On Thursday 22 August 2024, 18:01:02 UTC, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Thu, 2024-08-22 at 15:38 +0000, Bastien Roucariès wrote:
> > [ Reason ]
> > Security upload. Except CVE-2024-27082 that needs
> > coordination with other packages.
>
> You appear to have forgotten the debdiff.

Yes, I just resent it.

> Regards,
>
> Adam
diff -Nru cacti-1.2.24+ds1/debian/changelog cacti-1.2.24+ds1/debian/changelog
--- cacti-1.2.24+ds1/debian/changelog 2024-03-15 09:53:35.000000000 +0000
+++ cacti-1.2.24+ds1/debian/changelog 2024-08-11 17:28:54.000000000 +0000
@@ -1,3 +1,71 @@
+cacti (1.2.24+ds1-1+deb12u3) unstable; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Fix CVE-2024-25641: RCE vulnerability when importing packages
+ An arbitrary file write vulnerability, exploitable through the
+ "Package Import" feature, allows authenticated users having
+ the "Import Templates" permission to execute arbitrary PHP
+ code on the web server (RCE).
+ * Fix CVE-2024-29894: XSS vulnerability when using JavaScript
+ based messaging API.
+ raise_message_javascript from lib/functions.php now uses purify.js
+ to fix CVE-2023-50250 (among others).
+ However it still generates the code out of unescaped
+ PHP variables $title and $header.
+ If those variables contain single quotes, they can be used
+ to inject JavaScript code.
+ * Fix CVE-2024-31443. XSS vulnerability when managing data queries
+ Some of the data stored in form_save() function in data_queries.php
+ is not thoroughly checked and is used to concatenate the
+ HTML statement in grow_right_pane_tree() function from lib/html.php,
+ finally resulting in XSS.
+ * Fix CVE-2024-31444: XSS vulnerability when reading tree rules with
+ Automation API.
+ Some of the data stored in automation_tree_rules_form_save() function
+ in automation_tree_rules.php is not thoroughly checked and is used
+ to concatenate the HTML statement in form_confirm() function from
+ lib/html.php , finally resulting in XSS.
+ * Fix CVE-2024-31445: SQL injection vulnerability
+ A SQL injection vulnerability in `automation_get_new_graphs_sql`
+ function of `api_automation.php` allows authenticated users to exploit
+ these SQL injection vulnerabilities to perform privilege escalation
+ and remote code execution. In `api_automation.php` line 856, the
+ `get_request_var('filter')` is being concatenated into the SQL
+ statement without any sanitization. In `api_automation.php` line 717,
+ The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no
+ filter for it
+ * Fix CVE-2024-31458: SQL injection vulnerability
+ Some of the data stored in `form_save()` function in
+ `graph_template_inputs.php` is not thoroughly checked and is used to
+ concatenate the SQL statement in
+ `draw_nontemplated_fields_graph_item()` function from
+ `lib/html_form_templates.php` , finally resulting in SQL injection
+ * Fix CVE-2024-31459: Remote code execution
+ There is a file inclusion issue in the lib/plugin.php file.
+ Combined with SQL injection vulnerabilities, RCE can be implemented.
+ * Fix CVE-2024-31460: SQL code injection
+ Some of the data stored in `automation_tree_rules.php` is not
+ thoroughly checked and is used to concatenate the SQL statement in
+ `create_all_header_nodes()` function from `lib/api_automation.php` ,
+ finally resulting in SQL injection. Using SQL based secondary
+ injection technology, attackers can modify the contents of the Cacti
+ database, and based on the modified content, it may be possible to
+ achieve further impact, such as arbitrary file reading, and even
+ remote code execution through arbitrary file writing
+ * Fix CVE-2024-34340: type juggling vulnerability
+ Cacti calls `compat_password_hash` when users set their
+ password. `compat_password_hash` use `password_hash` if there is it,
+ else use `md5`. When verifying password, it calls
+ `compat_password_verify`. In `compat_password_verify`,
+ `password_verify` is called if there is it, else use
+ `md5`. `password_verify` and `password_hash` are supported on PHP <
+ 5.5.0, following PHP manual. The vulnerability is in
+ `compat_password_verify`. Md5-hashed user input is compared with
+ correct password in database by `$md5 == $hash`. It is a loose
+ comparison, not `===`.
+
+ -- Bastien Roucariès <rouca@debian.org> Sun, 11 Aug 2024 17:28:54 +0000
+
cacti (1.2.24+ds1-1+deb12u2) bookworm-security; urgency=high
[Sylvain Beucler]
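Review bot: the new stanza at the top of this hunk targets `unstable`, but the version `1.2.24+ds1-1+deb12u3` is a bookworm update and the previous stanza below uses `bookworm-security`; the distribution field should match the suite this is actually uploaded to. Two description nits in the same stanza: the CVE-2024-31459 entry names `lib/plugin.php` while the patch further down touches `lib/plugins.php`, and the CVE-2024-34340 entry (copied from the advisory) says `password_verify` and `password_hash` are supported on PHP < 5.5.0, which should read PHP >= 5.5.0.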
diff -Nru cacti-1.2.24+ds1/debian/patches/0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch cacti-1.2.24+ds1/debian/patches/0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch
--- cacti-1.2.24+ds1/debian/patches/0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,94 @@
+From: Petr Macek <petr.macek@kostax.cz>
+Date: Sun, 7 Apr 2024 16:25:58 +0200
+Subject: CVE-2024-25641: Merge pull request from GHSA-7cmj-g5qc-pj88
+
+* QA: Fixing Package Import CVE
+
+For now, we will only accept the Cacti public keys until such time as we are a registered CNA and have the ability to verify third parties or we make other arrangements.
+
+* QA: The keys in our package have trailing spaces
+
+[description]
+Cacti provides an operational monitoring and fault management
+framework. Prior to version 1.2.27, an arbitrary file write
+vulnerability, exploitable through the "Package Import" feature,
+allows authenticated users having the "Import Templates" permission to
+execute arbitrary PHP code on the web server. The vulnerability is
+located within the `import_package()` function defined into the
+`/lib/import.php` script. The function blindly trusts the filename and
+file content provided within the XML data, and writes such files into
+the Cacti base path (or even outside, since path traversal sequences
+are not filtered). This can be exploited to write or overwrite
+arbitrary files on the web server, leading to execution of arbitrary
+PHP code or other security impacts. Version 1.2.27 contains a patch
+for this issue.
+
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-25641
+origin: backport, https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
+---
+ lib/import.php | 19 ++++++++++++++-----
+ package_import.php | 2 ++
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
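Review bot: the commit message line `For now, we will only accept the Cacti public keys ...` describes a signing-key restriction that is not in this diff, which only adds a directory check in `lib/import.php` and a status label in `package_import.php`; either record in a `[backport]` section (as patch 0035 does) that the key handling was not backported, or drop those lines so a reader does not assume signature verification is now enforced.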
+diff --git a/lib/import.php b/lib/import.php
+index c1320c8..fc4e3ad 100644
+--- a/lib/import.php
++++ b/lib/import.php
+@@ -510,14 +510,20 @@ function import_package($xmlfile, $profile_id = 1, $remove_orphans = false, $rep
+ $fdata = base64_decode($f['data']);
+ $name = $f['name'];
+
++ /* The xml file without path is the main template of the package. It is processed below using $debug_data */
+ if (strpos($name, 'scripts/') !== false || strpos($name, 'resource/') !== false) {
+ $filename = $config['base_path'] . "/$name";
+-
+ if (!$preview) {
+- if (!cacti_sizeof($import_files) || in_array($name, $import_files)) {
+- cacti_log('Writing file: ' . $filename, false, 'IMPORT', POLLER_VERBOSITY_MEDIUM);
++ if (!cacti_sizeof($import_files) || in_array($name, $import_files, true)) {
++ cacti_log('Checking filepath: ' . $filename, false, 'IMPORT', POLLER_VERBOSITY_MEDIUM);
++
++ if (!preg_match('/^(scripts|resource)[a-zA-Z0-9_\-\/]*$/', dirname($name))) {
++ cacti_log('FATAL: Incorrect path: ' . $filename, true, 'IMPORT', POLLER_VERBOSITY_LOW);
++
++ $filestatus[$filename] = __('incorrect path, file not saved');
++ } elseif ((is_writeable(dirname($filename)) && !file_exists($filename)) || is_writable($filename)) {
++ cacti_log('Writing file: ' . $filename, false, 'IMPORT', POLLER_VERBOSITY_MEDIUM);
+
+- if ((is_writeable(dirname($filename)) && !file_exists($filename)) || is_writable($filename)) {
+ $file = fopen($filename, 'wb');
+
+ if (is_resource($file)) {
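Review bot: the new `preg_match('/^(scripts|resource)[a-zA-Z0-9_\-\/]*$/', dirname($name))` only constrains the directory part; `basename($name)` is still written unchanged, so an importer with the Import Templates permission can still drop a file with any name and extension (a `.php` file, for example) under `scripts/` or `resource/`. Whether that is reachable through the web server depends on the vhost configuration, so consider also validating the basename against a character whitelist and rejecting executable extensions, and state the residual assumption in the patch description. The dot is correctly absent from the character class, so `..` components are rejected, and the anchored match on `dirname()` closes the traversal that the substring check `strpos($name, 'scripts/')` above never did.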
+@@ -549,7 +555,9 @@ function import_package($xmlfile, $profile_id = 1, $remove_orphans = false, $rep
+ $existing = md5_file($filename);
+ }
+
+- if (is_writeable(dirname($filename))) {
++ if (!preg_match('/^(scripts|resource)[a-zA-Z0-9_\-\/]*$/', dirname($name))) {
++ $filestatus[$filename] = 'incorrect path';
++ } elseif (is_writeable(dirname($filename))) {
+ if (file_exists($filename) && is_writable($filename)) {
+ if ($new == $existing) {
+ $filestatus[$filename] = 'writable, identical';
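Review bot: the same regex is pasted a second time here for the preview branch; pull it into a small helper (or a constant) so the preview decision and the write decision in the hunk above cannot drift apart. The status literal also differs between the two branches, `'incorrect path'` here versus `__('incorrect path, file not saved')` above, and `package_import.php` later matches on the exact untranslated string `'incorrect path'`, so keep the compared value untranslated and identical in both places.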
+@@ -576,6 +584,7 @@ function import_package($xmlfile, $profile_id = 1, $remove_orphans = false, $rep
+ } else {
+ $filestatus[$filename] = 'not writable, new';
+ }
++
+ }
+ } else {
+ if (!$preview) {
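Review bot: this hunk only adds a blank line after the `else` branch; it is whitespace churn unrelated to the CVE and can be dropped from the backport to keep the patch minimal and easier to rebase.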
+diff --git a/package_import.php b/package_import.php
+index 797350d..84b432e 100644
+--- a/package_import.php
++++ b/package_import.php
+@@ -546,6 +546,8 @@ function import_display_package_data($templates, $files, $package_name, $xmlfile
+ $nstatus .= ($nstatus != '' ? ', ':'') . __('Writable');
+ } elseif ($s == 'new') {
+ $nstatus .= ($nstatus != '' ? ', ':'') . __('New');
++ } elseif ($s == 'incorrect path') {
++ $nstatus .= ($nstatus != '' ? ', ':'') . __('Incorrect path, will not be imported');
+ } else {
+ $nstatus .= ($nstatus != '' ? ', ':'') . __('Unknown');
+ }
diff -Nru cacti-1.2.24+ds1/debian/patches/0027-1-2-CVE-2024-29894-Merge-pull-request-from-GHSA-grj5.patch cacti-1.2.24+ds1/debian/patches/0027-1-2-CVE-2024-29894-Merge-pull-request-from-GHSA-grj5.patch
--- cacti-1.2.24+ds1/debian/patches/0027-1-2-CVE-2024-29894-Merge-pull-request-from-GHSA-grj5.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0027-1-2-CVE-2024-29894-Merge-pull-request-from-GHSA-grj5.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,46 @@
+From: Beuc <beuc@beuc.net>
+Date: Sun, 7 Apr 2024 16:06:56 +0200
+Subject: [1/2] CVE-2024-29894 Merge pull request from GHSA-grj5-8fcj-34gh
+
+Cacti contain a residual cross-site scripting vulnerability caused by an
+incomplete fix for CVE-2023-50250. `raise_message_javascript` from
+`lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among
+others). However, it still generates the code out of unescaped PHP
+variables `$title` and `$header`. If those variables contain single
+quotes, they can be used to inject JavaScript code. An attacker
+exploiting this vulnerability could execute actions on behalf of
+other users. This ability to impersonate users could lead to
+unauthorized changes to settings.
+
+[Summary]
+
+CVE-2023-50250, fixed in 1.2.26, can still be triggered with a non-empty file named "');alert(1);('".xml.
+
+[Details]
+
+raise_message_javascript from lib/functions.php now uses purify.js to fix CVE-2023-50250 (among others).
+However it still generates the code out of unescaped PHP variables $title and $header.
+If those variables contain single quotes, they can be used to inject JavaScript code.
+
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh
+origin: https://github.com/Cacti/cacti/commit/9c75f8da5b609d17c8c031fd46362f730358b792
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-29894
+---
+ lib/functions.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/functions.php b/lib/functions.php
+index 89429bd..1d04f9a 100644
+--- a/lib/functions.php
++++ b/lib/functions.php
+@@ -1041,8 +1041,8 @@ function raise_message($message_id, $message = '', $message_level = MESSAGE_LEVE
+ function raise_message_javascript($title, $header, $message) {
+ ?>
+ <script type='text/javascript'>
+- var mixedReasonTitle = DOMPurify.sanitize('<?php print $title;?>');
+- var mixedOnPage = DOMPurify.sanitize('<?php print $header;?>');
++ var mixedReasonTitle = DOMPurify.sanitize(<?php print json_encode($title, JSON_THROW_ON_ERROR);?>);
++ var mixedOnPage = DOMPurify.sanitize(<?php print json_encode($header, JSON_THROW_ON_ERROR);?>);
+ sessionMessage = {
+ message: DOMPurify.sanitize('<?php print $message;?>'),
+ level: MESSAGE_LEVEL_MIXED
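Review bot: `json_encode()` is the right fix for the single-quote break-out, but it is only safe inside `<script>` because PHP escapes `/` as `\/` by default, so a `$title` containing `</script>` cannot terminate the element; pass `JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP` explicitly so that a later `JSON_UNESCAPED_SLASHES` does not silently reopen this. The `message: DOMPurify.sanitize('<?php print $message;?>')` line left as context in this hunk still has the original pattern; it is fixed by the follow-up patch 0028 in this series, which is fine as long as both are always applied together.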
diff -Nru cacti-1.2.24+ds1/debian/patches/0028-2-2-CVE-2024-29894-GHSA-grj5-8fcj-34gh-follow-up-fix.patch cacti-1.2.24+ds1/debian/patches/0028-2-2-CVE-2024-29894-GHSA-grj5-8fcj-34gh-follow-up-fix.patch
--- cacti-1.2.24+ds1/debian/patches/0028-2-2-CVE-2024-29894-GHSA-grj5-8fcj-34gh-follow-up-fix.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0028-2-2-CVE-2024-29894-GHSA-grj5-8fcj-34gh-follow-up-fix.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,28 @@
+From: Beuc <beuc@beuc.net>
+Date: Sat, 18 May 2024 14:36:41 +0200
+Subject: [2/2] CVE-2024-29894 GHSA-grj5-8fcj-34gh follow-up fix (#5751)
+
+Not sure how this was lost during the back&forth during the
+GHSA process but we missed escaping the 3rd parameter of
+raise_message_javascript().
+
+bug: https://github.com/Cacti/cacti/pull/5751
+origin: https://github.com/Cacti/cacti/pull/5751/commits/7c60ef33e2a87b3047d66f651d7a2a096d108e58
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-29894
+---
+ lib/functions.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/functions.php b/lib/functions.php
+index 1d04f9a..d8460a3 100644
+--- a/lib/functions.php
++++ b/lib/functions.php
+@@ -1044,7 +1044,7 @@ function raise_message_javascript($title, $header, $message) {
+ var mixedReasonTitle = DOMPurify.sanitize(<?php print json_encode($title, JSON_THROW_ON_ERROR);?>);
+ var mixedOnPage = DOMPurify.sanitize(<?php print json_encode($header, JSON_THROW_ON_ERROR);?>);
+ sessionMessage = {
+- message: DOMPurify.sanitize('<?php print $message;?>'),
++ message: DOMPurify.sanitize(<?php print json_encode($message, JSON_THROW_ON_ERROR);?>),
+ level: MESSAGE_LEVEL_MIXED
+ };
+
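Review bot: with `JSON_THROW_ON_ERROR` and no surrounding `try`, any of the three parameters containing malformed UTF-8 (a user-supplied file name, for instance, since the advisory's trigger is a crafted `.xml` file name) now raises an uncaught `JsonException` and aborts the page instead of showing the message; add `JSON_INVALID_UTF8_SUBSTITUTE` to the flags or catch the exception and fall back to a fixed generic message. Escaping the third parameter the same way as the first two is correct and closes the gap the commit message describes.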
diff -Nru cacti-1.2.24+ds1/debian/patches/0029-CVE-2024-31443-Merge-pull-request-from-GHSA-rqc8-78c.patch cacti-1.2.24+ds1/debian/patches/0029-CVE-2024-31443-Merge-pull-request-from-GHSA-rqc8-78c.patch
--- cacti-1.2.24+ds1/debian/patches/0029-CVE-2024-31443-Merge-pull-request-from-GHSA-rqc8-78c.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0029-CVE-2024-31443-Merge-pull-request-from-GHSA-rqc8-78c.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,42 @@
+From: TheWitness <thewitness@cacti.net>
+Date: Sun, 7 Apr 2024 10:08:10 -0400
+Subject: CVE-2024-31443: Merge pull request from GHSA-rqc8-78cm-85j3
+
+some of the data stored in `form_save()` function in
+`data_queries.php` is not thoroughly checked and is used to
+concatenate the HTML statement in `grow_right_pane_tree()` function
+from `lib/html.php` , finally resulting in cross-site scripting.
+
+Co-authored-by: ishgard <ishgard@njust.edu.cn>
+---
+ lib/html_tree.php | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/html_tree.php b/lib/html_tree.php
+index 029c5c7..ed470e6 100644
+--- a/lib/html_tree.php
++++ b/lib/html_tree.php
+@@ -917,6 +917,7 @@ function grow_right_pane_tree($tree_id, $leaf_id, $host_group_data) {
+ WHERE id = ?',
+ array($host_group_data_array[1]));
+
++ $name = html_escape($name);
+ $host_group_data_name = '<strong>' . __('Graph Template:'). '</strong> ' . $name;
+ $graph_template_id = $host_group_data_array[1];
+ } elseif ($host_group_data_array[0] == 'dq') {
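Review bot: the commit message places `grow_right_pane_tree()` in `lib/html.php`, but the diff header shows it lives in `lib/html_tree.php`; fix the description so the tracker entry points at the right file. Escaping `$name` with `html_escape()` immediately before it is concatenated into `$host_group_data_name` is the correct sink-side fix.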
+@@ -925,6 +926,7 @@ function grow_right_pane_tree($tree_id, $leaf_id, $host_group_data) {
+ WHERE id = ?',
+ array($host_group_data_array[1]));
+
++ $name = html_escape($name);
+ $host_group_data_name = '<strong>' . __('Graph Template:') . '</strong> ' . (empty($host_group_data_array[1]) ? __('Non Query Based') : $name);
+ $data_query_id = $host_group_data_array[1];
+ } elseif ($host_group_data_array[0] == 'dqi') {
+@@ -933,6 +935,7 @@ function grow_right_pane_tree($tree_id, $leaf_id, $host_group_data) {
+ WHERE id = ?',
+ array($host_group_data_array[1]));
+
++ $name = html_escape($name);
+ $host_group_data_name = '<strong>' . __('Graph Template:') . '</strong> ' . (empty($host_group_data_array[1]) ? __('Non Query Based') : $name) . '-> ' . (empty($host_group_data_array[2]) ? __('Template Based') : get_formatted_data_query_index($leaf['host_id'], $host_group_data_array[1], $host_group_data_array[2]));
+ $data_query_id = $host_group_data_array[1];
+ $data_query_index = $host_group_data_array[2];
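Review bot: in this branch the string is also built from `get_formatted_data_query_index($leaf['host_id'], ...)`, whose return value is concatenated without `html_escape()`; data query index values come from the polled devices, so unless that function escapes its own output (not visible in this diff), the same stored XSS remains reachable through a hostile device. Please confirm, or wrap that call as well.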
diff -Nru cacti-1.2.24+ds1/debian/patches/0030-CVE-2024-31444-GHSA-p4ch-7hjw-6m87-XSS-vulnerability.patch cacti-1.2.24+ds1/debian/patches/0030-CVE-2024-31444-GHSA-p4ch-7hjw-6m87-XSS-vulnerability.patch
--- cacti-1.2.24+ds1/debian/patches/0030-CVE-2024-31444-GHSA-p4ch-7hjw-6m87-XSS-vulnerability.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0030-CVE-2024-31444-GHSA-p4ch-7hjw-6m87-XSS-vulnerability.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,54 @@
+From: TheWitness <thewitness@cacti.net>
+Date: Tue, 9 Apr 2024 06:59:40 -0400
+Subject: CVE-2024-31444 GHSA-p4ch-7hjw-6m87 XSS vulnerability when reading
+ tree rules with Automation API
+
+some of the data stored in `automation_tree_rules_form_save()`
+function in `automation_tree_rules.php` is not thoroughly checked and
+is used to concatenate the HTML statement in `form_confirm()` function
+from `lib/html.php` , finally resulting in cross-site
+scripting. Version 1.2.27 contains a patch for the issue.
+
+origin: https://github.com/Cacti/cacti/commit/86d614c38c54e0ce58774d86617ecfbb853fb57b
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-31444
+---
+ lib/html.php | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/lib/html.php b/lib/html.php
+index 681aa37..11827c8 100644
+--- a/lib/html.php
++++ b/lib/html.php
+@@ -1631,19 +1631,23 @@ function DrawMatrixHeaderItem($matrix_name, $matrix_text_color, $column_span = 1
+ <?php
+ }
+
+-function form_area($text) { ?>
++function form_area($text) {
++ ?>
+ <tr>
+ <td class='textArea'>
+- <?php print $text;?>
++ <?php print html_escape($text);?>
+ </td>
+ </tr>
+-<?php }
++ <?php
++}
+
+-/* is_console_page - determines if current passed url is considered to be
+- a console page
+- @arg url - url to be checked
+- @returns true if console page, false if not
+-*/
++/**
++ * is_console_page - determines if current passed url is considered to be a console page
++ *
++ * @param url - url to be checked
++ *
++ * @return true if console page, false if not
++ */
+ function is_console_page($url) {
+ global $menu;
+
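Review bot: `form_area()` now runs `html_escape()` on its whole argument, so any existing caller that passes intentional markup (a `<br>` or `<strong>` in a confirmation text built by `form_confirm()`, which the description names as the sink) will render literal tags after this change; grep the callers in 1.2.24 before backporting, and if some need markup, escape only the user-controlled fragment at the caller instead. The rewrite of the `is_console_page` comment into a docblock is unrelated churn and should be left out of the backport.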
diff -Nru cacti-1.2.24+ds1/debian/patches/0031-CVE-2024-31445-GHSA-vjph-r677-6pcc-SQL-injection-vul.patch cacti-1.2.24+ds1/debian/patches/0031-CVE-2024-31445-GHSA-vjph-r677-6pcc-SQL-injection-vul.patch
--- cacti-1.2.24+ds1/debian/patches/0031-CVE-2024-31445-GHSA-vjph-r677-6pcc-SQL-injection-vul.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0031-CVE-2024-31445-GHSA-vjph-r677-6pcc-SQL-injection-vul.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,33 @@
+From: TheWitness <thewitness@cacti.net>
+Date: Sun, 7 Apr 2024 10:24:07 -0400
+Subject: CVE-2024-31445 GHSA-vjph-r677-6pcc SQL injection vulnerability
+
+A SQL injection vulnerability in `automation_get_new_graphs_sql`
+function of `api_automation.php` allows authenticated users to exploit
+these SQL injection vulnerabilities to perform privilege escalation
+and remote code execution. In `api_automation.php` line 856, the
+`get_request_var('filter')` is being concatenated into the SQL
+statement without any sanitization. In `api_automation.php` line 717,
+The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no
+filter for it
+
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
+origin: https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-31445
+---
+ lib/api_automation.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/api_automation.php b/lib/api_automation.php
+index a93b188..78d15ad 100644
+--- a/lib/api_automation.php
++++ b/lib/api_automation.php
+@@ -1566,7 +1566,7 @@ function build_graph_object_sql_having($rule, $filter) {
+ $i = 0;
+
+ foreach($field_names as $column) {
+- $sql_having .= ($i == 0 ? '':' OR ') . '`' . implode('`.`', explode('.', $column['field_name'])) . '`' . ' LIKE "%' . $filter . '%"';
++ $sql_having .= ($i == 0 ? '':' OR ') . '`' . implode('`.`', explode('.', $column['field_name'])) . '`' . ' LIKE ' . db_qstr('%' . $filter . '%');
+ $i++;
+ }
+
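Review bot: the description cites `automation_get_new_graphs_sql()` at lines 856 and 717 of `api_automation.php`, but this hunk changes `build_graph_object_sql_having()` around line 1566 of `lib/api_automation.php`; state in the patch header which call path the backported hunk covers so the tracker entry is verifiable. `db_qstr()` quotes the value so the injection is closed, but `%` and `_` inside `$filter` remain LIKE wildcards, which is harmless here and worth a one-line comment.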
diff -Nru cacti-1.2.24+ds1/debian/patches/0032-CVE-2024-31458-GHSA-jrxg-8wh8-943x-SQL-injection.patch cacti-1.2.24+ds1/debian/patches/0032-CVE-2024-31458-GHSA-jrxg-8wh8-943x-SQL-injection.patch
--- cacti-1.2.24+ds1/debian/patches/0032-CVE-2024-31458-GHSA-jrxg-8wh8-943x-SQL-injection.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0032-CVE-2024-31458-GHSA-jrxg-8wh8-943x-SQL-injection.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,39 @@
+From: TheWitness <thewitness@cacti.net>
+Date: Sun, 7 Apr 2024 10:28:28 -0400
+Subject: CVE-2024-31458 GHSA-jrxg-8wh8-943x SQL injection
+
+some of the data stored in `form_save()` function in `graph_template_inputs.php` is
+not thoroughly checked and is used to concatenate the SQL statement in
+`draw_nontemplated_fields_graph_item()` function from
+`lib/html_form_templates.php` , finally resulting in SQL injection.
+
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x
+origin: https://github.com/Cacti/cacti/commit/9e87882007b6091171d1a4786f0de4ae20efef7b
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-31458
+---
+ lib/html_form_template.php | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/html_form_template.php b/lib/html_form_template.php
+index 635c68c..5478248 100644
+--- a/lib/html_form_template.php
++++ b/lib/html_form_template.php
+@@ -156,6 +156,18 @@ function draw_nontemplated_fields_graph_item($graph_template_id, $local_graph_id
+
+ if (cacti_sizeof($input_item_list)) {
+ foreach ($input_item_list as $item) {
++ if (!db_column_exists('graph_templates_item', $item['column_name'])) {
++ raise_message_javascript(
++ __('Attempted SQL Injection'),
++ __('There was a SQL Injection attempted on the page'),
++ __('A client attempted to create a SQL Injection into Cacti likely from an external host with the address %s', get_client_addr())
++ );
++
++ cacti_log(sprintf('ERROR: A client attempted to create a SQL Injection into Cacti likely from an external host with the address %s', get_client_addr()), false, 'SECURITY');
++
++ exit;
++ }
++
+ $form_array = array();
+
+ if (!empty($local_graph_id)) {
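Review bot: the `db_column_exists('graph_templates_item', $item['column_name'])` check rejects the tainted value only at the rendering sink, while the description says it is stored by `form_save()` in `graph_template_inputs.php`; the stored value stays in the database and may be read by other code paths, so add the same validation where it is saved. The `exit` after `raise_message_javascript()` also aborts mid-page; a `return` after raising the message would degrade more gracefully. Minor: the header says `lib/html_form_templates.php`, the diff touches `lib/html_form_template.php`.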
diff -Nru cacti-1.2.24+ds1/debian/patches/0033-CVE-2024-31459-GHSA-cx8g-hvq8-p2rv-remote-code-execu.patch cacti-1.2.24+ds1/debian/patches/0033-CVE-2024-31459-GHSA-cx8g-hvq8-p2rv-remote-code-execu.patch
--- cacti-1.2.24+ds1/debian/patches/0033-CVE-2024-31459-GHSA-cx8g-hvq8-p2rv-remote-code-execu.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0033-CVE-2024-31459-GHSA-cx8g-hvq8-p2rv-remote-code-execu.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,30 @@
+From: TheWitness <thewitness@cacti.net>
+Date: Sun, 7 Apr 2024 10:28:13 -0400
+Subject: CVE-2024-31459 GHSA-cx8g-hvq8-p2rv remote code execution
+
+There is a file inclusion issue in the lib/plugin.php file.
+Combined with SQL injection vulnerabilities, RCE can be implemented.
+
+origin: https://github.com/Cacti/cacti/commit/96d9a4c60693d87ba0e347f1c7d33047b4effc61
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-31459
+---
+ lib/plugins.php | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/plugins.php b/lib/plugins.php
+index 8b91c6a..000cb6d 100644
+--- a/lib/plugins.php
++++ b/lib/plugins.php
+@@ -73,6 +73,11 @@ function api_plugin_hook($name) {
+
+ if (!empty($result)) {
+ foreach ($result as $hdata) {
++ // Security check
++ if (strpos($hdata['file'], '..') !== false) {
++ cacti_log("ERROR: Attempted inclusion of not plugin file $plugin_file from $plugin_name with the hook name $name", false, 'SECURITY');
++ continue;
++ }
+ if (!in_array($hdata['name'], $plugins_integrated, true)) {
+ if (file_exists($config['base_path'] . '/plugins/' . $hdata['name'] . '/' . $hdata['file'])) {
+ include_once($config['base_path'] . '/plugins/' . $hdata['name'] . '/' . $hdata['file']);
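Review bot: the `cacti_log()` call interpolates `$plugin_file` and `$plugin_name`, neither of which exists in this scope (the loop variable is `$hdata`, with the values in `$hdata['file']` and `$hdata['name']`), so the SECURITY log entry will contain empty strings and PHP will emit undefined-variable warnings; use `$hdata['file']` and `$hdata['name']`. The `..` check also only covers `$hdata['file']`, while `$hdata['name']` is concatenated into the same `include_once` path from the same database row; apply the same check (or better, a `[A-Za-z0-9_]` whitelist) to both. The patch header names `lib/plugin.php`; the file is `lib/plugins.php`.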
diff -Nru cacti-1.2.24+ds1/debian/patches/0034-CVE-2024-31460-GHSA-gj3f-p326-gh8r-SQL-injection.patch cacti-1.2.24+ds1/debian/patches/0034-CVE-2024-31460-GHSA-gj3f-p326-gh8r-SQL-injection.patch
--- cacti-1.2.24+ds1/debian/patches/0034-CVE-2024-31460-GHSA-gj3f-p326-gh8r-SQL-injection.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0034-CVE-2024-31460-GHSA-gj3f-p326-gh8r-SQL-injection.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,70 @@
+From: TheWitness <thewitness@cacti.net>
+Date: Sun, 7 Apr 2024 10:27:22 -0400
+Subject: CVE-2024-31460 GHSA-gj3f-p326-gh8r SQL injection
+
+some of the data stored in `automation_tree_rules.php` is not
+thoroughly checked and is used to concatenate the SQL statement in
+`create_all_header_nodes()` function from `lib/api_automation.php` ,
+finally resulting in SQL injection. Using SQL based secondary
+injection technology, attackers can modify the contents of the Cacti
+database, and based on the modified content, it may be possible to
+achieve further impact, such as arbitrary file reading, and even
+remote code execution through arbitrary file writing
+
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
+origin: https://github.com/Cacti/cacti/commit/8b516cb9a73322ad532231e74000c2ee097b495e
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-31460
+---
+ lib/api_automation.php | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/api_automation.php b/lib/api_automation.php
+index 78d15ad..f25f223 100644
+--- a/lib/api_automation.php
++++ b/lib/api_automation.php
+@@ -1136,7 +1136,7 @@ function display_matching_trees ($rule_id, $rule_type, $item, $url) {
+ if ($leaf_type == TREE_ITEM_TYPE_HOST) {
+ $sql_tables = 'FROM host AS h
+ LEFT JOIN host_template AS ht
+- ON (h.host_template_id=ht.id)';
++ ON (h.host_template_id = ht.id)';
+
+ $sql_where = 'WHERE h.deleted = ""';
+ } elseif ($leaf_type == TREE_ITEM_TYPE_GRAPH) {
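Review bot: this hunk only changes spacing in `ON (h.host_template_id = ht.id)`; it is cosmetic and unrelated to the fix, so drop it from the backport.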
+@@ -1185,7 +1185,14 @@ function display_matching_trees ($rule_id, $rule_type, $item, $url) {
+ $sql_filter = build_matching_objects_filter($rule_id, AUTOMATION_RULE_TYPE_TREE_MATCH);
+
+ $templates = array();
+- $sql_field = $item['field'] . ' AS source ';
++
++ if (api_automation_column_exists($item['field'], array('host', 'host_template', 'graph_local', 'graph_templates_graph', 'graph_templates'))) {
++ $sql_field = $item['field'] . ' AS source ';
++ } else {
++ $sql_field = '"SQL Injection" AS source ';
++ cacti_log('Attempted SQL Injection found in Tree Automation for the field variable.', false, 'AUTOM8');
++ raise_message('sql_injection', __('Attempted SQL Injection found in Tree Automation for the field variable.'), MESSAGE_LEVEL_ERROR);
++ }
+
+ /* now we build up a new query for counting the rows */
+ $rows_query = "SELECT h.id AS host_id, h.hostname, h.description,
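Review bot: on a rejected field the code substitutes `'"SQL Injection" AS source '` and then continues to build and execute the row query; returning from `display_matching_trees()` right after `raise_message()` would be simpler and avoids running a query whose only purpose is to display the placeholder. Also, the description says the stored value is consumed by `create_all_header_nodes()`, but only `display_matching_trees()` is patched here; confirm the backport also validates `$item['field']` before it reaches that function.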
+@@ -1271,6 +1278,20 @@ function display_matching_trees ($rule_id, $rule_type, $item, $url) {
+ print "</form>\n";
+ }
+
++function api_automation_column_exists($column, $tables) {
++ $column = str_replace(array('h.', 'ht.', 'gt.', 'gl.', 'gtg.'), '', 1);
++
++ if (cacti_sizeof($tables)) {
++ foreach($tables as $table) {
++ if (db_column_exists($table, $column)) {
++ return true;
++ }
++ }
++ }
++
++ return false;
++}
++
+ function display_match_rule_items($title, $rule_id, $rule_type, $module) {
+ global $automation_op_array, $automation_oper, $automation_tree_header_types;
+
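Review bot: `str_replace(array('h.', 'ht.', 'gt.', 'gl.', 'gtg.'), '', 1)` applies the replacement to the integer `1` instead of `$column`, so `$column` always becomes the string `"1"`, `db_column_exists()` never matches, and every tree rule field is reported as an attempted SQL injection; the third argument must be `$column`. While fixing it, strip only a leading alias (for example `preg_replace('/^(h|ht|gt|gl|gtg)\./', '', $column)`) rather than removing those substrings anywhere in the name, and check the result against a `[A-Za-z0-9_]+` pattern before consulting the schema.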
diff -Nru cacti-1.2.24+ds1/debian/patches/0035-CVE-2024-34340-GHSA-37x7-mfjv-mm7m-type-juggling-vul.patch cacti-1.2.24+ds1/debian/patches/0035-CVE-2024-34340-GHSA-37x7-mfjv-mm7m-type-juggling-vul.patch
--- cacti-1.2.24+ds1/debian/patches/0035-CVE-2024-34340-GHSA-37x7-mfjv-mm7m-type-juggling-vul.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/0035-CVE-2024-34340-GHSA-37x7-mfjv-mm7m-type-juggling-vul.patch 2024-08-11 17:28:54.000000000 +0000
@@ -0,0 +1,38 @@
+From: TheWitness <thewitness@cacti.net>
+Date: Tue, 7 May 2024 12:57:11 -0400
+Subject: CVE-2024-34340 GHSA-37x7-mfjv-mm7m type juggling vulnerability
+
+Cacti calls `compat_password_hash` when users set their
+password. `compat_password_hash` use `password_hash` if there is it,
+else use `md5`. When verifying password, it calls
+`compat_password_verify`. In `compat_password_verify`,
+`password_verify` is called if there is it, else use
+`md5`. `password_verify` and `password_hash` are supported on PHP <
+5.5.0, following PHP manual. The vulnerability is in
+`compat_password_verify`. Md5-hashed user input is compared with
+correct password in database by `$md5 == $hash`. It is a loose
+comparison, not `===`. It is a type juggling vulnerability
+
+[backport]
+Drop changelog and french translation update
+
+origin: backport, https://github.com/Cacti/cacti/commit/6183961089980322dfd9fd8011ade0f41703eaea
+bug: https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-34340
+---
+ lib/auth.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/auth.php b/lib/auth.php
+index 5e43d0e..5cc193c 100644
+--- a/lib/auth.php
++++ b/lib/auth.php
+@@ -4403,7 +4403,7 @@ function compat_password_verify($password, $hash) {
+
+ $md5 = md5($password);
+
+- return ($md5 == $hash);
++ return ($md5 === $hash);
+ }
+
+ /**
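Review bot: `===` closes the type juggling (with `==`, two hashes of the form `0e` followed only by digits compare equal because PHP treats them as numeric strings), but `hash_equals($hash, $md5)` would do the same in constant time and is the idiom for comparing digests. This branch is only reached when `password_verify()` is unavailable, which is not the case on bookworm's PHP, so the practical impact is low; the description's statement that `password_verify` and `password_hash` are supported on PHP < 5.5.0 is inverted and should read >= 5.5.0.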
diff -Nru cacti-1.2.24+ds1/debian/patches/series cacti-1.2.24+ds1/debian/patches/series
--- cacti-1.2.24+ds1/debian/patches/series 2024-03-15 09:53:35.000000000 +0000
+++ cacti-1.2.24+ds1/debian/patches/series 2024-08-11 17:28:54.000000000 +0000
@@ -18,9 +18,18 @@
CVE-2023-39365.patch
0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch
0001-Fixing-5318-Additional-XSS-in-Cacti.patch
-
CVE-2023-39513.patch
CVE-2023-49084.patch
CVE-2023-49085.patch
CVE-2023-49086.patch
CVE-2023-49088,50250,50569.patch
+0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch
+0027-1-2-CVE-2024-29894-Merge-pull-request-from-GHSA-grj5.patch
+0028-2-2-CVE-2024-29894-GHSA-grj5-8fcj-34gh-follow-up-fix.patch
+0029-CVE-2024-31443-Merge-pull-request-from-GHSA-rqc8-78c.patch
+0030-CVE-2024-31444-GHSA-p4ch-7hjw-6m87-XSS-vulnerability.patch
+0031-CVE-2024-31445-GHSA-vjph-r677-6pcc-SQL-injection-vul.patch
+0032-CVE-2024-31458-GHSA-jrxg-8wh8-943x-SQL-injection.patch
+0033-CVE-2024-31459-GHSA-cx8g-hvq8-p2rv-remote-code-execu.patch
+0034-CVE-2024-31460-GHSA-gj3f-p326-gh8r-SQL-injection.patch
+0035-CVE-2024-34340-GHSA-37x7-mfjv-mm7m-type-juggling-vul.patch
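Review bot: the deletion of the blank line between `0001-Fixing-5318-Additional-XSS-in-Cacti.patch` and `CVE-2023-39513.patch` is unrelated to this upload; keep the series diff to the ten appended entries. Numbering the new patches `0026` to `0035` and carrying the GHSA id in each name is consistent with the existing `00NN-` entries, which is fine.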