Hi all, I intend to upload cacti 0.8.7g-1+squeeze6 soon (tomorrow, hopefully). However, due to differences in the mysql version I am not able to test the changes easily myself. I will try to upload the package to some location for testing before, but at this moment I can't find how I can put stuff on e.g. people.debian.org (it must be somewhere in the documentation).
Debdiff attached, package builds correctly. Paul
diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog
--- cacti-0.8.7g/debian/changelog
+++ cacti-0.8.7g/debian/changelog
@@ -1,3 +1,19 @@
+cacti (0.8.7g-1+squeeze6) squeeze-lts; urgency=high
+
+ * Security update
+ - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
+ before 0.8.8d allows remote attackers to inject arbitrary web script
+ or HTML via unspecified vectors.
+ - CVE-2015-4342 SQL Injection and Location header injection from cdef
+ id
+ - CVE-2015-4454 SQL injection vulnerability in the
+ get_hash_graph_template function in lib/functions.php in Cacti before
+ 0.8.8d allows remote attackers to execute arbitrary SQL commands via
+ the graph_template_id parameter to graph_templates.php.
+ - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540
+
+ -- Paul Gevers <elb...@debian.org> Tue, 23 Jun 2015 21:22:55 +0200
+
 cacti (0.8.7g-1+squeeze5) squeeze-lts; urgency=high
 
 * Fix regression caused by fixing CVE-2014-4002 at least plugin autom8
diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series
--- cacti-0.8.7g/debian/patches/series
+++ cacti-0.8.7g/debian/patches/series
@@ -22,0 +23,4 @@
+CVE-2015-2665_XSS_in_graphs.php.patch
+CVE-2015-4342_SQL_injection_in_cdef.php.patch
+CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
+CVE-2015-XXXX_SQL_injection_in_tab.patch
only in patch2: unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch
@@ -0,0 +1,18 @@
+Description: CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
+ before 0.8.8d allows remote attackers to inject arbitrary web script
+ or HTML via unspecified vectors.
+Source: http://svn.cacti.net/viewvc/cacti/tags/0.8.8d/graphs.php?r1=7716&r2=7717&view=patch
+
+Index: cacti/graphs.php
+===================================================================
+--- cacti.orig/graphs.php
++++ cacti/graphs.php
+@@ -1325,7 +1325,7 @@ function graph() {
+ /* we're escaping strings here, so no need to escape them on form_selectable_cell */
+ $template_name = ((empty($graph["name"])) ? "<em>None</em>" : htmlspecialchars($graph["name"]));
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $graph["local_graph_id"]); $i++;
+- form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("graphs.php?action=graph_edit&id=" . $graph["local_graph_id"]) . "' title='" . htmlspecialchars($graph["title_cache"]) . "'>" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . "</a>", $graph["local_graph_id"]);
++ form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("graphs.php?action=graph_edit&id=" . $graph["local_graph_id"]) . "' title='" . htmlspecialchars($graph["title_cache"], ENT_QUOTES) . "'>" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . 
"</a>", $graph["local_graph_id"]);
+ form_selectable_cell($graph["local_graph_id"], $graph["local_graph_id"]);
+ form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "<span style='background-color: #F8D93D;'>\\1</span>", $template_name) : $template_name), $graph["local_graph_id"]);
+ form_selectable_cell($graph["height"] . "x" . $graph["width"], $graph["local_graph_id"]);
only in patch2: unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch
@@ -0,0 +1,39 @@
+Description: CVE-2015-4342 SQL Injection and Location header injection
+ from cdef id
+Bug: http://bugs.cacti.net/view.php?id=2571
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7719
+
+Index: cacti/lib/functions.php
+===================================================================
+--- cacti.orig/lib/functions.php
++++ cacti/lib/functions.php
+@@ -1947,6 +1947,9 @@ function get_hash_data_input($data_input
+ @arg $sub_type (optional) return the hash for a particlar sub-type of this type
+ @returns - a 128-bit, hexadecimal hash */
+ function get_hash_cdef($cdef_id, $sub_type = "cdef") {
++ if (! is_numeric($cdef_id)) {
++ $cdef_id = -1;
++ }
+ if ($sub_type == "cdef") {
+ $hash = db_fetch_cell("select hash from cdef where id=$cdef_id");
+ }elseif ($sub_type == "cdef_item") {
+Index: cacti/cdef.php
+===================================================================
+--- cacti.orig/cdef.php
++++ cacti/cdef.php
+@@ -107,6 +107,15 @@ function draw_cdef_preview($cdef_id) {
+ -------------------------- */
+ 
+ function form_save() {
++
++ // make sure ids are numeric
++ if (isset($_POST["id"]) && ! is_numeric($_POST["id"])) {
++ $_POST["id"] = 0;
++ }
++ if (isset($_POST["cdef_id"]) && ! is_numeric($_POST["cdef_id"])) {
++ $_POST["cdef_id"] = 0;
++ }
++
+ if (isset($_POST["save_component_cdef"])) {
+ $save["id"] = $_POST["id"];
+ $save["hash"] = get_hash_cdef($_POST["id"]);
only in patch2: unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
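Review bot: `is_numeric()` is the only guard in both `get_hash_cdef()` and cdef.php's `form_save()`, and it also accepts floats and exponent forms such as `1.5` or `1e3` (and, on the PHP 5 series squeeze uses, hex strings like `0x1A`), which then reach `where id=$cdef_id` unchanged; none of these can break out of the query, so the CVE is closed, but the interpolated value is not pinned to the integer shape the column expects. Casting after the check, `$cdef_id = is_numeric($cdef_id) ? (int) $cdef_id : -1;`, keeps the -1 sentinel and makes the value unambiguous, and the same applies to the two `$_POST` assignments in cdef.php. The guard sits before the `if ($sub_type == "cdef")`, so the `cdef_item` branch that continues past the hunk is covered as well. The `Location` header part of the CVE description is not visible here; presumably it is a later redirect built from `$_POST["id"]`, which is now numeric.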
@@ -0,0 +1,24 @@
+Description: CVE-2015-4454 SQL injection vulnerability in the
+ get_hash_graph_template function in lib/functions.php in Cacti before
+ 0.8.8d allows remote attackers to execute arbitrary SQL commands via
+ the graph_template_id parameter to graph_templates.php.
+Bug: http://bugs.cacti.net/view.php?id=2572
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7720
+
+Index: cacti/graph_templates.php
+===================================================================
+--- cacti.orig/graph_templates.php
++++ cacti/graph_templates.php
+@@ -85,6 +85,12 @@ switch ($_REQUEST["action"]) {
+ -------------------------- */
+ 
+ function form_save() {
++
++ // sanitize ids
++ if (isset($_POST["graph_template_id"]) && ! is_numeric($_POST["graph_template_id"])) {
++ $_POST["graph_template_id"] = 0;
++ }
++
+ if (isset($_POST["save_component_template"])) {
+ $save1["id"] = $_POST["graph_template_id"];
+ $save1["hash"] = get_hash_graph_template($_POST["graph_template_id"]);
only in patch2: unchanged:
--- cacti-0.8.7g.orig/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch
+++ cacti-0.8.7g/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch
@@ -0,0 +1,20 @@
+Description: Unassigned CVE SQL injection vulnerability
+ reported via VN:JVN#78187936 / TN:JPCERT#98968540
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7718
+
+Index: cacti/settings.php
+===================================================================
+--- cacti.orig/settings.php
++++ cacti/settings.php
+@@ -58,6 +58,11 @@ case 'save':
+ default:
+ include("./include/top_header.php");
+ 
++ /* clean up tab string */
++ if (isset($_REQUEST['tab'])) {
++ $_REQUEST['tab'] = sanitize_search_string(get_request_var_request('tab'));
++ }
++
+ /* set the default settings category */
+ if (!isset($_GET["tab"])) {
+ /* there is no selected tab; select the first one */
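Review bot: This patch sanitises `$_POST["graph_template_id"]` only at the `form_save()` entry point in graph_templates.php, whereas the CVE text names `get_hash_graph_template()` in lib/functions.php as the vulnerable function, and the sibling cdef patch guards the library function itself (`get_hash_cdef()`). If any other caller passes a request value into `get_hash_graph_template()`, that path stays reachable; mirroring the cdef guard inside the function (an `is_numeric()` check on its id parameter that falls back to -1) would close it for every caller. I cannot tell from the debdiff whether upstream r7720 also changed functions.php, so this may only need confirming against the referenced revision. form_save() continues outside the hunk.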
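Review bot: The sanitised value is written back to `$_REQUEST['tab']`, but the context line directly below tests `$_GET["tab"]`, so if the code that later builds the query reads `$_GET` (as that line suggests it may) the cleaned copy is never the one used; the later reads are outside the hunk, so this needs confirming. Either guard the other superglobal the same way, `if (isset($_GET['tab'])) { $_GET['tab'] = sanitize_search_string($_GET['tab']); }`, or switch the reads to `$_REQUEST['tab']`. Since `sanitize_search_string()` is, by its name, a cleaner for free-text search input rather than a validator, a comparison against the known tab names would be the tighter guard for a selector value; worth checking what it actually strips before relying on it for SQL. The surrounding `switch` case continues outside the hunk.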