Bug#429224: patch for DoS

Fri, 03 Aug 2007 05:27:18 -0700 

Hi

I attached an NMU, including upstream's patch to fix this DoS.
Do you want me to upload this NMU or do you want to take care of this 
yourself?
Enjoy the rest of your holidays :)

Cheers
Steffen

diff -u cacti-0.8.6j/debian/patches/00list cacti-0.8.6j/debian/patches/00list
--- cacti-0.8.6j/debian/patches/00list
+++ cacti-0.8.6j/debian/patches/00list
@@ -7,0 +8 @@
+08_security-CVE.dpatch
diff -u cacti-0.8.6j/debian/changelog cacti-0.8.6j/debian/changelog
--- cacti-0.8.6j/debian/changelog
+++ cacti-0.8.6j/debian/changelog
@@ -1,3 +1,12 @@
+cacti (0.8.6j-1.1) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Fix DoS caused by large values passed to the graph_height,
+    graph_width, graph_start and graph_end parameter parameters
+    (Closes: #429224) Fixes: CVE-2007-3112, CVE-2007-3113
+
+ -- Steffen Joeris <[EMAIL PROTECTED]>  Fri, 03 Aug 2007 12:02:25 +0000
+
 cacti (0.8.6j-1) unstable; urgency=low
 
   * New upstream release.  Any further etch-targeted changes will be
only in patch2:
unchanged:
--- cacti-0.8.6j.orig/debian/patches/08_security-CVE.dpatch
+++ cacti-0.8.6j/debian/patches/08_security-CVE.dpatch
@@ -0,0 +1,35 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 08_security-CVE.dpatch
+##
+## DP: Fix DoS for large value input
+
[EMAIL PROTECTED]@
+--- graph_image.php.orig	2007-08-03 11:50:29.000000000 +0000
++++ cacti-0.8.6j/graph_image.php	2007-08-03 11:53:01.000000000 +0000
+@@ -51,22 +51,22 @@
+ $graph_data_array = array();
+ 
+ /* override: graph start time (unix time) */
+-if (!empty($_GET["graph_start"])) {
++if (!empty($_GET["graph_start"])&&$_GET["graph_start"]<1600000000) {
+ 	$graph_data_array["graph_start"] = $_GET["graph_start"];
+ }
+ 
+ /* override: graph end time (unix time) */
+-if (!empty($_GET["graph_end"])) {
++if (!empty($_GET["graph_end"]) && $_GET["graph_end"] <1600000000) {
+ 	$graph_data_array["graph_end"] = $_GET["graph_end"];
+ }
+ 
+ /* override: graph height (in pixels) */
+-if (!empty($_GET["graph_height"])) {
++if (!empty($_GET["graph_height"])&& $_GET["graph_height"] < 3000) {
+ 	$graph_data_array["graph_height"] = $_GET["graph_height"];
+ }
+ 
+ /* override: graph width (in pixels) */
+-if (!empty($_GET["graph_width"])) {
++if (!empty($_GET["graph_width"])&& $_GET["graph_width"] < 3000) {
+ 	$graph_data_array["graph_width"] = $_GET["graph_width"];
+ }
+

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to