Patches for bug#243592

CVE-2007-3112.patch

@@ -0,0 +1,29 @@
+--- branches/BRANCH_0_8_6/cacti/graph_image.php	2007/03/04 20:17:57	3898
++++ branches/BRANCH_0_8_6/cacti/graph_image.php	2007/06/04 06:41:13	3956
+@@ -49,22 +49,22 @@
+ $graph_data_array = array();
+ 
+ /* override: graph start time (unix time) */
+-if (!empty($_GET["graph_start"])) {
++if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
+ 	$graph_data_array["graph_start"] = $_GET["graph_start"];
+ }
+ 
+ /* override: graph end time (unix time) */
+-if (!empty($_GET["graph_end"])) {
++if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+ 	$graph_data_array["graph_end"] = $_GET["graph_end"];
+ }
+ 
+ /* override: graph height (in pixels) */
+-if (!empty($_GET["graph_height"])) {
++if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+ 	$graph_data_array["graph_height"] = $_GET["graph_height"];
+ }
+ 
+ /* override: graph width (in pixels) */
+-if (!empty($_GET["graph_width"])) {
++if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+ 	$graph_data_array["graph_width"] = $_GET["graph_width"];
+ }
+ 

cacti.spec

@@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.6j
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: An rrd based graphing tool
 
 Group: Applications/System
@@ -12,6 +12,7 @@ Source2: cacti.logrotate
 Source3: cacti.README.Fedora
 
 Patch1: cacti-0.8.6h-dbcfg.patch
+Patch2: CVE-2007-3112.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -32,6 +33,7 @@ used to creating traffic graphs with MRTG.
 %prep
 %setup -q
 %patch1 -p0
+%patch2 -p3
 
 echo "#*/5 * * * *	cacti	%{_bindir}/php %{_datadir}/%{name}/poller.php > /dev/null 2>&1" >cacti.cron
 
@@ -103,6 +105,9 @@ fi
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
 
 %changelog
+* Fri Sep 14 2007 Mike McGrath <mmcgrath@redhat.com> - 0.8.6j-7
+- Fix for CVE-2007-3112 bz#243592
+
 * Sat Sep 08 2007 Mike McGrath <mmcgrath@redhat.com> - 0.8.6j-6
 - rebuild