Bug#1106692: marked as done (unblock: nagvis/1:1.9.47-1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 28 May 2025 11:28:46 +0000
with message-id <E1uKExi-004zpI-2s@respighi.debian.org>
and subject line unblock nagvis
has caused the Debian Bug report #1106692,
regarding unblock: nagvis/1:1.9.47-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106692: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106692
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: nagvis/1:1.9.47-1
• From: Bas Couwenberg <sebastic@xs4all.nl>
• Date: Wed, 28 May 2025 05:42:16 +0200
• Message-id: <[🔎] 174840373613.3996168.5547071209774060973.reportbug@osiris.linuxminded.xs4all.nl>

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: nagvis@packages.debian.org
Control: affects -1 + src:nagvis
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nagvis

The CVEs fixed in 1.9.47 were not marked no-dsa as I had expected.

[ Reason ]
The security team filed #1106686 to get the CVE fixes into trixie.

[ Impact ]
Unfixed security issues.

[ Tests ]
None

[ Risks ]
Low, has few users.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
N/A

unblock nagvis/1:1.9.47-1

Kind Regards,

Bas

diff -Nru nagvis-1.9.46/ChangeLog nagvis-1.9.47/ChangeLog
--- nagvis-1.9.46/ChangeLog	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/ChangeLog	2025-05-23 08:56:15.000000000 +0200
@@ -1,3 +1,10 @@
+1.9.47
+  * FIX: Don't show complete backtrace if crashing. Now the backtrace is being logged to the apache error log
+  * FIX: Fix potential XSS via WYSIWYG editor. Now the option to edit these such elements is moved to a specific
+   permission and only administrators can use this editor per default. (CVE-2024-47090)
+  * FIX: Fix possible livestatus injection via dynmaps (CVE-2024-38866) (#398 Thanks to Shortfinga)
+   (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L)
+
 1.9.46
   * Feature: add option to verify session cookie via curl. Before when having allow_url_fopen
     disabled, NagVis was not able to verify the session cookie. Now you can use curl to verify
diff -Nru nagvis-1.9.46/debian/changelog nagvis-1.9.47/debian/changelog
--- nagvis-1.9.46/debian/changelog	2025-04-05 13:34:03.000000000 +0200
+++ nagvis-1.9.47/debian/changelog	2025-05-28 05:34:26.000000000 +0200
@@ -1,3 +1,19 @@
+nagvis (1:1.9.47-1) unstable; urgency=medium
+
+  * Team upload.
+  * Move from experimental to unstable.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Wed, 28 May 2025 05:34:26 +0200
+
+nagvis (1:1.9.47-1~exp1) experimental; urgency=medium
+
+  * Team upload.
+  * New upstream release.
+    Fixes: CVE-2024-38866 & CVE-2024-47090.
+  * Add Catalan debconf translation by Carles Pina i Estany.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Fri, 23 May 2025 15:10:32 +0200
+
 nagvis (1:1.9.46-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru nagvis-1.9.46/debian/po/ca.po nagvis-1.9.47/debian/po/ca.po
--- nagvis-1.9.46/debian/po/ca.po	1970-01-01 01:00:00.000000000 +0100
+++ nagvis-1.9.47/debian/po/ca.po	2025-05-23 15:08:01.000000000 +0200
@@ -0,0 +1,72 @@
+# Catalan translation of nagvis's debconf messages
+# Copyright © 2025 Free Software Foundation, Inc.
+# This file is distributed under the same license as the nagvis package.
+# poc senderi <pocsenderi@protonmail.com>, 2025.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: nagvis\n"
+"Report-Msgid-Bugs-To: nagvis@packages.debian.org\n"
+"POT-Creation-Date: 2020-01-21 20:05+0100\n"
+"PO-Revision-Date: 2025-04-03 21:25+0200\n"
+"Last-Translator: poc senderi <pocsenderi@protonmail.com>\n"
+"Language-Team: Catalan <debian-l10n-catalan@lists.debian.org>\n"
+"Language: ca\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 2.4.2\n"
+
+#. Type: select
+#. Choices
+#: ../nagvis.templates:2001
+msgid "shinken"
+msgstr "shinken"
+
+#. Type: select
+#. Description
+#: ../nagvis.templates:2002
+msgid "Monitoring suite used with NagVis:"
+msgstr "Suite de monitorització utilitzada amb el NagVis:"
+
+#. Type: select
+#. Description
+#: ../nagvis.templates:2002
+msgid ""
+"The NagVis package supports Icinga as well as Nagios, using the check-mk-"
+"live broker backend."
+msgstr ""
+"El paquet NagVis és compatible amb l'Icinga i amb el Nagios, utilitzant el "
+"dorsal intermediari «check-mk-live»."
+
+#. Type: select
+#. Description
+#: ../nagvis.templates:2002
+msgid ""
+"If you would like to use NagVis with a different backend or a different "
+"monitoring suite, please choose \"other\". You'll have to configure it "
+"manually."
+msgstr ""
+"Si voleu utilitzar el NagVis amb un dorsal diferent o amb una suite de "
+"monitorització diferent, trieu «other». S'haurà de configurar manualment."
+
+#. Type: boolean
+#. Description
+#: ../nagvis.templates:3001
+msgid "Delete NagVis data when purging the package?"
+msgstr "Voleu suprimir les dades del NagVis al purgar el paquet?"
+
+#. Type: boolean
+#. Description
+#: ../nagvis.templates:3001
+msgid ""
+"NagVis creates files in /var/{cache,lib}/nagvis and /etc/nagvis (for "
+"instance background images and map files), including a small database for "
+"authentification. If you don't need any of these files, they can be removed "
+"now, or you may want to keep them and clean up by hand later."
+msgstr ""
+"El NagVis crea fitxers a «/var/{cache,lib}/nagvis» i a «/etc/nagvis» (per "
+"exemple, imatges de fons i fitxers de mapa), incloent una petita base de "
+"dades per a l'autenticació. Si no necessiteu cap d'aquests fitxers, es "
+"poden eliminar ara, o també és possible que mantenir-los i fer neteja "
+"manualment més endavant."
diff -Nru nagvis-1.9.46/share/server/core/classes/CoreAuthorisationHandler.php nagvis-1.9.47/share/server/core/classes/CoreAuthorisationHandler.php
--- nagvis-1.9.46/share/server/core/classes/CoreAuthorisationHandler.php	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/classes/CoreAuthorisationHandler.php	2025-05-23 08:56:15.000000000 +0200
@@ -53,6 +53,7 @@
             'createObject' => 'edit',
             'deleteObject' => 'edit',
             'addModify' => 'edit',
+            'editHtml' => 'edit',
         ),
         'Overview' => Array(
             'getOverviewRotations' => 'view',
diff -Nru nagvis-1.9.46/share/server/core/classes/GlobalMapCfg.php nagvis-1.9.47/share/server/core/classes/GlobalMapCfg.php
--- nagvis-1.9.46/share/server/core/classes/GlobalMapCfg.php	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/classes/GlobalMapCfg.php	2025-05-23 08:56:15.000000000 +0200
@@ -800,7 +800,7 @@
         if(isset($params['source_file']))
             unset($params['source_file']);
         $param_values = $this->paramsToString($params);
-        $cacheFile = cfg('paths','var').'source-'.$this->name.'.cfg-'.$param_values.'-'.$this->isView.'-'.CONST_VERSION.'.cache';
+        $cacheFile = cfg('paths','var').'source-'.$this->name.'.cfg-'.sha1($param_values.'-'.$this->isView.'-'.CONST_VERSION).'.cache';
         $CACHE = new GlobalFileCache(array(), $cacheFile);
 
