[cacti] Patch for CVE-2013-5588 and CVE-2013-5589

Ken Dreyer ktdreyer at fedoraproject.org
Tue Aug 27 22:38:43 UTC 2013


commit fa1f26bd89ed4de4d1717abccef3e6fef64c46d3
Author: Ken Dreyer <ktdreyer at ktdreyer.com>
Date:   Mon Aug 26 14:47:12 2013 -0600

    Patch for CVE-2013-5588 and CVE-2013-5589
    
    See RHBZ #1000860

 cacti-0.8.8b-sanitize-variables.patch |  155 +++++++++++++++++++++++++++++++++
 cacti.spec                            |   10 ++-
 2 files changed, 164 insertions(+), 1 deletions(-)
---
diff --git a/cacti-0.8.8b-sanitize-variables.patch b/cacti-0.8.8b-sanitize-variables.patch
new file mode 100644
index 0000000..37ded2e
--- /dev/null
+++ b/cacti-0.8.8b-sanitize-variables.patch
@@ -0,0 +1,155 @@
+------------------------------------------------------------------------
+r7420 | cigamit | 2013-08-17 21:41:24 -0600 (Sat, 17 Aug 2013) | 1 line
+
+Bug #0002383 : Sanitize the step and id variables
+------------------------------------------------------------------------
+Index: branches/0.8.8/host.php
+===================================================================
+--- branches/0.8.8/host.php	(revision 7419)
++++ branches/0.8.8/host.php	(revision 7420)
+@@ -149,6 +149,9 @@
+ 		if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) {
+ 			raise_message(4);
+ 		}else{
++			input_validate_input_number(get_request_var_post("id"));
++			input_validate_input_number(get_request_var_post("host_template_id"));
++
+ 			$host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
+ 				trim($_POST["hostname"]), $_POST["snmp_community"], $_POST["snmp_version"],
+ 				$_POST["snmp_username"], $_POST["snmp_password"],
+Index: branches/0.8.8/lib/api_device.php
+===================================================================
+--- branches/0.8.8/lib/api_device.php	(revision 7419)
++++ branches/0.8.8/lib/api_device.php	(revision 7420)
+@@ -107,7 +107,7 @@
+ 		$_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
+ 	}
+ 
+-	$save["id"] = $id;
++	$save["id"]                   = form_input_validate($id, "id", "^[0-9]+$", false, 3);
+ 	$save["host_template_id"]     = form_input_validate($host_template_id, "host_template_id", "^[0-9]+$", false, 3);
+ 	$save["description"]          = form_input_validate($description, "description", "", false, 3);
+ 	$save["hostname"]             = form_input_validate(trim($hostname), "hostname", "", false, 3);
+Index: branches/0.8.8/install/index.php
+===================================================================
+--- branches/0.8.8/install/index.php	(revision 7419)
++++ branches/0.8.8/install/index.php	(revision 7420)
+@@ -310,27 +310,28 @@
+ }
+ 
+ /* pre-processing that needs to be done for each step */
+-if (empty($_REQUEST["step"])) {
+-	$_REQUEST["step"] = 1;
+-}else{
+-	if ($_REQUEST["step"] == "1") {
+-		$_REQUEST["step"] = "2";
+-	}elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "1")) {
+-		$_REQUEST["step"] = "3";
+-	}elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "3")) {
+-		$_REQUEST["step"] = "8";
+-	}elseif (($_REQUEST["step"] == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
+-		$_REQUEST["step"] = "9";
+-	}elseif ($_REQUEST["step"] == "8") {
+-		$_REQUEST["step"] = "3";
+-	}elseif ($_REQUEST["step"] == "9") {
+-		$_REQUEST["step"] = "3";
+-	}elseif ($_REQUEST["step"] == "3") {
+-		$_REQUEST["step"] = "4";
++if (isset($_REQUEST["step"]) && $_REQUEST["step"] > 0) {
++	$step = intval($_REQUEST["step"]);
++	if ($step == "1") {
++		$step = "2";
++	} elseif (($step == "2") && ($_REQUEST["install_type"] == "1")) {
++		$step = "3";
++	} elseif (($step == "2") && ($_REQUEST["install_type"] == "3")) {
++		$step = "8";
++	} elseif (($step == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
++		$step = "9";
++	} elseif ($step == "8") {
++		$step = "3";
++	} elseif ($step == "9") {
++		$step = "3";
++	} elseif ($step == "3") {
++		$step = "4";
+ 	}
++} else {
++	$step = 1;
+ }
+ 
+-if ($_REQUEST["step"] == "4") {
++if ($step == "4") {
+ 	include_once("../lib/data_query.php");
+ 	include_once("../lib/utility.php");
+ 
+@@ -366,7 +367,7 @@
+ 
+ 	header ("Location: ../index.php");
+ 	exit;
+-}elseif (($_REQUEST["step"] == "8") && ($_REQUEST["install_type"] == "3")) {
++}elseif (($step == "8") && ($_REQUEST["install_type"] == "3")) {
+ 	/* if the version is not found, die */
+ 	if (!is_int($old_version_index)) {
+ 		print "	<p style='font-family: Verdana, Arial; font-size: 16px; font-weight: bold; color: red;'>Error</p>
+@@ -505,7 +506,7 @@
+ 				</tr>
+ 				<tr>
+ 					<td width="100%" style="font-size: 12px;">
+-						<?php if ($_REQUEST["step"] == "1") { ?>
++						<?php if ($step == "1") { ?>
+ 
+ 						<p>Thanks for taking the time to download and install cacti, the complete graphing
+ 						solution for your network. Before you can start making cool graphs, there are a few
+@@ -530,7 +531,7 @@
+ 						MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ 						GNU General Public License for more details.</p>
+ 
+-						<?php }elseif ($_REQUEST["step"] == "2") { ?>
++						<?php }elseif ($step == "2") { ?>
+ 
+ 						<p>Please select the type of installation</p>
+ 
+@@ -551,7 +552,7 @@
+ 							print "Server Operating System Type: " . $config["cacti_server_os"] . "<br>"; ?>
+ 						</p>
+ 
+-						<?php }elseif ($_REQUEST["step"] == "3") { ?>
++						<?php }elseif ($step == "3") { ?>
+ 
+ 						<p>Make sure all of these values are correct before continuing.</p>
+ 						<?php
+@@ -609,7 +610,7 @@
+ 						is an upgrade. You can change any of the settings on this screen at a later
+ 						time by going to "Cacti Settings" from within Cacti.</p>
+ 
+-						<?php }elseif ($_REQUEST["step"] == "8") { ?>
++						<?php }elseif ($step == "8") { ?>
+ 
+ 						<p>Upgrade results:</p>
+ 
+@@ -659,7 +660,7 @@
+ 						print $upgrade_results;
+ 						?>
+ 
+-						<?php }elseif ($_REQUEST["step"] == "9") { ?>
++						<?php }elseif ($step == "9") { ?>
+ 
+ 						<p style='font-size: 16px; font-weight: bold; color: red;'>Important Upgrade Notice</p>
+ 
+@@ -673,7 +674,7 @@
+ 
+ 						<?php }?>
+ 
+-						<p align="right"><input type="image" src="install_<?php if ($_REQUEST["step"] == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($_REQUEST["step"] == "3"){?>Finish<?php }else{?>Next<?php }?>"></p>
++						<p align="right"><input type="image" src="install_<?php if ($step == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($step == "3"){?>Finish<?php }else{?>Next<?php }?>"></p>
+ 					</td>
+ 				</tr>
+ 			</table>
+@@ -681,7 +682,7 @@
+ 	</tr>
+ </table>
+ 
+-<input type="hidden" name="step" value="<?php print $_REQUEST["step"];?>">
++<input type="hidden" name="step" value="<?php print $step;?>">
+ 
+ </form>
+ 
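Review bot: In the lib/api_device.php hunk, `$save["id"]` is validated with `form_input_validate($id, "id", "^[0-9]+$", false, 3)` only after `$id` has already been interpolated into `db_fetch_cell("select host_template_id from host where id=$id")` on the context line just above, so the new check does not cover that earlier query. The host.php hunk validates `id` before calling `api_device_save`, which covers that caller, but any other caller of the function still reaches the query with an unchecked value; the enclosing function starts outside the hunk, so an earlier check there cannot be ruled out from here. Moving the validation to the top of the function, e.g. `$id = form_input_validate($id, "id", "^[0-9]+$", false, 3);` before the `host_template_id` lookup, would make the ordering independent of the caller. In install/index.php, the fallback `$step = 1` is guarded by `$_REQUEST["step"] > 0` on the raw request string rather than on the `intval()` result; testing `intval($_REQUEST["step"]) > 0` would keep the default deterministic regardless of PHP's string-to-number comparison rules.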
diff --git a/cacti.spec b/cacti.spec
index 359b247..35c4bab 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.8b
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: An rrd based graphing tool
 
 Group: Applications/System
@@ -26,6 +26,10 @@ Patch0: cacti-0.8.8a-legal.patch
 # Thanks to Paul Gevers and Jan Zalesak (Debian)
 Patch1: cacti-0.8.8a-replace_treeview_by_jquery.jstree.patch
 
+# Upstream patch for XSS and SQL injection
+# https://bugzilla.redhat.com/1000860
+Patch2: cacti-0.8.8b-sanitize-variables.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
@@ -52,6 +56,7 @@ used to creating traffic graphs with MRTG.
 %setup -q
 %patch0 -p1
 %patch1 -p1 -b .notreeview
+%patch2 -p2 -b .sanitize
 cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
 rm -rf include/treeview
 
@@ -142,6 +147,9 @@ fi
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
 
 %changelog
+* Mon Aug 26 2013 Ken Dreyer <ktdreyer at ktdreyer.org> - 0.8.8b-2
+- Patch for CVE-2013-5588 and CVE-2013-5589 (BZ #1000860)
+
 * Wed Aug 07 2013 Ken Dreyer <ktdreyer at ktdreyer.org> - 0.8.8b-1
 - New upstream release (BZ #993042)
 

