Commit 6265e118 authored by Natanael Copa

main/cacti: security upgrade to 0.8.8d (CVE-2015-4342)

fixes #4357
parent af7cd8f0
# Maintainer: Jeff Bilyk <jbilyk@gmail.com>
pkgname=cacti
pkgver=0.8.8b
pkgrel=3
pkgver=0.8.8d
pkgrel=0
pkgdesc="Network monitoring tool based on RRDtool"
url="http://www.cacti.net"
arch="noarch"
......@@ -9,9 +9,6 @@ license="GPL2+"
depends="mysql php php-mysql php-snmp rrdtool net-snmp php-sockets php-xml php-gd"
makedepends=""
source="http://www.cacti.net/downloads/$pkgname-$pkgver.tar.gz
security.patch
CVE-2014-5025,5026.patch
bug-0002455.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
......@@ -34,15 +31,6 @@ package() {
mv "$srcdir"/$pkgname-$pkgver/* "$pkgdir"/usr/share/webapps/cacti/ || return 1
}
md5sums="acb40deae073ca22e5c01a8e3ba389fb cacti-0.8.8b.tar.gz
bd18f265cca1f9713f88296f0be1ef56 security.patch
04770edd7e55021e10ad7d50b0ffa2e9 CVE-2014-5025,5026.patch
aa6d50a78b32e7f3e1a71f93c40c6697 bug-0002455.patch"
sha256sums="ef0e2a813139e0b4c2e066f0fdae1f4ad086bef0aa23446055df6331cb1af98c cacti-0.8.8b.tar.gz
73758bdf3f7846875f1620c35d1d982fa27366b053d8bd87363c618e7747c163 security.patch
fbcb79c1500ca76d88a578aa8c0543ffe3789ab3ee0d79055d378e4d79b43637 CVE-2014-5025,5026.patch
598fe1d4677e0ac080a6ada7ae97ff73b748a20e35eabce13f441010227294c0 bug-0002455.patch"
sha512sums="98b216f3beb8e90dc554a16ca07cc8b3c9e247335786d8b5e76001d7293251a8a6e03bbe2464f7e9f8e0721359e7cd4a40615dd93ac7b1cc0bec507f01fa24c1 cacti-0.8.8b.tar.gz
bed640fb64584b877348cf8163cebe39f6786a2fb8a7e735a81e9a0504b53005feec13e9911566690426f63d120b3744b755c0cbffcb67c44e9fe6dae3ccae80 security.patch
1480f456e3720f344c00a6bba61e7c4200186d6b82b70357d42c7a7c9e67385edefd0633bec6f24d83c95bbecf5f7652e2d8228559d8c7cfc290d59892b4d364 CVE-2014-5025,5026.patch
abde50dca8c80c1ea3cfc16a418abda23212c7badda469ec30345b822cf372c45b14cd397bffc77e8765b1fcc605ebd1ab21fffb53a8fbc37bad175219c84596 bug-0002455.patch"
md5sums="4507d6d189cf0dc881bf00d47537037a cacti-0.8.8d.tar.gz"
sha256sums="1e3fb4aa137c0a9cb682fa66956c1f59dfc730040a215c45b7f9a5f9b9714bec cacti-0.8.8d.tar.gz"
sha512sums="aaf86bd89b5bba03921d05670badf832c7fe4806696fee7a4fa8b0a4914471b22e0f00eb5b63bf232d56e4f33f1af58f01cb5737232ebb99b8331f814264098a cacti-0.8.8d.tar.gz"
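Review bot: The `source=` list drops security.patch, CVE-2014-5025,5026.patch and bug-0002455.patch without any comment recording that their fixes are now covered upstream, while the commit message names only CVE-2015-4342. Whether 0.8.8d actually contains those three fixes cannot be seen from this hunk; if it does, a one-line comment above `source=`, e.g. `# security.patch, CVE-2014-5025,5026.patch, bug-0002455.patch dropped: fixed upstream in 0.8.8d (verify against upstream changelog)`, lets the next maintainer confirm the regression surface without digging through history. The new sha512sums entry for cacti-0.8.8d.tar.gz is present, so the plain-http source URL remains integrity-pinned by abuild's checksum verification.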
Index: 0.8.8/lib/rrd.php
===================================================================
--- 0.8.8/lib/rrd.php (revision 7453)
+++ 0.8.8/lib/rrd.php (revision 7454)
@@ -2060,7 +2060,7 @@
$size = 8;
}
- return "--font " . strtoupper($type) . ":" . $size . ":" . $font . RRD_NL;
+ return "--font " . strtoupper($type) . ":" . floatval($size) . ":" . $font . RRD_NL;
}
function rrd_substitute_host_query_data($txt_graph_item, $graph, $graph_item) {
Index: 0.8.8/graph_settings.php
===================================================================
--- 0.8.8/graph_settings.php (revision 7453)
+++ 0.8.8/graph_settings.php (revision 7454)
@@ -54,6 +54,10 @@
while (list($tab_short_name, $tab_fields) = each($settings_graphs)) {
while (list($field_name, $field_array) = each($tab_fields)) {
+ /* Check every field with a numeric default value and reset it to default if the inputted value is not numeric */
+ if (isset($field_array["default"]) && is_numeric($field_array["default"]) && !is_numeric(get_request_var_post($field_name))) {
+ $_POST[$field_name] = $field_array["default"];
+ }
if ($field_array["method"] == "checkbox") {
if (isset($_POST[$field_name])) {
db_execute("REPLACE INTO settings_graphs (user_id,name,value) VALUES (" . $_SESSION["sess_user_id"] . ",'$field_name', 'on')");
diff -ruBbd cacti-0.8.8b/cdef.php cacti-0.8.8b.patched/cdef.php
--- cacti-0.8.8b/cdef.php 2013-08-06 22:31:19.000000000 -0400
+++ cacti-0.8.8b.patched/cdef.php 2014-04-04 21:39:04.000000000 -0400
@@ -431,7 +431,7 @@
<a class="linkEditMain" href="<?php print htmlspecialchars("cdef.php?action=item_edit&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>">Item #<?php print htmlspecialchars($i);?></a>
</td>
<td>
- <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print get_cdef_item_name($cdef_item["id"]);?></strong>
+ <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print htmlspecialchars(get_cdef_item_name($cdef_item["id"]));?></strong>
</td>
<td>
<a href="<?php print htmlspecialchars("cdef.php?action=item_movedown&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>"><img src="images/move_down.gif" border="0" alt="Move Down"></a>
diff -ruBbd cacti-0.8.8b/graph_xport.php cacti-0.8.8b.patched/graph_xport.php
--- cacti-0.8.8b/graph_xport.php 2013-08-06 22:31:19.000000000 -0400
+++ cacti-0.8.8b.patched/graph_xport.php 2014-04-04 21:39:04.000000000 -0400
@@ -47,43 +47,48 @@
$graph_data_array = array();
+/* ================= input validation ================= */
+input_validate_input_number(get_request_var("local_graph_id"));
+input_validate_input_number(get_request_var("rra_id"));
+/* ==================================================== */
+
/* override: graph start time (unix time) */
-if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
- $graph_data_array["graph_start"] = $_GET["graph_start"];
+if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
+ $graph_data_array["graph_start"] = get_request_var("graph_start");
}
/* override: graph end time (unix time) */
-if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
- $graph_data_array["graph_end"] = $_GET["graph_end"];
+if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+ $graph_data_array["graph_end"] = get_request_var("graph_end");
}
/* override: graph height (in pixels) */
-if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
- $graph_data_array["graph_height"] = $_GET["graph_height"];
+if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+ $graph_data_array["graph_height"] = get_request_var("graph_height");
}
/* override: graph width (in pixels) */
-if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
- $graph_data_array["graph_width"] = $_GET["graph_width"];
+if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+ $graph_data_array["graph_width"] = get_request_var("graph_width");
}
/* override: skip drawing the legend? */
if (!empty($_GET["graph_nolegend"])) {
- $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
+ $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
}
/* print RRDTool graph source? */
if (!empty($_GET["show_source"])) {
- $graph_data_array["print_source"] = $_GET["show_source"];
+ $graph_data_array["print_source"] = get_request_var("show_source");
}
-$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
+$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
/* for bandwidth, NThPercentile */
$xport_meta = array();
/* Get graph export */
-$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
+$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
/* Make graph title the suggested file name */
if (is_array($xport_array["meta"])) {
diff -ruBbd cacti-0.8.8b/lib/graph_export.php cacti-0.8.8b.patched/lib/graph_export.php
--- cacti-0.8.8b/lib/graph_export.php 2013-08-06 22:31:19.000000000 -0400
+++ cacti-0.8.8b.patched/lib/graph_export.php 2014-04-04 21:39:05.000000000 -0400
@@ -339,7 +339,7 @@
chdir($stExportDir);
/* set the initial command structure */
- $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password'];
+ $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']);
/* if the user requested passive mode, use it */
if ($aFtpExport['passive']) {
@@ -347,7 +347,7 @@
}
/* setup the port, server, remote directory and all files */
- $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . ".";
+ $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . ".";
/* run the command */
$iExecuteReturns = 0;
diff -ruBbd cacti-0.8.8b/lib/rrd.php cacti-0.8.8b.patched/lib/rrd.php
--- cacti-0.8.8b/lib/rrd.php 2013-08-06 22:31:18.000000000 -0400
+++ cacti-0.8.8b.patched/lib/rrd.php 2014-04-04 21:39:04.000000000 -0400
@@ -865,13 +865,13 @@
/* basic graph options */
$graph_opts .=
"--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL .
- "--start=$graph_start" . RRD_NL .
- "--end=$graph_end" . RRD_NL .
+ "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL .
+ "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL .
"--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL .
"$rigid" .
- "--base=" . $graph["base_value"] . RRD_NL .
- "--height=$graph_height" . RRD_NL .
- "--width=$graph_width" . RRD_NL .
+ "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL .
+ "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL .
+ "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL .
"$scale" .
"$unit_value" .
"$unit_exponent_value" .
@@ -1606,8 +1606,8 @@
/* basic export options */
$xport_opts =
- "--start=$xport_start" . RRD_NL .
- "--end=$xport_end" . RRD_NL .
+ "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL .
+ "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL .
"--maxrows=10000" . RRD_NL;
$xport_defs = "";
@@ -1997,7 +1997,7 @@
$stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0;
$j++;
- $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
+ $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
}else{
$need_rrd_nl = FALSE;
}