         // 2a. Check if the cache file exists
diff -Nru nagvis-1.9.46/share/server/core/classes/ViewMapAddModify.php nagvis-1.9.47/share/server/core/classes/ViewMapAddModify.php
--- nagvis-1.9.46/share/server/core/classes/ViewMapAddModify.php	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/classes/ViewMapAddModify.php	2025-05-23 08:56:15.000000000 +0200
@@ -116,6 +116,11 @@
         $perm_user   = get_checkbox('perm_user');
         $show_dialog = false;
 
+        global $AUTHORISATION;
+        if(!$AUTHORISATION->isPermitted('Map', 'editHtml', '*')) {
+            throw new NagVisException(l('Cannot edit HTML. Please contact your administrator'));
+        }
+
         // Modification/Creation?
         // The object_id is known on modification. When it is not known 'type' is set
         // to create new objects
diff -Nru nagvis-1.9.46/share/server/core/defines/global.php nagvis-1.9.47/share/server/core/defines/global.php
--- nagvis-1.9.46/share/server/core/defines/global.php	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/defines/global.php	2025-05-23 08:56:15.000000000 +0200
@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.46');
+define('CONST_VERSION', '1.9.47');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports
diff -Nru nagvis-1.9.46/share/server/core/functions/html.php nagvis-1.9.47/share/server/core/functions/html.php
--- nagvis-1.9.46/share/server/core/functions/html.php	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/functions/html.php	2025-05-23 08:56:15.000000000 +0200
@@ -271,6 +271,11 @@
     if (submitted($form_name))
         $default = post($name, $default);
 
+    global $AUTHORISATION;
+    if(!$AUTHORISATION->isPermitted('Map', 'editHtml', '*')) {
+        echo '<b>Cannot edit HTML. Please contact your administrator.</b>';
+        return;
+    }
     // plain <textarea>
     echo '<textarea id="textarea_'.$name.'" name="'.$name.'"'.$class.$style.'>'.escape_html($default).'</textarea>'.N;
 
diff -Nru nagvis-1.9.46/share/server/core/functions/nagvisErrorHandler.php nagvis-1.9.47/share/server/core/functions/nagvisErrorHandler.php
--- nagvis-1.9.46/share/server/core/functions/nagvisErrorHandler.php	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/functions/nagvisErrorHandler.php	2025-05-23 08:56:15.000000000 +0200
@@ -37,7 +37,9 @@
             echo $OBJ;
         } else {
             echo "Error (".get_class($OBJ)."): ".$OBJ->getMessage();
-            var_dump(debug_backtrace());
+            echo "<br>";
+            echo "For more information check the apache error log.";
+            error_log(print_r(debug_backtrace(), true));
         }
 
         die();
diff -Nru nagvis-1.9.46/share/server/core/sources/dynmap.php nagvis-1.9.47/share/server/core/sources/dynmap.php
--- nagvis-1.9.46/share/server/core/sources/dynmap.php	2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/sources/dynmap.php	2025-05-23 08:56:15.000000000 +0200
@@ -7,7 +7,7 @@
     $objects = array();
 
     $type = $p['dynmap_object_types'];
-    $filter = str_replace('\n', "\n", $p['dynmap_object_filter']);
+    $filter = preg_replace('/(\\\\n)+/', "\n", $p['dynmap_object_filter']);
     foreach($MAPCFG->getValue(0, 'backend_id') AS $backend_id) {
         $ret = $_BACKEND->getBackend($backend_id)->getObjects($type, '', '', $filter);
         // only use the internal names

--- End Message ---

--- Begin Message ---

• To: 1106692-done@bugs.debian.org
• Subject: unblock nagvis
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Wed, 28 May 2025 11:28:46 +0000
• Message-id: <E1uKExi-004zpI-2s@respighi.debian.org>

Unblocked.

--- End Message ---