Hi I attached an NMU, including upstream's patch to fix this DoS. Do you want me to upload this NMU or do you want to take care of this yourself? Enjoy the rest of your holidays :)
Cheers Steffen
diff -u cacti-0.8.6j/debian/patches/00list cacti-0.8.6j/debian/patches/00list --- cacti-0.8.6j/debian/patches/00list +++ cacti-0.8.6j/debian/patches/00list @@ -7,0 +8 @@ +08_security-CVE.dpatch diff -u cacti-0.8.6j/debian/changelog cacti-0.8.6j/debian/changelog --- cacti-0.8.6j/debian/changelog +++ cacti-0.8.6j/debian/changelog @@ -1,3 +1,12 @@ +cacti (0.8.6j-1.1) unstable; urgency=high + + * Non-maintainer upload + * Fix DoS caused by large values passed to the graph_height, + graph_width, graph_start and graph_end parameter parameters + (Closes: #429224) Fixes: CVE-2007-3112, CVE-2007-3113 + + -- Steffen Joeris <[EMAIL PROTECTED]> Fri, 03 Aug 2007 12:02:25 +0000 + cacti (0.8.6j-1) unstable; urgency=low * New upstream release. Any further etch-targeted changes will be only in patch2: unchanged: --- cacti-0.8.6j.orig/debian/patches/08_security-CVE.dpatch +++ cacti-0.8.6j/debian/patches/08_security-CVE.dpatch @@ -0,0 +1,35 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_security-CVE.dpatch +## +## DP: Fix DoS for large value input + [EMAIL PROTECTED]@ +--- graph_image.php.orig 2007-08-03 11:50:29.000000000 +0000 ++++ cacti-0.8.6j/graph_image.php 2007-08-03 11:53:01.000000000 +0000 +@@ -51,22 +51,22 @@ + $graph_data_array = array(); + + /* override: graph start time (unix time) */ +-if (!empty($_GET["graph_start"])) { ++if (!empty($_GET["graph_start"])&&$_GET["graph_start"]<1600000000) { + $graph_data_array["graph_start"] = $_GET["graph_start"]; + } + + /* override: graph end time (unix time) */ +-if (!empty($_GET["graph_end"])) { ++if (!empty($_GET["graph_end"]) && $_GET["graph_end"] <1600000000) { + $graph_data_array["graph_end"] = $_GET["graph_end"]; + } + + /* override: graph height (in pixels) */ +-if (!empty($_GET["graph_height"])) { ++if (!empty($_GET["graph_height"])&& $_GET["graph_height"] < 3000) { + $graph_data_array["graph_height"] = $_GET["graph_height"]; + } + + /* override: graph width (in pixels) */ +-if (!empty($_GET["graph_width"])) { ++if (!empty($_GET["graph_width"])&& $_GET["graph_width"] < 3000) { + $graph_data_array["graph_width"] = $_GET["graph_width"]; + } +
signature.asc
Description: This is a digitally signed message part.