[gentoo-commits] repo/gentoo:master commit in: net-analyzer/cacti/files/, net-analyzer/cacti/

2021-01-11 Thread Sam James
commit: 7f85f1179fe8b92cc9c1eed6e363f8fde4b7bde7
Author: Sam James  gentoo  org>
AuthorDate: Mon Jan 11 22:17:59 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Jan 11 22:17:59 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f85f117

net-analyzer/cacti: patch CVE-2020-35701

Bug: https://bugs.gentoo.org/765019
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Sam James  gentoo.org>

 net-analyzer/cacti/cacti-1.2.16-r1.ebuild  |  54 
 .../cacti/files/cacti-1.2.16-CVE-2020-35701.patch  |  29 ++
 .../cacti/files/cacti-1.2.16-XSS-issue-4019.patch  | 360 +
 3 files changed, 443 insertions(+)

diff --git a/net-analyzer/cacti/cacti-1.2.16-r1.ebuild 
b/net-analyzer/cacti/cacti-1.2.16-r1.ebuild
new file mode 100644
index 000..d210806302f
--- /dev/null
+++ b/net-analyzer/cacti/cacti-1.2.16-r1.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit edos2unix webapp
+
+# Support for _p* in version.
+MY_P=${P/_p*/}
+
+DESCRIPTION="Cacti is a complete frontend to rrdtool"
+HOMEPAGE="https://www.cacti.net/;
+SRC_URI="https://www.cacti.net/downloads/${MY_P}.tar.gz;
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="snmp doc"
+
+need_httpd
+
+RDEPEND="
+   dev-lang/php[cli,mysql,pdo,session,sockets,xml]
+   dev-php/adodb
+   net-analyzer/rrdtool[graph]
+   virtual/cron
+   snmp? ( >=net-analyzer/net-snmp-5.2.0 )
+"
+
+PATCHES=(
+   "${FILESDIR}/${P}-CVE-2020-35701.patch"
+   "${FILESDIR}/${P}-XSS-issue-4019.patch"
+)
+
+src_compile() { :; }
+
+src_install() {
+   dodoc CHANGELOG
+   dodoc -r docs
+   mv docs .. || die
+
+   webapp_src_preinst
+
+   edos2unix `find -type f -name '*.php'`
+
+   dodir ${MY_HTDOCSDIR}
+   cp -r . "${ED}"${MY_HTDOCSDIR}
+
+   webapp_serverowned ${MY_HTDOCSDIR}/rra
+   webapp_serverowned ${MY_HTDOCSDIR}/log
+   webapp_configfile ${MY_HTDOCSDIR}/include/config.php
+   webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
+
+   webapp_src_install
+}
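Review bot: `edos2unix \`find -type f -name '*.php'\`` in src_install passes an unquoted command substitution, so any path containing whitespace is split into several arguments, and `find` with no starting directory is a GNU extension; `while IFS= read -r -d '' f; do edos2unix "${f}"; done < <(find . -type f -name '*.php' -print0)` avoids both. The same function leaves `${MY_HTDOCSDIR}` unquoted in the `dodir`, `cp` and `webapp_*` calls; writing `"${MY_HTDOCSDIR}"` costs nothing and matches the quoting already used for `${ED}`. RDEPEND pulls in `dev-php/adodb`, but nothing in this ebuild removes or redirects a bundled copy, so if the 1.2.16 tarball still ships `lib/adodb` the system package is never used and a stale bundled copy lands under the document root — worth confirming against the tarball before stabilising.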

diff --git a/net-analyzer/cacti/files/cacti-1.2.16-CVE-2020-35701.patch 
b/net-analyzer/cacti/files/cacti-1.2.16-CVE-2020-35701.patch
new file mode 100644
index 000..f55b7b0a40d
--- /dev/null
+++ b/net-analyzer/cacti/files/cacti-1.2.16-CVE-2020-35701.patch
@@ -0,0 +1,29 @@
+https://bugs.gentoo.org/765019
+https://github.com/Cacti/cacti/commit/565e0604a53f4988dc5b544d01f4a631eaa80d82
+
+From 565e0604a53f4988dc5b544d01f4a631eaa80d82 Mon Sep 17 00:00:00 2001
+From: TheWitness 
+Date: Thu, 24 Dec 2020 10:39:50 -0500
+Subject: [PATCH] Fixing Issue #4022
+
+SQL Injection in data_debug.php
+--- a/data_debug.php
 b/data_debug.php
+@@ -35,6 +35,8 @@
+ 
+ set_default_action();
+ 
++validate_request_vars();
++
+ switch (get_request_var('action')) {
+   case 'actions':
+   form_actions();
+@@ -123,8 +125,6 @@
+ 
+   break;
+   default:
+-  validate_request_vars();
+-
+   $refresh = array(
+   'seconds' => get_request_var('refresh'),
+   'page'=> 'data_debug.php?header=false',
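Review bot: The embedded patch's new-file header appears at the line after `--- a/data_debug.php` as ` b/data_debug.php` with no `+++`, so as rendered here the file would not apply with `eapply`; this is probably the mail archive stripping a leading `+++`, but the committed file should be checked to carry `++++ b/data_debug.php`. The hunk hoists `validate_request_vars()` ahead of the `switch` so it now runs before `form_actions()`, yet both the function body and `form_actions()` lie outside the hunk, so whether its filter list covers every request variable that reaches SQL cannot be confirmed from this view. A one-line comment above the call, `/* validate before dispatch: form_actions() reads request vars (CVE-2020-35701) */`, would record why the call was moved out of the `default` branch. The `switch` in data_debug.php continues beyond the hunk.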

diff --git a/net-analyzer/cacti/files/cacti-1.2.16-XSS-issue-4019.patch 
b/net-analyzer/cacti/files/cacti-1.2.16-XSS-issue-4019.patch
new file mode 100644
index 000..1f09e572c86
--- /dev/null
+++ b/net-analyzer/cacti/files/cacti-1.2.16-XSS-issue-4019.patch
@@ -0,0 +1,360 @@
+https://github.com/Cacti/cacti/issues/4019
+
+From ef10fe1c340ed932dc18b6a566b21f9dd15933c2 Mon Sep 17 00:00:00 2001
+From: TheWitness 
+Date: Wed, 23 Dec 2020 16:33:27 -0500
+Subject: [PATCH] Fixing Issue #4019
+
+* In a recent audit of core Cacti code, there were a few stored XSS issues 
that can be exposed
+* Also removed a few spurious title_trims, that should no longer be a problem.
+--- a/automation_devices.php
 b/automation_devices.php
+@@ -485,7 +485,7 @@ function draw_filter() {
+$name) {
+-  print 
"' . $name . "";
++  print 
"' . html_escape($name) . "";
+   }
+   }
+   ?>
+@@ -515,7 +515,7 @@ function draw_filter() {
+   ' . $st . "";
++  print 
"' . html_escape($st) . "";
+   }
+   }
+   ?>
+@@ -530,7 +530,7 @@ function draw_filter() {
+  

[gentoo-commits] repo/gentoo:master commit in: net-analyzer/cacti/files/, net-analyzer/cacti/

2016-07-16 Thread Jeroen Roovers
commit: 7fefd7c1a6e1decba4820c82ba047ac6be472113
Author: Jeroen Roovers  gentoo  org>
AuthorDate: Sat Jul 16 19:49:52 2016 +
Commit: Jeroen Roovers  gentoo  org>
CommitDate: Sat Jul 16 19:49:52 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7fefd7c1

net-analyzer/cacti: Old.

Package-Manager: portage-2.3.0

 net-analyzer/cacti/Manifest|   1 -
 net-analyzer/cacti/cacti-0.8.8f-r1.ebuild  |  62 ---
 .../cacti/files/cacti-0.8.8f-CVE-2015-8369.patch   | 204 -
 3 files changed, 267 deletions(-)

diff --git a/net-analyzer/cacti/Manifest b/net-analyzer/cacti/Manifest
index 025dd4d..e6e7dfc 100644
--- a/net-analyzer/cacti/Manifest
+++ b/net-analyzer/cacti/Manifest
@@ -1,2 +1 @@
-DIST cacti-0.8.8f.tar.gz 2594409 SHA256 
2ea92407c11bf13302558a5bc9e1f3a57bd14a1d9ded48c505ec495762f76738 SHA512 
b712a9f8b7bee632cb4982fed72793ac2f4d70aa042784bbd2fd3923a27901f457393aa95bbd63960187e85fe462c35e88fa3cd93e8537a3a68f94bdbf5d7f2b
 WHIRLPOOL 
58c883780fed833df2501b204a21fc8605e76a7b5ac26ebd13f0bf22f45dda6363be35ada8af2a65f4e7db506d103b6739d73699676c1622e7051eb8a89ad555
 DIST cacti-0.8.8h.tar.gz 2585226 SHA256 
0673bd9513dad381c8bbb9133c721a32bc6422dc91c5a81de16e3cd32e4d0600 SHA512 
11bb0682a7220af5581f42579cf9c38d94aae202425ce15b824849684b1a6778d6f14e6a62ec94c608b7ba06562a825be7fd6d812d0800daa5eb56e640ac1c5f
 WHIRLPOOL 
250ee38d969c9a7d9a71b15a25e48c2b9b22412c6c2394798d178172d9a1be056b009b328594559524adbd47ad05032992b13cb5a632af1a23f947fb55342402

diff --git a/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild 
b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild
deleted file mode 100644
index 4e978fa..000
--- a/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-inherit eutils webapp
-
-# Support for _p* in version.
-MY_P=${P/_p*/}
-
-DESCRIPTION="Cacti is a complete frontend to rrdtool"
-HOMEPAGE="http://www.cacti.net/;
-SRC_URI="http://www.cacti.net/downloads/${MY_P}.tar.gz;
-
-LICENSE="GPL-2"
-KEYWORDS="alpha amd64 ~arm hppa ~ppc ~ppc64 sparc x86"
-IUSE="snmp doc"
-
-need_httpd
-
-RDEPEND="
-   dev-lang/php[cli,mysql,session,sockets,xml]
-   dev-php/adodb
-   net-analyzer/rrdtool[graph]
-   virtual/cron
-   virtual/mysql
-   snmp? ( >=net-analyzer/net-snmp-5.2.0 )
-"
-
-src_prepare() {
-   epatch "${FILESDIR}"/${P}-CVE-2015-8369.patch
-
-   sed -i -e \
-   's:$config\["library_path"\] . 
"/adodb/adodb.inc.php":"adodb/adodb.inc.php":' \
-   "${S}"/include/global.php || die
-
-   rm -rf lib/adodb || die # don't use bundled adodb
-}
-
-src_compile() { :; }
-
-src_install() {
-   webapp_src_preinst
-
-   rm LICENSE README || die
-   dodoc docs/{CHANGELOG,CONTRIB,README,txt/manual.txt}
-   use doc && dohtml -r docs/html/
-   rm -rf docs
-
-   edos2unix `find -type f -name '*.php'`
-
-   dodir ${MY_HTDOCSDIR}
-   cp -r . "${D}"${MY_HTDOCSDIR}
-
-   webapp_serverowned ${MY_HTDOCSDIR}/rra
-   webapp_serverowned ${MY_HTDOCSDIR}/log/cacti.log
-   webapp_configfile ${MY_HTDOCSDIR}/include/config.php
-   webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
-
-   webapp_src_install
-}

diff --git a/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch 
b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
deleted file mode 100644
index 2019a61..000
--- a/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
+++ /dev/null
@@ -1,204 +0,0 @@
 a/graph.php
-+++ b/graph.php
-@@ -32,43 +32,43 @@
- 
- api_plugin_hook_function('graph');
- 
--include_once("./lib/html_tree.php");
--include_once("./include/top_graph_header.php");
--
- /* = input validation = */
--input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
--input_validate_input_number(get_request_var("local_graph_id"));
--input_validate_input_number(get_request_var("graph_end"));
--input_validate_input_number(get_request_var("graph_start"));
-+input_validate_input_regex(get_request_var_request("rra_id"), 
"^([0-9]+|all)$");
-+input_validate_input_number(get_request_var_request("local_graph_id"));
-+input_validate_input_number(get_request_var_request("graph_end"));
-+input_validate_input_number(get_request_var_request("graph_start"));
- input_validate_input_regex(get_request_var_request("view_type"), 
"^([a-zA-Z0-9]+)$");
- /*  */
- 
--if (!isset($_GET['rra_id'])) {
--  $_GET['rra_id'] = 'all';
-+include_once("./lib/html_tree.php");
-+include_once("./include/top_graph_header.php");
-+
-+if (!isset($_REQUEST['rra_id'])) {
-+  $_REQUEST['rra_id'] = 'all';
- }
- 
--if ($_GET["rra_id"] == "all") {
-+if ($_REQUEST["rra_id"] == "all") {
-   $sql_where = " where id is not null";
- }else{
--  $sql_where = "