[cacti/el5: 2/2] patchs for CVEs

Ken Dreyer ktdreyer at fedoraproject.org
Tue Apr 8 00:02:51 UTC 2014


commit e04c03e57be711a45790256243d53650154babe3
Author: Ken Dreyer <ktdreyer at ktdreyer.com>
Date:   Mon Apr 7 18:58:57 2014 -0500

    patchs for CVEs
    
    - Patch for CVE-2014-2708 SQL injection issues in graph_xport.php
      (RHBZ #1084258)
    - Patch for CVE-2014-2709 shell escaping issues in lib/rrd.php
      (RHBZ #1084258)
    - Patch for CVE-2014-2326 stored XSS attack (RHBZ #1082122)
    - Patch for CVE-2014-2327 missing CSRF token (RHBZ #1082122)
    - Patch for CVE-2014-2328 use of exec-like function calls without safety
      checks allow arbitrary command execution (RHBZ #1082122)

 cacti-0.8.8b-html-injection.patch               |   19 ++++
 cacti-0.8.8b-remote-command-execution.patch     |   28 ++++++
 cacti-0.8.8b-sql-injection-shell-escaping.patch |  117 +++++++++++++++++++++++
 cacti.spec                                      |   39 +++++++-
 4 files changed, 199 insertions(+), 4 deletions(-)
---
diff --git a/cacti-0.8.8b-html-injection.patch b/cacti-0.8.8b-html-injection.patch
new file mode 100644
index 0000000..1326dff
--- /dev/null
+++ b/cacti-0.8.8b-html-injection.patch
@@ -0,0 +1,19 @@
+------------------------------------------------------------------------
+r7443 | rony | 2014-03-30 18:43:28 -0500 (Sun, 30 Mar 2014) | 2 lines
+
+bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability 
+
+------------------------------------------------------------------------
+Index: branches/0.8.8/cdef.php
+===================================================================
+--- branches/0.8.8/cdef.php	(revision 7442)
++++ branches/0.8.8/cdef.php	(revision 7443)
+@@ -431,7 +431,7 @@
+ 						<a class="linkEditMain" href="<?php print htmlspecialchars("cdef.php?action=item_edit&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>">Item #<?php print htmlspecialchars($i);?></a>
+ 					</td>
+ 					<td>
+-						<em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print get_cdef_item_name($cdef_item["id"]);?></strong>
++						<em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print htmlspecialchars(get_cdef_item_name($cdef_item["id"]));?></strong>
+ 					</td>
+ 					<td>
+ 						<a href="<?php print htmlspecialchars("cdef.php?action=item_movedown&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>"><img src="images/move_down.gif" border="0" alt="Move Down"></a>
diff --git a/cacti-0.8.8b-remote-command-execution.patch b/cacti-0.8.8b-remote-command-execution.patch
new file mode 100644
index 0000000..c357a06
--- /dev/null
+++ b/cacti-0.8.8b-remote-command-execution.patch
@@ -0,0 +1,28 @@
+------------------------------------------------------------------------
+r7442 | rony | 2014-03-30 18:41:56 -0500 (Sun, 30 Mar 2014) | 2 lines
+
+bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
+
+------------------------------------------------------------------------
+Index: branches/0.8.8/lib/graph_export.php
+===================================================================
+--- branches/0.8.8/lib/graph_export.php	(revision 7441)
++++ branches/0.8.8/lib/graph_export.php	(revision 7442)
+@@ -339,7 +339,7 @@
+ 	chdir($stExportDir);
+ 
+ 	/* set the initial command structure */
+-	$stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password'];
++	$stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']);
+ 
+ 	/* if the user requested passive mode, use it */
+ 	if ($aFtpExport['passive']) {
+@@ -347,7 +347,7 @@
+ 	}
+ 
+ 	/* setup the port, server, remote directory and all files */
+-	$stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . ".";
++	$stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . ".";
+ 
+ 	/* run the command */
+ 	$iExecuteReturns = 0;
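Review bot: The FTP password is still handed to ncftpput on its command line (`-p ' . cacti_escapeshellarg($aFtpExport['password'])`), so the new escaping closes the argument-injection hole but the credential remains visible in the process listing to any local user for the duration of the transfer. Worth a comment on that line, e.g. `/* NOTE: the password is exposed in the process list; prefer the tool's login-file mechanism over argv */`, or a follow-up that moves it out of argv. `cacti_escapeshellarg()` is defined outside this patch; presumably it wraps escapeshellarg(), but that cannot be confirmed from here. The enclosing function starts before and ends after this hunk.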
diff --git a/cacti-0.8.8b-sql-injection-shell-escaping.patch b/cacti-0.8.8b-sql-injection-shell-escaping.patch
new file mode 100644
index 0000000..cb72d79
--- /dev/null
+++ b/cacti-0.8.8b-sql-injection-shell-escaping.patch
@@ -0,0 +1,117 @@
+------------------------------------------------------------------------
+r7439 | rony | 2014-03-30 17:52:10 -0500 (Sun, 30 Mar 2014) | 5 lines
+
+bug#0002405: SQL injection in graph_xport.php
+
+ - Fixed form input validation problems
+ - Fixed rrd export and graph shell escape issues
+
+------------------------------------------------------------------------
+Index: branches/0.8.8/graph_xport.php
+===================================================================
+--- branches/0.8.8/graph_xport.php	(revision 7438)
++++ branches/0.8.8/graph_xport.php	(revision 7439)
+@@ -47,43 +47,48 @@
+ 
+ $graph_data_array = array();
+ 
++/* ================= input validation ================= */
++input_validate_input_number(get_request_var("local_graph_id"));
++input_validate_input_number(get_request_var("rra_id"));
++/* ==================================================== */
++
+ /* override: graph start time (unix time) */
+-if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
+-	$graph_data_array["graph_start"] = $_GET["graph_start"];
++if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
++	$graph_data_array["graph_start"] = get_request_var("graph_start");
+ }
+ 
+ /* override: graph end time (unix time) */
+-if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+-	$graph_data_array["graph_end"] = $_GET["graph_end"];
++if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
++	$graph_data_array["graph_end"] = get_request_var("graph_end");
+ }
+ 
+ /* override: graph height (in pixels) */
+-if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+-	$graph_data_array["graph_height"] = $_GET["graph_height"];
++if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
++	$graph_data_array["graph_height"] = get_request_var("graph_height");
+ }
+ 
+ /* override: graph width (in pixels) */
+-if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+-	$graph_data_array["graph_width"] = $_GET["graph_width"];
++if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
++	$graph_data_array["graph_width"] = get_request_var("graph_width");
+ }
+ 
+ /* override: skip drawing the legend? */
+ if (!empty($_GET["graph_nolegend"])) {
+-	$graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
++	$graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
+ }
+ 
+ /* print RRDTool graph source? */
+ if (!empty($_GET["show_source"])) {
+-	$graph_data_array["print_source"] = $_GET["show_source"];
++	$graph_data_array["print_source"] = get_request_var("show_source");
+ }
+ 
+-$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
++$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
+ 
+ /* for bandwidth, NThPercentile */
+ $xport_meta = array();
+ 
+ /* Get graph export */
+-$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
++$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
+ 
+ /* Make graph title the suggested file name */
+ if (is_array($xport_array["meta"])) {
+Index: branches/0.8.8/lib/rrd.php
+===================================================================
+--- branches/0.8.8/lib/rrd.php	(revision 7438)
++++ branches/0.8.8/lib/rrd.php	(revision 7439)
+@@ -865,13 +865,13 @@
+ 	/* basic graph options */
+ 	$graph_opts .=
+ 		"--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL .
+-		"--start=$graph_start" . RRD_NL .
+-		"--end=$graph_end" . RRD_NL .
++		"--start=" . cacti_escapeshellarg($graph_start) . RRD_NL .
++		"--end=" . cacti_escapeshellarg($graph_end) . RRD_NL .
+ 		"--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL .
+ 		"$rigid" .
+-		"--base=" . $graph["base_value"] . RRD_NL .
+-		"--height=$graph_height" . RRD_NL .
+-		"--width=$graph_width" . RRD_NL .
++		"--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL .
++		"--height=" . cacti_escapeshellarg($graph_height) . RRD_NL .
++		"--width=" . cacti_escapeshellarg($graph_width) . RRD_NL .
+ 		"$scale" .
+ 		"$unit_value" .
+ 		"$unit_exponent_value" .
+@@ -1606,8 +1606,8 @@
+ 
+ 	/* basic export options */
+ 	$xport_opts =
+-		"--start=$xport_start" . RRD_NL .
+-		"--end=$xport_end" . RRD_NL .
++		"--start=" . cacti_escapeshellarg($xport_start) . RRD_NL .
++		"--end=" . cacti_escapeshellarg($xport_end) . RRD_NL .
+ 		"--maxrows=10000" . RRD_NL;
+ 
+ 	$xport_defs = "";
+@@ -1997,7 +1997,7 @@
+ 			$stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0;
+ 			$j++;
+ 
+-			$txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
++			$txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
+ 		}else{
+ 			$need_rrd_nl = FALSE;
+ 		}
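Review bot: The new `graph_start` check `is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)` has its closing parenthesis in the wrong place: is_numeric() receives the boolean result of the `&&`, which is never numeric, so the graph_start override can no longer be applied at all. The sibling checks for graph_end, graph_height and graph_width have the intended shape; the line should read `if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {`. Two smaller inconsistencies in the same hunk: the rrdtool_function_xport() call still passes the raw `$_GET["local_graph_id"]` while its neighbour argument uses `get_request_var("rra_id")`, and the db_fetch_row() query remains string-built, so its safety rests entirely on the `input_validate_input_number()` call added at the top of the hunk rejecting non-numeric values — a one-line comment above the query stating that dependency would keep a later edit from reordering them.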
diff --git a/cacti.spec b/cacti.spec
index 5ca9847..f4438e8 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.8b
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: An rrd based graphing tool
 
 # Use systemd unit files on Fedora 21+ and RHEL 7.
@@ -40,6 +40,18 @@ Patch2: cacti-0.8.8b-sanitize-variables.patch
 # https://bugzilla.redhat.com/1004550
 Patch3: cacti-0.8.8b-rra-comments.patch
 
+# Upstream patch for SQL injection and shell escaping
+# https://bugzilla.redhat.com/1084258
+Patch4: cacti-0.8.8b-sql-injection-shell-escaping.patch
+
+# Upstream patch for HTML injection
+# https://bugzilla.redhat.com/1082122
+Patch5: cacti-0.8.8b-html-injection.patch
+
+# Upstream patch for remote command execution
+# https://bugzilla.redhat.com/1082122
+Patch6: cacti-0.8.8b-remote-command-execution.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
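Review bot: The changelog entry added in the later %changelog hunk (and the commit message) lists CVE-2014-2327 "missing CSRF token" as patched, but Patch4, Patch5 and Patch6 declared here are the SQL-injection/shell-escaping, HTML-injection and remote-command-execution patches, and none of the three patch files added in this commit appears to touch CSRF handling. Either the entry overstates what this release fixes or a patch is missing from the commit; the CVE-2014-2327 changelog line should be dropped or reworded until a corresponding patch is present. The Patch5 comment could also name the CVE the way the changelog does, e.g. `# Upstream patch for HTML injection (CVE-2014-2326)`, so the declarations and the changelog can be cross-checked.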
@@ -72,9 +84,18 @@ used to creating traffic graphs with MRTG.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1 -b .notreeview
-%patch2 -p2 -b .sanitize
-%patch3 -p2 -b .comments
+# patch1: Remove treeview
+%patch1 -p1
+# patch2: XSS and SQL injection, https://bugzilla.redhat.com/1000860
+%patch2 -p2
+# patch3: Fix graph comments, https://bugzilla.redhat.com/1004550
+%patch3 -p2
+# patch4: SQL injection and shell escaping, https://bugzilla.redhat.com/1084258
+%patch4 -p2
+# patch5: HTML injection, https://bugzilla.redhat.com/1082122
+%patch5 -p2
+# patch6: Remote command execution, https://bugzilla.redhat.com/1082122
+%patch6 -p2
 cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
 rm -rf include/treeview
 
@@ -171,6 +192,16 @@ rm -rf %{buildroot}
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
 
 %changelog
+* Mon Apr 07 2014 Ken Dreyer <ktdreyer at ktdreyer.com> - 0.8.8b-5
+- Patch for CVE-2014-2708 SQL injection issues in graph_xport.php
+  (RHBZ #1084258)
+- Patch for CVE-2014-2709 shell escaping issues in lib/rrd.php
+  (RHBZ #1084258)
+- Patch for CVE-2014-2326 stored XSS attack (RHBZ #1082122)
+- Patch for CVE-2014-2327 missing CSRF token (RHBZ #1082122)
+- Patch for CVE-2014-2328 use of exec-like function calls without safety
+  checks allow arbitrary command execution (RHBZ #1082122)
+
 * Fri Feb 07 2014 Ken Dreyer <ktdreyer at ktdreyer.com> - 0.8.8b-4
 - Move cron to a separate file and require crontabs (RHBZ #947047). Thanks
   Jóhann B. Guðmundsson.

