On 26/06/16 09:23, Paul Gevers wrote:
> Hi Emilio
>
> On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>>> Just in case somebody starts working on it, I'd like to review proposed
>>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>>> in Debian and a check if the fix by a contributor in the upstream bug
>>> report is causing other damage. The third CVE has a trivial patch.
>>
>> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
>> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
>> know if we are vulnerable or not, maybe we are and the attack needs some
>> changes. In any case, I think the fix is very safe, sanitizing parentheses,
>> so I think we can just ship it. What do you think? Please see the attached
>> debdiff.
>
> The patch for CVE-2016-3659 is accepted by upstream, so should be OK to
> apply.
>
> The issue with CVE-2016-2313 has been resolved upstream, the
> sledgehammer has been replaced by an appropriate hammer for the size of
> the nail:
> https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
>
> I believe CVE-2016-2313 should be included in this fix.
Certainly! I have backported the fix and included it in this new debdiff.
Unfortunately I'm not sure how to trigger the bug.

> Please be advised that since my previous e-mail, I actually created a
> brute force regression test for cacti, see
> http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages

Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
be useful to do some basic testing after an update.

Cheers,
Emilio
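The discussion above hinges on what the CVE-2016-3659 change to sanitize_search_string() actually does to an attacker-controlled search string. The following is an added example, not code from the e-mail thread or from Cacti: a Python port of the two static deny-list arrays exactly as they appear in the patch hunk below, before and after the fix, so the difference can be probed offline. Only the arrays and the line-ending replacement are visible in the hunk; that the arrays are consumed as positional match/replace pairs by PHP's str_replace() is an assumption, as is the probe string, which is constructed here from all printable ASCII punctuation.

```python
import re

# Added example (not code from the e-mail or from Cacti): Python port of the
# character deny-list in Cacti's sanitize_search_string() as shown in the
# CVE-2016-3659 hunk, before and after the fix. Only the two static arrays
# and the line-ending replacement are visible in the patch; the positional
# str_replace() that consumes the arrays is assumed.

# Before the fix: 20 match characters paired positionally with 20 replacements.
OLD_MATCH = ['^', '$', '<', '>', '`', "'", '"', '|', ',', '?', '+',
             '[', ']', '{', '}', '#', ';', '!', '=', '*']
OLD_REPLACE = [' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ',
               ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ']

# After the fix: '(' and ')' are prepended and mapped to '' (deleted outright,
# unlike most other entries, which become a space).
NEW_MATCH = ['(', ')'] + OLD_MATCH
NEW_REPLACE = ['', ''] + OLD_REPLACE


def sanitize_search_string(string, match, replace):
    """Port of the visible part of the PHP function.

    Raises ValueError when the two lists differ in length, which is the
    maintenance hazard of positional match/replace arrays.
    """
    if len(match) != len(replace):
        raise ValueError("match/replace arrays must have equal length")
    # Visible in the hunk: line endings are replaced by a space.
    string = re.sub(r'[\n\r]', ' ', string)
    # Assumed: PHP str_replace($match, $replace, $string), applied pair by
    # pair over the whole string. No replacement character is itself in the
    # match list, so a single translate() table gives the same result.
    table = {ord(m): r for m, r in zip(match, replace)}
    return string.translate(table)


def surviving_metachars(probe, match, replace):
    """Return the sorted punctuation characters of `probe` that a given
    deny-list leaves in place, for a quick before/after comparison."""
    out = sanitize_search_string(probe, match, replace)
    return sorted({c for c in out if not c.isalnum() and not c.isspace()})


# Constructed probe: every printable ASCII punctuation character exactly once.
PROBE = ''.join(chr(c) for c in range(33, 127) if not chr(c).isalnum())

if __name__ == "__main__":
    print("survives before fix:", ''.join(surviving_metachars(PROBE, OLD_MATCH, OLD_REPLACE)))
    print("survives after fix: ", ''.join(surviving_metachars(PROBE, NEW_MATCH, NEW_REPLACE)))
    print(repr(sanitize_search_string("1) OR (1=1", NEW_MATCH, NEW_REPLACE)))
```

Running it shows that the old list passes `(` and `)` through untouched while the new one deletes them, and also lists the punctuation that neither version touches, which is what a reviewer would want to know before accepting a deny-list sanitizer as the fix rather than parameterised queries.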
diff -Nru cacti-0.8.8a+dfsg/debian/changelog cacti-0.8.8a+dfsg/debian/changelog --- cacti-0.8.8a+dfsg/debian/changelog 2016-02-24 21:00:15.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/changelog 2016-06-26 10:18:07.000000000 +0200 @@ -1,3 +1,15 @@ +cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=medium + + * Non-maintainer upload. + * debian/patches/CVE-2016-3172-sql-injection.patch: + + CVE-2016-3172: Fix sql injection in tree.php. + * debian/patches/CVE-2016-3659-sql-injection.patch: + + CVE-2016-3659: Fix sql injection in graph_view.php. + * debian/patches/CVE-2016-2313-authentication-bypass.patch: + + CVE-2016-2313: Fix authentication bypass. + + -- Emilio Pozuelo Monfort <po...@debian.org> Sun, 26 Jun 2016 10:18:04 +0200 + cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency=high * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch --- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch 1970-01-01 01:00:00.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch 2016-06-26 10:16:50.000000000 +0200 
@@ -0,0 +1,23 @@ +Backport fix for CVE-2016-2313. + +This is http://svn.cacti.net/viewvc?view=rev&revision=7770 +and https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52 + +Bug: http://bugs.cacti.net/view.php?id=2656 + +--- a/auth_login.php ++++ b/auth_login.php +@@ -86,6 +86,13 @@ + /* Locate user in database */ + $user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2"); + ++ if (!$user && read_config_option('user_template') == '0') { ++ cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti. Exiting.", false, 'AUTH'); ++ $username = htmlspecialchars($username); ++ auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti."); ++ exit; ++ } ++ + break; + case "3": + /* LDAP Auth */ diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch --- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch 1970-01-01 01:00:00.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch 2016-06-25 21:57:13.000000000 +0200 
@@ -0,0 +1,10 @@ +--- a/tree.php 2016/05/08 15:10:45 7804 ++++ a/tree.php 2016/05/08 15:35:30 7805 +@@ -153,6 +153,7 @@ + /* ================= input validation ================= */ + input_validate_input_number(get_request_var("id")); + input_validate_input_number(get_request_var("tree_id")); ++ input_validate_input_number(get_request_var("parent_id")); + /* ==================================================== */ + + if (!empty($_GET["id"])) { diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch --- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch 1970-01-01 01:00:00.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch 2016-06-25 21:57:24.000000000 +0200 @@ -0,0 +1,13 @@ +--- a/lib/functions.php 2016/03/06 23:29:28 7800 ++++ a/lib/functions.php 2016/05/08 14:41:02 7801 +@@ -2138,8 +2138,8 @@ + @arg $string - the original raw search string + @returns - the sanitized search string */ + function sanitize_search_string($string) { +- static $drop_char_match = array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*'); +- static $drop_char_replace = array(' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' '); ++ static $drop_char_match = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*'); ++ static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' '); + + /* Replace line endings by a space */ + $string = preg_replace('/[\n\r]/is', ' ', $string); diff -Nru cacti-0.8.8a+dfsg/debian/patches/series cacti-0.8.8a+dfsg/debian/patches/series --- cacti-0.8.8a+dfsg/debian/patches/series 2016-02-24 21:00:15.000000000 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/series 2016-06-26 10:08:53.000000000 +0200 
@@ -28,3 +28,6 @@ CVE-2015-8369_sql_injection_in_graph.php.patch CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch CVE-2015-8604-sql-injection-in-graphs_new.patch +CVE-2016-3172-sql-injection.patch +CVE-2016-3659-sql-injection.patch +CVE-2016-2313-authentication-bypass.patch
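Review bot: in the debian/changelog hunk the CVE-2016-3659 entry reads "Fix sql injection in graph_view.php", but the patch it points to modifies lib/functions.php (sanitize_search_string), not graph_view.php; name the file actually changed, or state that graph_view.php is the entry point that reaches the sanitizer, so the changelog can be checked against the debdiff. The previous upload (deb7u8) went out at urgency=high for one SQL injection, while this one fixes two SQL injections and an authentication bypass at urgency=medium; align the urgency or say why it differs.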
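Review bot: in the auth_login.php hunk of CVE-2016-2313-authentication-bypass.patch, the new guard exits only when read_config_option('user_template') compares equal to the string '0'; an empty-string setting does not satisfy `== '0'` in PHP, so in that case the code falls through exactly as before. If an empty value is possible in 0.8.8a, widen the test (PHP's `empty()` is true for both '' and '0') or note in the header that the option always defaults to '0'. The header itself is the model the other two patches should follow (SVN revision, GitHub commit and bug URL are all recorded); consider DEP-3 field names (Origin:, Bug:) so tooling can read them.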
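Review bot: CVE-2016-3172-sql-injection.patch has no header at all: no description, no Origin and no CVE reference apart from the filename. The diff timestamps show upstream revisions 7804 and 7805, so an `Origin: http://svn.cacti.net/viewvc?view=rev&revision=7805` line plus one sentence on where parent_id is used would let the next uploader verify the backport the way the CVE-2016-2313 patch already allows. The added input_validate_input_number(get_request_var("parent_id")) call mirrors the two existing calls in the block; the hunk shows only those three, so the header should also say whether parent_id was the only unvalidated numeric request variable in tree.php.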
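Review bot: CVE-2016-3659-sql-injection.patch has the same missing header as the tree.php patch; revisions 7800/7801 are visible in the diff line and the e-mail records that upstream accepted the change, so both belong in an Origin/Acked-by note, together with the fact that the bug could not be reproduced on wheezy and the fix is being shipped on upstream's word. On the lib/functions.php hunk itself: $drop_char_match and $drop_char_replace are a positional pair, so they must stay the same length (22 and 22 here, which is correct), but the new entries were prepended rather than appended, which is easy to get wrong on a later cherry-pick; and '(' and ')' map to '' while most other entries map to ' ', so "a(b)c" becomes "abc" rather than "a b c". State in the header that deletion, not space substitution, is intended.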