[gentoo-commits] repo/gentoo:master commit in: net-analyzer/cacti/, net-analyzer/cacti/files/
commit: 8d752c75f06d85b2eeceb3770f27484ca7bd2df1 Author: John Helmert III gentoo org> AuthorDate: Sun Oct 17 20:07:19 2021 + Commit: John Helmert III gentoo org> CommitDate: Sun Oct 17 20:36:42 2021 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d752c75 net-analyzer/cacti: drop 1.2.16-r1 Bug: https://bugs.gentoo.org/765022 Signed-off-by: John Helmert III gentoo.org> net-analyzer/cacti/Manifest| 1 - net-analyzer/cacti/cacti-1.2.16-r1.ebuild | 54 .../cacti/files/cacti-1.2.16-CVE-2020-35701.patch | 29 -- .../cacti/files/cacti-1.2.16-XSS-issue-4019.patch | 360 - 4 files changed, 444 deletions(-)
diff --git a/net-analyzer/cacti/Manifest b/net-analyzer/cacti/Manifest
index 8d2399500a5..b8685c4f777 100644
--- a/net-analyzer/cacti/Manifest
+++ b/net-analyzer/cacti/Manifest
@@ -1,2 +1 @@
-DIST cacti-1.2.16.tar.gz 29197220 BLAKE2B 19939d0ff79c895b481aeb7ffec8331d8b9c10a6b7e0dbda6532e06ef0322f21cf02f4bf53a9522e1f672dd04b343f5550e2f34f08b3af2050e1f72465cffc43 SHA512 fe22acf4dea8ab6ec79825d66a84ad4c43fdce2815e7327536d182bc04400ed7b1d268209bbbca8b307c4779ee5bf7369a617ec1f052d8805757c2ca9b30cc35
 DIST cacti-1.2.17.tar.gz 38344112 BLAKE2B e555fc99560d10e94181c38b50e6f839532fb3dc66ff688b36a7efd10c15304e7636c9b4b483763fcea751317bcb283bb2bd8f813d5759c98aed6bbf02fd256a SHA512 94ae75b2494a91c536906c7bbeaa948d16c7ad96ed3a62c1eb21175f92c01787c6849960bbc791e04b3df46edbfd3cd787eb825bb423ce0814c0904edb2c915d
diff --git a/net-analyzer/cacti/cacti-1.2.16-r1.ebuild b/net-analyzer/cacti/cacti-1.2.16-r1.ebuild
deleted file mode 100644
index 78185ebd73d..000
--- a/net-analyzer/cacti/cacti-1.2.16-r1.ebuild
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit edos2unix webapp
-
-# Support for _p* in version.
-MY_P=${P/_p*/}
-
-DESCRIPTION="Cacti is a complete frontend to rrdtool"
-HOMEPAGE="https://www.cacti.net/;
-SRC_URI="https://www.cacti.net/downloads/${MY_P}.tar.gz;
-
-LICENSE="GPL-2"
-KEYWORDS="~alpha amd64 ~arm ~hppa ~ppc ~ppc64 sparc x86"
-IUSE="snmp doc"
-
-need_httpd
-
-RDEPEND="
- dev-lang/php[cli,mysql,pdo,session,sockets,xml]
- dev-php/adodb
- net-analyzer/rrdtool[graph]
- virtual/cron
- snmp? ( >=net-analyzer/net-snmp-5.2.0 )
-"
-
-PATCHES=(
- "${FILESDIR}/${P}-CVE-2020-35701.patch"
- "${FILESDIR}/${P}-XSS-issue-4019.patch"
-)
-
-src_compile() { :; }
-
-src_install() {
- dodoc CHANGELOG
- dodoc -r docs
- mv docs .. || die
-
- webapp_src_preinst
-
- edos2unix `find -type f -name '*.php'`
-
- dodir ${MY_HTDOCSDIR}
- cp -r . "${ED}"${MY_HTDOCSDIR}
-
- webapp_serverowned ${MY_HTDOCSDIR}/rra
- webapp_serverowned ${MY_HTDOCSDIR}/log
- webapp_configfile ${MY_HTDOCSDIR}/include/config.php
- webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
-
- webapp_src_install
-}
diff --git a/net-analyzer/cacti/files/cacti-1.2.16-CVE-2020-35701.patch b/net-analyzer/cacti/files/cacti-1.2.16-CVE-2020-35701.patch
deleted file mode 100644
index f55b7b0a40d..000
--- a/net-analyzer/cacti/files/cacti-1.2.16-CVE-2020-35701.patch
+++ /dev/null
@@ -1,29 +0,0 @@ -https://bugs.gentoo.org/765019 -https://github.com/Cacti/cacti/commit/565e0604a53f4988dc5b544d01f4a631eaa80d82 - -From 565e0604a53f4988dc5b544d01f4a631eaa80d82 Mon Sep 17 00:00:00 2001 -From: TheWitness -Date: Thu, 24 Dec 2020 10:39:50 -0500 -Subject: [PATCH] Fixing Issue #4022 - -SQL Injection in data_debug.php a/data_debug.php -+++ b/data_debug.php -@@ -35,6 +35,8 @@ - - set_default_action(); - -+validate_request_vars(); -+ - switch (get_request_var('action')) { - case 'actions': - form_actions(); -@@ -123,8 +125,6 @@ - - break; - default: -- validate_request_vars(); -- - $refresh = array( - 'seconds' => get_request_var('refresh'), - 'page'=> 'data_debug.php?header=false', diff --git a/net-analyzer/cacti/files/cacti-1.2.16-XSS-issue-4019.patch b/net-analyzer/cacti/files/cacti-1.2.16-XSS-issue-4019.patch deleted file mode 100644 index 1f09e572c86..000 --- a/net-analyzer/cacti/files/cacti-1.2.16-XSS-issue-4019.patch +++ /dev/null @@ -1,360 +0,0 @@ -https://github.com/Cacti/cacti/issues/4019 - -From ef10fe1c340ed932dc18b6a566b21f9dd15933c2 Mon Sep 17 00:00:00 2001 -From: TheWitness -Date: Wed, 23 Dec 2020 16:33:27 -0500 -Subject: [PATCH] Fixing Issue #4019 - -* In a recent audit of core Cacti code, there were a few stored XSS issues that can be exposed -* Also removed a few spurious title_trims, that should no longer be a problem. a/automation_devices.php -+++ b/automation_devices.php -@@ -485,7 +485,7 @@ function draw_filter() { -$name) { --
[gentoo-commits] repo/gentoo:master commit in: net-analyzer/cacti/, net-analyzer/cacti/files/
commit: aa240655c683eb070932a40e3b0773be307603bf Author: Jeroen Roovers gentoo org> AuthorDate: Tue Feb 2 05:10:43 2016 + Commit: Jeroen Roovers gentoo org> CommitDate: Tue Feb 2 05:10:43 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa240655 net-analyzer/cacti: Add upstream patch for CVE-2015-8369 (bug #568400). Package-Manager: portage-2.2.27 net-analyzer/cacti/cacti-0.8.8f-r1.ebuild | 62 +++ .../cacti/files/cacti-0.8.8f-CVE-2015-8369.patch | 204 + 2 files changed, 266 insertions(+)
diff --git a/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild
new file mode 100644
index 000..782f241
--- /dev/null
+++ b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils webapp
+
+# Support for _p* in version.
+MY_P=${P/_p*/}
+
+DESCRIPTION="Cacti is a complete frontend to rrdtool"
+HOMEPAGE="http://www.cacti.net/;
+SRC_URI="http://www.cacti.net/downloads/${MY_P}.tar.gz;
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="snmp doc"
+
+need_httpd
+
+RDEPEND="
+ dev-lang/php[cli,mysql,session,sockets,xml]
+ dev-php/adodb
+ net-analyzer/rrdtool[graph]
+ virtual/cron
+ virtual/mysql
+ snmp? ( >=net-analyzer/net-snmp-5.2.0 )
+"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2015-8369.patch
+
+ sed -i -e \
+ 's:$config\["library_path"\] . "/adodb/adodb.inc.php":"adodb/adodb.inc.php":' \
+ "${S}"/include/global.php || die
+
+ rm -rf lib/adodb || die # don't use bundled adodb
+}
+
+src_compile() { :; }
+
+src_install() {
+ webapp_src_preinst
+
+ rm LICENSE README || die
+ dodoc docs/{CHANGELOG,CONTRIB,README,txt/manual.txt}
+ use doc && dohtml -r docs/html/
+ rm -rf docs
+
+ edos2unix `find -type f -name '*.php'`
+
+ dodir ${MY_HTDOCSDIR}
+ cp -r . "${D}"${MY_HTDOCSDIR}
+
+ webapp_serverowned ${MY_HTDOCSDIR}/rra
+ webapp_serverowned ${MY_HTDOCSDIR}/log/cacti.log
+ webapp_configfile ${MY_HTDOCSDIR}/include/config.php
+ webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
+
+ webapp_src_install
+}
diff --git a/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
new file mode 100644
index 000..2019a61
--- /dev/null
+++ b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
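Review bot: In src_install of the new ebuild, `cp -r . "${D}"${MY_HTDOCSDIR}` has no `|| die`, unlike the `sed` and `rm` calls in src_prepare. `cp` is a plain external command rather than an ebuild helper, so a failed or partial copy would not abort the install and the merged web root could be left incomplete. I would write the line as `cp -r . "${D}"${MY_HTDOCSDIR} || die`. The unquoted command substitution passed to `edos2unix` (the `find -type f -name '*.php'` call) is word-split by the shell, so a .php path containing whitespace would reach the helper as broken arguments. A one-line comment stating that the tarball's paths are assumed to be whitespace-free would make that assumption explicit.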
@@ -0,0 +1,204 @@ +--- a/graph.php b/graph.php +@@ -32,43 +32,43 @@ + + api_plugin_hook_function('graph'); + +-include_once("./lib/html_tree.php"); +-include_once("./include/top_graph_header.php"); +- + /* = input validation = */ +-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$"); +-input_validate_input_number(get_request_var("local_graph_id")); +-input_validate_input_number(get_request_var("graph_end")); +-input_validate_input_number(get_request_var("graph_start")); ++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$"); ++input_validate_input_number(get_request_var_request("local_graph_id")); ++input_validate_input_number(get_request_var_request("graph_end")); ++input_validate_input_number(get_request_var_request("graph_start")); + input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$"); + /* */ + +-if (!isset($_GET['rra_id'])) { +- $_GET['rra_id'] = 'all'; ++include_once("./lib/html_tree.php"); ++include_once("./include/top_graph_header.php"); ++ ++if (!isset($_REQUEST['rra_id'])) { ++ $_REQUEST['rra_id'] = 'all'; + } + +-if ($_GET["rra_id"] == "all") { ++if ($_REQUEST["rra_id"] == "all") { + $sql_where = " where id is not null"; + }else{ +- $sql_where = " where id=" . $_GET["rra_id"]; ++ $sql_where = " where id=" . $_REQUEST["rra_id"]; + } + + /* make sure the graph requested exists (sanity) */ +-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) { ++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . 
$_REQUEST["local_graph_id"]))) { + print "GRAPH DOES NOT EXIST"; exit; + } + + /* take graph permissions into account here, if the user does not have permission + give an "access denied" message */ + if (read_config_option("auth_method") != 0) { +- $access_denied = !(is_graph_allowed($_GET["local_graph_id"])); ++ $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"])); + + if ($access_denied == true) { + print "ACCESS DENIED"; exit; + } + } + +-$graph_title = get_graph_title($_GET["local_graph_id"]); ++$graph_title =