Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

There are currently three CVE's open against the cacti package in jessie that
have a patch available¹. Non of the issues are severe enough to warrent a
security upload, but I still think it is a good idea to get this fixed in
jessie. Could you please consider the attached debdiff?

Paul

¹ The forth open CVE against cacti is open since 2009 and not likely to get 
fixed.

- -- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (60, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEbBAEBCAAGBQJXg+VnAAoJEJxcmesFvXUK1cYH91B+Lolr1dE2yVXXeUWvGdlD
CDUl2sRWspaIcYkeFxFQv7FXlPnyTf8q6CXKUK6ALY/tV5GLWwTAHFuSF5rMEo5x
Dmiqm2yzZ5FIFcr7R6qfjaFK2nnKEix4HOxMK7wnVJq08n0UuHA6D5uRnRKmyJ/x
3Ves4ZNTMtlYOZZIMyyahODkqJFuKbFvnYzt4SnY/dQpwPnyxi1jkH9PjLHHyA8H
4Cxs1+rT58Zn4ZvskB2/JKzo0zAGwI7XA8PI6eacBoj7Gi42fJuAUUhWx/Qh3QwM
8DSpUZlNdJRWAfIS+MWn6S5zl41+GsYSIMBLVHalRBFSNeSH5XHQRmxMjVsHKQ==
=qmJ/
-----END PGP SIGNATURE-----
diff -Nru cacti-0.8.8b+dfsg/debian/changelog cacti-0.8.8b+dfsg/debian/changelog
--- cacti-0.8.8b+dfsg/debian/changelog	2016-02-24 20:47:55.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/changelog	2016-07-09 20:26:32.000000000 +0200
@@ -1,3 +1,15 @@
+cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
+
+  [ Emilio Pozuelo Monfort ]
+  * debian/patches/CVE-2016-3172-sql-injection.patch:
+    + CVE-2016-3172: Fix sql injection in tree.php (Closes: #818647)
+  * debian/patches/CVE-2016-3659-sql-injection.patch:
+    + CVE-2016-3659: Fix sql injection in graph_view.php (Closes: #820521)
+  * debian/patches/CVE-2016-2313-authentication-bypass.patch:
+    + CVE-2016-2313: Fix authentication bypass (Closes: #814353)
+
+ -- Paul Gevers <elb...@debian.org>  Sat, 09 Jul 2016 20:05:41 +0200
+
 cacti (0.8.8b+dfsg-8+deb8u4) jessie-security; urgency=high
 
   * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch	2016-07-09 20:04:07.000000000 +0200
@@ -0,0 +1,23 @@
+Backport fix for CVE-2016-2313.
+
+This is http://svn.cacti.net/viewvc?view=rev&revision=7770
+and https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
+
+Bug: http://bugs.cacti.net/view.php?id=2656
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,6 +86,13 @@
+ 		/* Locate user in database */
+ 		$user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+ 
++		if (!$user && read_config_option('user_template') == '0') {
++			cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti.  Exiting.", false, 'AUTH');
++			$username = htmlspecialchars($username);
++			auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++			exit;			
++		}
++
+ 		break;
+ 	case "3":
+ 		/* LDAP Auth */
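Review bot: The new guard `if (!$user && read_config_option('user_template') == '0')` fails closed only when the option is exactly `'0'`. If `read_config_option` can return an empty string or null for a setting that was never saved (not visible here), the loose `==` does not match and execution reaches `break` with no user row. Consider treating every empty value as "no template", e.g. `$tmpl = read_config_option('user_template');` followed by `if (!$user && ($tmpl === '' || $tmpl === null || $tmpl == '0'))`. The `cacti_log` call also writes the web-server-supplied `$username` unescaped, so stripping control characters before logging would keep a malformed name from splitting the log entry. The enclosing `switch` and the code after `break` are outside the hunk.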
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch	2016-07-09 20:04:07.000000000 +0200
@@ -0,0 +1,10 @@
+--- a/tree.php	2016/05/08 15:10:45	7804
++++ a/tree.php	2016/05/08 15:35:30	7805
+@@ -153,6 +153,7 @@
+ 	/* ================= input validation ================= */
+ 	input_validate_input_number(get_request_var("id"));
+ 	input_validate_input_number(get_request_var("tree_id"));
++	input_validate_input_number(get_request_var("parent_id"));
+ 	/* ==================================================== */
+ 
+ 	if (!empty($_GET["id"])) {
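Review bot: This patch file has no description header, while the CVE-2016-2313 patch in the same upload records its upstream revision and bug. A short header such as `Description: CVE-2016-3172: validate parent_id as a number in tree.php`, `Origin: upstream, SVN r7805` and `Bug-Debian: https://bugs.debian.org/818647` would let a later reviewer trace the fix; r7805 is read from the `+++` line and should be confirmed. The CVE-2016-3659 patch lacks a header in the same way. The added `input_validate_input_number(get_request_var("parent_id"));` protects only queries that sit behind this validation block. Both the consuming query and the enclosing function are outside the hunk, so it is worth checking that no other path in tree.php reads parent_id unvalidated.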
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-3659-sql-injection.patch	2016-07-09 20:04:07.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/lib/functions.php	2016/03/06 23:29:28	7800
++++ a/lib/functions.php	2016/05/08 14:41:02	7801
+@@ -2138,8 +2138,8 @@
+    @arg $string - the original raw search string
+    @returns - the sanitized search string */
+ function sanitize_search_string($string) {
+-	static $drop_char_match =   array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
+-	static $drop_char_replace = array(' ', ' ', ' ', ' ',  '',   '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
++	static $drop_char_match   = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
++	static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
+ 
+ 	/* Replace line endings by a space */
+ 	$string = preg_replace('/[\n\r]/is', ' ', $string);
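Review bot: Dropping `(` and `)` extends a character denylist in `sanitize_search_string`, which covers only the characters someone has already thought of. The query built from the search string in graph_view.php is outside this hunk; it would be sturdier if it quoted the value through the database layer, the way auth_login.php does with `$cnn_id->qstr($username)`. The two parallel `static` arrays also have to be kept the same length and order by hand. A single keyed map such as `array('(' => '', ')' => '', '^' => ' ', ...)` would keep each character next to its replacement. The function body continues past the hunk, including the code that applies these arrays.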
diff -Nru cacti-0.8.8b+dfsg/debian/patches/series cacti-0.8.8b+dfsg/debian/patches/series
--- cacti-0.8.8b+dfsg/debian/patches/series	2016-02-24 20:47:56.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/series	2016-07-09 20:04:07.000000000 +0200
@@ -28,3 +28,6 @@
 CVE-2015-8369_sql_injection_in_graph.php.patch
 CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch
 CVE-2015-8604-sql-injection-in-graphs_new.patch
+CVE-2016-3172-sql-injection.patch
+CVE-2016-3659-sql-injection.patch
+CVE-2016-2313-authentication-bypass.patch
