[cacti/el5: 2/2] Patches for CVE-2014-4002 Cross-site scripting vulnerability
Ken Dreyer
ktdreyer at fedoraproject.org
Fri Jun 27 21:19:57 UTC 2014
commit 388543ca99f5a2b264f47e7e540b72b779f674e6
Author: Ken Dreyer <ktdreyer at ktdreyer.com>
Date: Fri Jun 27 15:18:01 2014 -0600
Patches for CVE-2014-4002 Cross-site scripting vulnerability
(RHBZ #1113035)
cacti-0.8.8b-validate-drp-action.patch | 141 ++++++++++++++++++++
cacti-0.8.8b-validate-graph-templates-inputs.patch | 21 +++
cacti.spec | 14 ++-
3 files changed, 175 insertions(+), 1 deletions(-)
---
diff --git a/cacti-0.8.8b-validate-drp-action.patch b/cacti-0.8.8b-validate-drp-action.patch
new file mode 100644
index 0000000..5de4d84
--- /dev/null
+++ b/cacti-0.8.8b-validate-drp-action.patch
@@ -0,0 +1,141 @@
+------------------------------------------------------------------------
+r7452 | cigamit | 2014-06-15 17:34:39 -0600 (Sun, 15 Jun 2014) | 1 line
+
+-bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability
+------------------------------------------------------------------------
+Index: branches/0.8.8/host_templates.php
+===================================================================
+--- branches/0.8.8/host_templates.php (revision 7451)
++++ branches/0.8.8/host_templates.php (revision 7452)
+@@ -117,6 +117,10 @@
+ function form_actions() {
+ global $colors, $host_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/cdef.php
+===================================================================
+--- branches/0.8.8/cdef.php (revision 7451)
++++ branches/0.8.8/cdef.php (revision 7452)
+@@ -158,6 +158,10 @@
+ function form_actions() {
+ global $colors, $cdef_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_queries.php
+===================================================================
+--- branches/0.8.8/data_queries.php (revision 7451)
++++ branches/0.8.8/data_queries.php (revision 7452)
+@@ -195,6 +195,10 @@
+ function form_actions() {
+ global $colors, $dq_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_sources.php
+===================================================================
+--- branches/0.8.8/data_sources.php (revision 7451)
++++ branches/0.8.8/data_sources.php (revision 7452)
+@@ -307,6 +307,10 @@
+ function form_actions() {
+ global $colors, $ds_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/host.php
+===================================================================
+--- branches/0.8.8/host.php (revision 7451)
++++ branches/0.8.8/host.php (revision 7452)
+@@ -175,6 +175,10 @@
+ function form_actions() {
+ global $colors, $device_actions, $fields_host_edit;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_input.php
+===================================================================
+--- branches/0.8.8/data_input.php (revision 7451)
++++ branches/0.8.8/data_input.php (revision 7452)
+@@ -153,6 +153,10 @@
+ function form_actions() {
+ global $colors, $di_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/graph_templates.php
+===================================================================
+--- branches/0.8.8/graph_templates.php (revision 7451)
++++ branches/0.8.8/graph_templates.php (revision 7452)
+@@ -164,6 +164,10 @@
+ function form_actions() {
+ global $colors, $graph_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/graphs.php
+===================================================================
+--- branches/0.8.8/graphs.php (revision 7451)
++++ branches/0.8.8/graphs.php (revision 7452)
+@@ -267,6 +267,11 @@
+
+ function form_actions() {
+ global $colors, $graph_actions;
++
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_templates.php
+===================================================================
+--- branches/0.8.8/data_templates.php (revision 7451)
++++ branches/0.8.8/data_templates.php (revision 7452)
+@@ -254,6 +254,10 @@
+ function form_actions() {
+ global $colors, $ds_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
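Review bot: The added check validates only `drp_action`; the context line immediately below it in every one of the nine `form_actions()` hunks still passes raw POST data to `unserialize(stripslashes($_POST["selected_items"]))`, which this patch leaves untouched. `unserialize()` on request-supplied input is a known object-injection risk class separate from the XSS being fixed, so whether it is mitigated depends on what follows in each `form_actions()` (every one of them continues past its hunk); it is worth confirming downstream that each element of `$selected_items` is run through `input_validate_input_number()` before use, or that the field is carried as a plain list of ids rather than a serialized blob. The behaviour of `input_validate_input_number()` itself (presumably it rejects non-numeric values and aborts the request) is not visible here. Since this file is a vendored upstream patch, any such change belongs in an upstream follow-up rather than in an edit to the patch inside the package.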
diff --git a/cacti-0.8.8b-validate-graph-templates-inputs.patch b/cacti-0.8.8b-validate-graph-templates-inputs.patch
new file mode 100644
index 0000000..93afb41
--- /dev/null
+++ b/cacti-0.8.8b-validate-graph-templates-inputs.patch
@@ -0,0 +1,21 @@
+------------------------------------------------------------------------
+r7451 | cigamit | 2014-06-15 15:54:20 -0600 (Sun, 15 Jun 2014) | 1 line
+
+Add some validation
+------------------------------------------------------------------------
+Index: branches/0.8.8/graph_templates_inputs.php
+===================================================================
+--- branches/0.8.8/graph_templates_inputs.php (revision 7450)
++++ branches/0.8.8/graph_templates_inputs.php (revision 7451)
+@@ -52,6 +52,11 @@
+ $graph_input_values = array();
+ $selected_graph_items = array();
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post("graph_template_input_id"));
++ input_validate_input_number(get_request_var_post("graph_template_id"));
++ /* ==================================================== */
++
+ $save["id"] = $_POST["graph_template_input_id"];
+ $save["hash"] = get_hash_graph_template($_POST["graph_template_input_id"], "graph_template_input");
+ $save["graph_template_id"] = $_POST["graph_template_id"];
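Review bot: The two validated values are fetched through `get_request_var_post()` but the `$save` assignments right below re-read `$_POST[...]` directly, which is a point of style rather than a defect: reading each value once into a local, e.g. `$input_id = get_request_var_post("graph_template_input_id");`, and using it for both the validation call and the `$save` lines would make it visibly the same value that was validated and stored. This assumes `get_request_var_post()` simply returns the POST value for the given name; confirm against its definition. The enclosing function starts outside the hunk.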
diff --git a/cacti.spec b/cacti.spec
index 44347f3..c7c7322 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -1,6 +1,6 @@
Name: cacti
Version: 0.8.8b
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: An rrd based graphing tool
# Use systemd unit files on Fedora 21+ and RHEL 7.
@@ -52,6 +52,11 @@ Patch5: cacti-0.8.8b-html-injection.patch
# https://bugzilla.redhat.com/1082122
Patch6: cacti-0.8.8b-remote-command-execution.patch
+# Upstream patches for XSS
+# https://bugzilla.redhat.com/1113035
+Patch7: cacti-0.8.8b-validate-graph-templates-inputs.patch
+Patch8: cacti-0.8.8b-validate-drp-action.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
@@ -96,6 +101,9 @@ used to creating traffic graphs with MRTG.
%patch5 -p2
# patch6: Remote command execution, https://bugzilla.redhat.com/1082122
%patch6 -p2
+# patch7 and 8: XSS, https://bugzilla.redhat.com/1113035
+%patch7 -p2
+%patch8 -p2
cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
rm -rf include/treeview
@@ -192,6 +200,10 @@ rm -rf %{buildroot}
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
%changelog
+* Fri Jun 27 2014 Ken Dreyer <ktdreyer at ktdreyer.com> - 0.8.8b-7
+- Patches for CVE-2014-4002 Cross-site scripting vulnerability
+ (RHBZ #1113035)
+
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.8.8b-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild