Hi Paul,

> Just in case somebody starts working on it, I'd like to review proposed
> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
> in Debian and a check if the fix by a contributor in the upstream bug
> report is causing other damage. The third CVE has a trivial patch.
I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't know if we are vulnerable or not; maybe we are and the attack needs some changes. In any case, I think the fix is very safe, sanitizing parentheses, so I think we can just ship it. What do you think?

Please see the attached debdiff.

Thanks,
Emilio
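To see concretely what the CVE-2016-3659 patch changes, here is an added Python port of the two str_replace() tables from the lib/functions.php hunk in the debdiff below. This is example code written for this review, not part of the debdiff or of cacti; the rest of sanitize_search_string() is not visible in the hunk and is not modelled, and the sample search strings are constructed. Run on the same input, the old and new tables show that parentheses now collapse to nothing (the other listed characters mostly become spaces) and which punctuation passes through untouched.

```python
import re

# Tables copied from the "-" and "+" lines of the lib/functions.php hunk.
# PHP's str_replace() with array arguments applies the pairs one at a time,
# left to right, on the whole subject string; the loop below reproduces that.
OLD_MATCH = ['^', '$', '<', '>', '`', "'", '"', '|', ',', '?', '+',
             '[', ']', '{', '}', '#', ';', '!', '=', '*']
OLD_REPLACE = [' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ',
               ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ']

# The patch prepends '(' and ')' to the match list and '' , '' to the
# replacement list, so parentheses are deleted rather than turned into spaces.
NEW_MATCH = ['(', ')'] + OLD_MATCH
NEW_REPLACE = ['', ''] + OLD_REPLACE


def sanitize_search_string(string, match, replace):
    """Port of the visible part of cacti's sanitize_search_string():
    line endings become a space, then the blacklist table is applied.
    Assumption: whatever the PHP function does after that is not shown
    in the hunk and is left out here."""
    if len(match) != len(replace):
        raise ValueError("str_replace tables must stay positionally aligned")
    string = re.sub(r'[\n\r]', ' ', string)
    for needle, repl in zip(match, replace):
        string = string.replace(needle, repl)
    return string


def old_sanitize(string):
    """Behaviour before the patch (parentheses untouched)."""
    return sanitize_search_string(string, OLD_MATCH, OLD_REPLACE)


def new_sanitize(string):
    """Behaviour after the patch (parentheses removed)."""
    return sanitize_search_string(string, NEW_MATCH, NEW_REPLACE)


def unfiltered(candidates, match=NEW_MATCH):
    """Return the characters of `candidates` that the table never touches,
    i.e. what still reaches the caller verbatim after sanitizing."""
    return ''.join(c for c in candidates if c not in match)


if __name__ == "__main__":
    # Constructed sample: a search term a user might type into graph_view.php.
    sample = "core-sw01 (uplink) % load"
    print(repr(old_sanitize(sample)))   # parentheses survive the old table
    print(repr(new_sanitize(sample)))   # parentheses are dropped by the new one
    # Punctuation neither version touches; relevant if the result is ever
    # placed inside a SQL LIKE pattern or quoted by hand.
    print(repr(unfiltered("%_\\-/")))
```

Two things worth noticing when reading the output: the new entries map to the empty string, so "a(b)c" becomes "abc" rather than "a b c", which differs from how every non-quote character in the table is handled; and the table is a blacklist, so `%`, `_`, backslash, `-` and `/` are still passed through. Whether that matters depends on how graph_view.php quotes and interpolates the sanitized string, which the debdiff does not show, so it is worth checking at the call site rather than assuming the table alone is sufficient.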
diff -Nru cacti-0.8.8a+dfsg/debian/changelog cacti-0.8.8a+dfsg/debian/changelog --- cacti-0.8.8a+dfsg/debian/changelog 2016-02-24 21:00:15.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/changelog 2016-06-25 21:58:57.000000000 +0200 @@ -1,3 +1,13 @@ +cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=medium + + * Non-maintainer upload. + * debian/patches/CVE-2016-3172-sql-injection.patch + + CVE-2016-3172: Fix sql injection in tree.php. + debian/patches/CVE-2016-3659-sql-injection.patch + + CVE-2016-3659: Fix sql injection in graph_view.php. + + -- Emilio Pozuelo Monfort <po...@debian.org> Sat, 25 Jun 2016 21:57:43 +0200 + cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency=high * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch --- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch 1970-01-01 01:00:00.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch 2016-06-25 21:57:13.000000000 +0200 @@ -0,0 +1,10 @@ +--- a/tree.php 2016/05/08 15:10:45 7804 ++++ a/tree.php 2016/05/08 15:35:30 7805 +@@ -153,6 +153,7 @@ + /* ================= input validation ================= */ + input_validate_input_number(get_request_var("id")); + input_validate_input_number(get_request_var("tree_id")); ++ input_validate_input_number(get_request_var("parent_id")); + /* ==================================================== */ + + if (!empty($_GET["id"])) { diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch --- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch 1970-01-01 01:00:00.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch 2016-06-25 21:57:24.000000000 +0200 
@@ -0,0 +1,13 @@ +--- a/lib/functions.php 2016/03/06 23:29:28 7800 ++++ a/lib/functions.php 2016/05/08 14:41:02 7801 +@@ -2138,8 +2138,8 @@ + @arg $string - the original raw search string + @returns - the sanitized search string */ + function sanitize_search_string($string) { +- static $drop_char_match = array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*'); +- static $drop_char_replace = array(' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' '); ++ static $drop_char_match = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*'); ++ static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' '); + + /* Replace line endings by a space */ + $string = preg_replace('/[\n\r]/is', ' ', $string); diff -Nru cacti-0.8.8a+dfsg/debian/patches/series cacti-0.8.8a+dfsg/debian/patches/series --- cacti-0.8.8a+dfsg/debian/patches/series 2016-02-24 21:00:15.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/series 2016-06-25 21:55:31.000000000 +0200 @@ -28,3 +28,5 @@ CVE-2015-8369_sql_injection_in_graph.php.patch CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch CVE-2015-8604-sql-injection-in-graphs_new.patch +CVE-2016-3172-sql-injection.patch +CVE-2016-3659-sql-injection.patch
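Review bot: in the debian/changelog hunk, the entry for CVE-2016-3659 says "Fix sql injection in graph_view.php", but debian/patches/CVE-2016-3659-sql-injection.patch only touches lib/functions.php (sanitize_search_string()); a reader looking for the change in graph_view.php will not find one. Suggest wording it to match the patch, e.g. "CVE-2016-3659: Fix sql injection in graph_view.php by sanitizing parentheses in sanitize_search_string() (lib/functions.php)", so the changelog records where the fix actually lands.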
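Review bot: the tree.php hunk adds the parent_id check to one input-validation block, but the hunk alone does not show whether parent_id is read anywhere in tree.php before or outside that block; please confirm with `grep -n parent_id tree.php` that every use is reached only after this validation, since input_validate_input_number() only protects what runs after it. Also, both patch files start directly at `--- a/tree.php` with no DEP-3 header (Origin:, Bug:, Bug-Debian:); the upstream SVN revisions 7804/7805 visible in the `---`/`+++` lines are the only provenance, so add an `Origin:` line pointing at them.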
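Review bot: in the lib/functions.php hunk the two new $drop_char_match entries '(' and ')' map to '' in $drop_char_replace, while every non-quote entry in the existing table maps to ' '; that means "a(b)c" collapses to "abc" instead of "a b c". Unless the upstream intent was specifically to delete rather than separate, mapping them to ' ' would be consistent with the rest of the table. The positional alignment str_replace() relies on is preserved (22 entries in each array after the change), but it is fragile; a comment noting that the two arrays must be kept in step would help the next person who edits them. Note also that this remains a blacklist and characters such as `%`, `_` and backslash are still not on it, so the safety of the fix depends on how graph_view.php quotes the result, which this hunk does not show.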