Hi Paul, Sorry for the delayed reply.
On Fri, Nov 10, 2017 at 09:26:17PM +0100, Paul Gevers wrote:
> Control: severity -1 important
> Control: tags -1 pending
>
> Hi all,
>
> On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> > Severity: grave
> > CVE-2017-16641[0]:
> > | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> > | to execute arbitrary OS commands via the path_rrdtool parameter in an
> > | action=save request to settings.php.
>
> Although this is true, and this parameter is not meant to be used like
> this, the cacti *admin* has always had this possibility via the "Data
> Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be
> raised. I just confirmed that I could indeed still do this via that
> (trivial) route.
>
> So just to be clear (and I don't particularly like it), the power of the
> cacti *admin* has been long known and has been accepted as unfixed for
> multiple Debian releases. Therefore I lower the severity of this bug.
>
> Unfortunately the upstream patch for this bug does not simply apply to
> pre 1.x versions of cacti. I am not comfortable (yet) with creating a
> patch for those versions, and due to CVE-2009-4112, I don't think it is
> worth fixing this in stable and older.

Ok! Your arguing makes sense to me, and I went ahead to mark the issue as
no-dsa for stretch and jessie.

Still, if upstream provides help in addressing any of those two issues it
would be great to see fixes at some point, e.g. via a point release or
picked up in a DSA as well.

Regards,
Salvatore
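The CVE text quoted in the thread describes a settings value (path_rrdtool, the path to the rrdtool binary) that ends up in a shell command line. The following is an added illustration, written for this page and not code from Cacti or from the Debian maintainers, of the defensive check a web application can apply to such a "path to an external binary" setting before it is ever used: an allowlist regex for the path syntax, a fixed expected basename, an approved set of installation prefixes, and per-argument quoting with escapeshellarg() when the command is assembled. The function names, the prefix list and the sample inputs are all assumptions made for the example. Note that this kind of validation only addresses the path_rrdtool issue (CVE-2017-16641); the older CVE-2009-4112 point in the thread, that an admin can define arbitrary commands through "Data Input Methods", is a design decision and is not touched by input validation of this sort.

```php
<?php
// Added example (not Cacti's code): validate an admin-supplied tool path
// before it is placed in a shell command line.

function validate_tool_path(string $path, string $expectedBasename): array
{
    // Allowlist the syntax: absolute path, no whitespace, no shell metacharacters.
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#', $path)) {
        return [false, 'path must be absolute and contain only [A-Za-z0-9._/-]'];
    }
    // The regex above still admits "..", so reject traversal components explicitly.
    foreach (explode('/', $path) as $component) {
        if ($component === '..') {
            return [false, 'parent-directory components are not allowed'];
        }
    }
    // The setting is meant to point at one specific program, so pin its name.
    if (basename($path) !== $expectedBasename) {
        return [false, "binary must be named {$expectedBasename}"];
    }
    // Assumed allowlist of installation prefixes; a real deployment would tune this
    // and additionally require is_file($path) && is_executable($path) at save time.
    $allowedPrefixes = ['/usr/bin/', '/usr/local/bin/', '/opt/rrdtool/bin/'];
    $prefixOk = false;
    foreach ($allowedPrefixes as $prefix) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            $prefixOk = true;
            break;
        }
    }
    if (!$prefixOk) {
        return [false, 'binary must live under an approved prefix'];
    }
    return [true, 'ok'];
}

function build_rrdtool_command(string $path, array $args): string
{
    [$ok, $why] = validate_tool_path($path, 'rrdtool');
    if (!$ok) {
        throw new InvalidArgumentException("refusing path_rrdtool={$path}: {$why}");
    }
    // Quote every token individually, so neither the path nor any argument can
    // introduce additional shell syntax.
    $quotedArgs = array_map('escapeshellarg', $args);
    return escapeshellarg($path) . ' ' . implode(' ', $quotedArgs);
}

// Constructed sample inputs for the demonstration.
$candidates = [
    '/usr/bin/rrdtool',          // expected: ACCEPT
    '/usr/bin/rrdtool; true',    // expected: REJECT (shell metacharacters)
    '/tmp/rrdtool',              // expected: REJECT (outside approved prefixes)
    '/usr/bin/../../bin/sh',     // expected: REJECT (traversal, wrong basename)
];
foreach ($candidates as $candidate) {
    [$ok, $why] = validate_tool_path($candidate, 'rrdtool');
    printf("%-26s %s (%s)\n", $candidate, $ok ? 'ACCEPT' : 'REJECT', $why);
}

// A safely assembled command line for an accepted path; the argument containing
// a space comes back wrapped in single quotes.
echo build_rrdtool_command('/usr/bin/rrdtool', ['info', '/var/lib/cacti/rra/host 1.rrd']), "\n";
```

The check is deliberately applied at the point where the setting is saved and again where the command is built, so a value written directly to the database (or by an older version of the application) does not bypass it.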