================================
+--- cacti.orig/lib/api_automation.php
++++ cacti/lib/api_automation.php
+@@ -155,7 +155,7 @@ function display_matching_hosts($rule, $
+ 
+ 								if (cacti_sizeof($host_templates)) {
+ 									foreach ($host_templates as $host_template) {
+-										print "<option value='" . $host_template['id'] . "'"; if (get_request_var('host_template_id') == $host_template['id']) { print ' selected'; } print '>' . $host_template['name'] . "</option>\n";
++										print "<option value='" . $host_template['id'] . "'"; if (get_request_var('host_template_id') == $host_template['id']) { print ' selected'; } print '>' . html_escape($host_template['name']) . "</option>\n";
+ 									}
+ 								}
+ 								?>
+@@ -452,7 +452,7 @@ function display_matching_graphs($rule,
+ 
+ 								if (cacti_sizeof($templates) > 0) {
+ 									foreach ($templates as $template) {
+-										print "<option value=' " . $template['id'] . "'"; if (get_request_var('template_id') == $template['id']) { print ' selected'; } print '>' . title_trim($template['name'], 40) . "</option>\n";
++										print "<option value=' " . $template['id'] . "'"; if (get_request_var('template_id') == $template['id']) { print ' selected'; } print '>' . html_escape($template['name']) . "</option>\n";
+ 									}
+ 								}
+ 								?>
+@@ -1074,7 +1074,7 @@ function display_matching_trees ($rule_i
+ 
+ 							if (cacti_sizeof($host_templates) > 0) {
+ 							foreach ($host_templates as $host_template) {
+-								print "<option value='" . $host_template['id'] . "'"; if (get_request_var('host_template_id') == $host_template['id']) { print ' selected'; } print '>' . $host_template['name'] . "</option>\n";
++								print "<option value='" . $host_template['id'] . "'"; if (get_request_var('host_template_id') == $host_template['id']) { print ' selected'; } print '>' . html_escape($host_template['name']) . "</option>\n";
+ 							}
+ 							}
+ 							?>
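Review bot: the @@ -452 hunk keeps a pre-existing stray space in `"<option value=' " . $template['id'] . "'"`, so the attribute is still emitted as value=' 123'; worth removing while the line is being touched. Replacing `title_trim($template['name'], 40)` with `html_escape($template['name'])` also drops the 40-character truncation, so long template names now display in full; since that is a visible change, the changelog should say that the trims were removed on upstream's advice, as the cover letter already does.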
+Index: cacti/lib/html.php
+===================================================================
+--- cacti.orig/lib/html.php
++++ cacti/lib/html.php
+@@ -954,7 +954,7 @@ function html_create_list($form_data, $c
+ 					print ' selected';
+ 				}
+ 
+-				print '>' . title_trim(null_out_substitutions(html_escape($form_data[$id])), 75) . "</option>\n";
++				print '>' . html_escape(null_out_substitutions($form_data[$id])) . "</option>\n";
+ 			}
+ 		}
+ 	} else {
+@@ -967,9 +967,9 @@ function html_create_list($form_data, $c
+ 				}
+ 
+ 				if (isset($row['host_id'])) {
+-					print '>' . title_trim(html_escape($row[$column_display]), 75) . "</option>\n";
++					print '>' . html_escape($row[$column_display]) . "</option>\n";
+ 				} else {
+-					print '>' . title_trim(null_out_substitutions(html_escape($row[$column_display])), 75) . "</option>\n";
++					print '>' . html_escape(null_out_substitutions($row[$column_display])) . "</option>\n";
+ 				}
+ 			}
+ 		}
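Review bot: both hunks in html_create_list() reverse the order of html_escape() and null_out_substitutions(): before, the value was escaped first and the substitution ran on the escaped text; now the substitution runs on the raw value and the result is escaped last. Escaping last is the safer order, because whatever the substitution inserts is escaped too, but confirm that null_out_substitutions() does not rely on seeing already-escaped input (for example matching on entity-encoded characters), otherwise the displayed text changes.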
+Index: cacti/lib/html_graph.php
+===================================================================
+--- cacti.orig/lib/html_graph.php
++++ cacti/lib/html_graph.php
+@@ -260,7 +260,7 @@ function html_graph_preview_filter($page
+ 
+ 							if (cacti_sizeof($graph_timespans)) {
+ 								foreach($graph_timespans as $value => $text) {
+-									print "<option value='$value'"; if ($_SESSION['sess_current_timespan'] == $value) { print ' selected'; } print '>' . $text . "</option>\n";
++									print "<option value='$value'"; if ($_SESSION['sess_current_timespan'] == $value) { print ' selected'; } print '>' . html_escape($text) . "</option>\n";
+ 								}
+ 							}
+ 							?>
+@@ -293,7 +293,7 @@ function html_graph_preview_filter($page
+ 								$end_val = cacti_sizeof($graph_timeshifts)+1;
+ 								if (cacti_sizeof($graph_timeshifts) > 0) {
+ 									for ($shift_value=$start_val; $shift_value < $end_val; $shift_value++) {
+-										print "<option value='$shift_value'"; if ($_SESSION['sess_current_timeshift'] == $shift_value) { print ' selected'; } print '>' . title_trim($graph_timeshifts[$shift_value], 40) . "</option>\n";
++										print "<option value='$shift_value'"; if ($_SESSION['sess_current_timeshift'] == $shift_value) { print ' selected'; } print '>' . html_escape($graph_timeshifts[$shift_value]) . "</option>\n";
+ 									}
+ 								}
+ 								?>
+Index: cacti/lib/html_tree.php
+===================================================================
+--- cacti.orig/lib/html_tree.php
++++ cacti/lib/html_tree.php
+@@ -1056,7 +1056,7 @@ function grow_right_pane_tree($tree_id,
+ 
+ 							if (cacti_sizeof($graph_timespans)) {
+ 								foreach($graph_timespans as $value => $text) {
+-									print "<option value='$value'"; if ($_SESSION['sess_current_timespan'] == $value) { print ' selected'; } print '>' . $text . "</option>\n";
++									print "<option value='$value'"; if ($_SESSION['sess_current_timespan'] == $value) { print ' selected'; } print '>' . html_escape($text) . "</option>\n";
+ 								}
+ 							}
+ 							?>
+@@ -1089,7 +1089,7 @@ function grow_right_pane_tree($tree_id,
+ 								$end_val = cacti_sizeof($graph_timeshifts)+1;
+ 								if (cacti_sizeof($graph_timeshifts)) {
+ 									for ($shift_value=$start_val; $shift_value < $end_val; $shift_value++) {
+-										print "<option value='$shift_value'"; if ($_SESSION['sess_current_timeshift'] == $shift_value) { print ' selected'; } print '>' . title_trim($graph_timeshifts[$shift_value], 40) . "</option>\n";
++										print "<option value='$shift_value'"; if ($_SESSION['sess_current_timeshift'] == $shift_value) { print ' selected'; } print '>' . html_escape($graph_timeshifts[$shift_value]) . "</option>\n";
+ 									}
+ 								}
+ 								?>
+Index: cacti/managers.php
+===================================================================
+--- cacti.orig/managers.php
++++ cacti/managers.php
+@@ -484,7 +484,7 @@ function manager_notifications($id, $hea
+ 								<?php
+ 								if (cacti_sizeof($mibs)) {
+ 									foreach ($mibs as $mib) {
+-										print "<option value='" . $mib['mib'] . "'"; if (get_request_var('mib') == $mib['mib']) { print ' selected'; } print '>' . $mib['mib'] . '</option>';
++										print "<option value='" . html_escape($mib['mib']) . "'"; if (get_request_var('mib') == $mib['mib']) { print ' selected'; } print '>' . html_escape($mib['mib']) . '</option>';
+ 									}
+ 								}
+ 								?>
+Index: cacti/utilities.php
+===================================================================
+--- cacti.orig/utilities.php
++++ cacti/utilities.php
+@@ -678,7 +678,7 @@ function utilities_view_user_log() {
+ 
+ 							if (cacti_sizeof($users)) {
+ 								foreach ($users as $user) {
+-									print "<option value='" . $user['username'] . "'"; if (get_request_var('username') == $user['username']) { print ' selected'; } print '>' . $user['username'] . "</option>\n";
++									print "<option value='" . html_escape($user['username']) . "'"; if (get_request_var('username') == $user['username']) { print ' selected'; } print '>' . html_escape($user['username']) . "</option>\n";
+ 								}
+ 							}
+ 							?>
+@@ -1067,7 +1067,7 @@ function utilities_view_logfile() {
+ 										continue;
+ 									}
+ 
+-									print "<option value='" . $logFile . "'";
++									print "<option value='" . html_escape($logFile) . "'";
+ 
+ 									if ($selectedFile == $logFile) {
+ 										print ' selected';
+@@ -2407,7 +2407,7 @@ function snmpagent_utilities_run_cache()
+ 								<?php
+ 								if (cacti_sizeof($mibs) > 0) {
+ 									foreach ($mibs as $mib) {
+-										print "<option value='" . $mib['mib'] . "'"; if (get_request_var('mib') == $mib['mib']) { print ' selected'; } print '>' . html_escape($mib['mib']) . "</option>\n";
++										print "<option value='" . html_escape($mib['mib']) . "'"; if (get_request_var('mib') == $mib['mib']) { print ' selected'; } print '>' . html_escape($mib['mib']) . "</option>\n";
+ 									}
+ 								}
+ 								?>
+@@ -2670,7 +2670,7 @@ function snmpagent_utilities_run_eventlo
+ 								<option value='-1'<?php if (get_request_var('receiver') == '-1') {?> selected<?php }?>><?php print __('Any');?></option>
+ 								<?php
+ 								foreach ($receivers as $receiver) {
+-									print "<option value='" . $receiver['manager_id'] . "'"; if (get_request_var('receiver') == $receiver['manager_id']) { print ' selected'; } print '>' . $receiver['hostname'] . "</option>\n";
++									print "<option value='" . $receiver['manager_id'] . "'"; if (get_request_var('receiver') == $receiver['manager_id']) { print ' selected'; } print '>' . html_escape($receiver['hostname']) . "</option>\n";
+ 								}
+ 								?>
+ 							</select>
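Review bot: the @@ -1067 hunk escapes `$logFile` in the value attribute, but the option label printed after the `selected` check lies outside the shown context; confirm it is escaped as well, as a log file name comes from the filesystem rather than from the request and is just as much attacker-influenced data for this purpose. The @@ -2670 hunk leaves `$receiver['manager_id']` raw in the value attribute, which is fine if manager_id is an integer id like the other id columns this patch leaves unescaped, but a comment saying so would help.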
diff -Nru cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4022.patch cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4022.patch
--- cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4022.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-1.2.2+ds1/debian/patches/0001-Fixing-Issue-4022.patch	2021-01-21 20:16:38.000000000 +0100
@@ -0,0 +1,36 @@
+From 565e0604a53f4988dc5b544d01f4a631eaa80d82 Mon Sep 17 00:00:00 2001
+From: TheWitness <thewitness@cacti.net>
+Date: Thu, 24 Dec 2020 10:39:50 -0500
+Subject: [PATCH] Fixing Issue #4022
+
+SQL Injection in data_debug.php
+---
+ CHANGELOG      | 3 ++-
+ data_debug.php | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/data_debug.php b/data_debug.php
+index 1bbed6a0a..a7ffe0829 100644
+--- a/data_debug.php
++++ b/data_debug.php
+@@ -35,6 +35,8 @@ ini_set('memory_limit', '-1');
+ 
+ set_default_action();
+ 
++validate_request_vars();
++
+ switch (get_request_var('action')) {
+ 	case 'actions':
+ 		form_actions();
+@@ -123,8 +125,6 @@ switch (get_request_var('action')) {
+ 
+ 		break;
+ 	default:
+-		validate_request_vars();
+-
+ 		$refresh = array(
+ 			'seconds' => get_request_var('refresh'),
+ 			'page'    => 'data_debug.php?header=false',
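Review bot: moving validate_request_vars() ahead of the switch means every action, including 'actions' handled by form_actions(), now passes through the same filter instead of only the default page view, which is the right shape for the CVE fix; however, the definition of validate_request_vars() is not in the diff, so these hunks alone do not show that `site_id` (the injection point named in the cover letter) is among the validated variables. A pointer in the patch header to that filter, or a one-line comment above the call, would close the gap; the autopkgtest run mentioned in the cover letter covers the other actions still behaving after the reordering.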
+-- 
+2.29.2
+
diff -Nru cacti-1.2.2+ds1/debian/patches/series cacti-1.2.2+ds1/debian/patches/series
--- cacti-1.2.2+ds1/debian/patches/series	2020-06-18 22:34:41.000000000 +0200
+++ cacti-1.2.2+ds1/debian/patches/series	2021-01-21 20:16:38.000000000 +0100
@@ -16,3 +16,5 @@
 107bfecebfdd060a81b91f146471648ebb7284a0.patch
 25abe64483752f7585ae17b699167b0abe849833.patch
 ec0d1f8422405500d7f4792071e3b313df10bd19.patch
+0001-Fixing-Issue-4022.patch
+0001-Fixing-Issue-4019.patch



--- End Message ---
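As an added illustration of the stored-XSS pattern the 4019 hunks fix, not code from the message or from Cacti: the same `<option>` loop rendered before and after escaping at the point of output. `html_escape()` is a stand-in assumed to wrap htmlspecialchars(), and the sample rows are constructed.

```php
<?php
// Stand-in for Cacti's html_escape(); assumed here to wrap htmlspecialchars().
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample rows standing in for rows read back from the database.
// The second name is the kind of value a party with SQL write access to the
// database could have stored; the filter form then renders it for every user.
$host_templates = [
    ['id' => 1, 'name' => 'Linux Host'],
    ['id' => 2, 'name' => "</option></select><script>alert(1)</script>"],
];
$selected = '2';

// Before the patch: the stored name goes straight into the markup, so the
// browser sees the injected tags as part of the page.
function render_options_vulnerable(array $rows, string $selected): string {
    $out = '';
    foreach ($rows as $row) {
        $out .= "<option value='" . $row['id'] . "'";
        if ($selected == $row['id']) { $out .= ' selected'; }
        $out .= '>' . $row['name'] . "</option>\n";
    }
    return $out;
}

// After the patch: escape at output regardless of where the value came from.
// The id is cast rather than escaped because it is an integer column.
function render_options_fixed(array $rows, string $selected): string {
    $out = '';
    foreach ($rows as $row) {
        $out .= "<option value='" . (int) $row['id'] . "'";
        if ($selected == $row['id']) { $out .= ' selected'; }
        $out .= '>' . html_escape($row['name']) . "</option>\n";
    }
    return $out;
}

echo "--- vulnerable ---\n", render_options_vulnerable($host_templates, $selected);
echo "--- fixed ---\n",      render_options_fixed($host_templates, $selected);
```

In the fixed output the second option reads `&lt;/option&gt;&lt;/select&gt;&lt;script&gt;...` as inert text, which is exactly what the html_escape() calls added across the filter forms in the patch achieve.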
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
