Patches for CVE-2014-4002 Cross-site scripting vulnerability

(RHBZ #1113035)
2014-06-27 15:18:01 -06:00 · 2014-06-27 15:18:01 -06:00 · 388543ca99
commit 388543ca99
parent aeb50db9e0
3 changed files with 175 additions and 1 deletions
--- a/cacti-0.8.8b-validate-drp-action.patch
+++ b/cacti-0.8.8b-validate-drp-action.patch
@ -0,0 +1,141 @@
+------------------------------------------------------------------------
+r7452 | cigamit | 2014-06-15 17:34:39 -0600 (Sun, 15 Jun 2014) | 1 line
+
+-bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability
+------------------------------------------------------------------------
+Index: branches/0.8.8/host_templates.php
+===================================================================
+--- branches/0.8.8/host_templates.php	(revision 7451)
+++ branches/0.8.8/host_templates.php	(revision 7452)
+@@ -117,6 +117,10 @@
+ function form_actions() {
+ 	global $colors, $host_actions;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/cdef.php
+===================================================================
+--- branches/0.8.8/cdef.php	(revision 7451)
+++ branches/0.8.8/cdef.php	(revision 7452)
+@@ -158,6 +158,10 @@
+ function form_actions() {
+ 	global $colors, $cdef_actions;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+	
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_queries.php
+===================================================================
+--- branches/0.8.8/data_queries.php	(revision 7451)
+++ branches/0.8.8/data_queries.php	(revision 7452)
+@@ -195,6 +195,10 @@
+ function form_actions() {
+ 	global $colors, $dq_actions;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_sources.php
+===================================================================
+--- branches/0.8.8/data_sources.php	(revision 7451)
+++ branches/0.8.8/data_sources.php	(revision 7452)
+@@ -307,6 +307,10 @@
+ function form_actions() {
+ 	global $colors, $ds_actions;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/host.php
+===================================================================
+--- branches/0.8.8/host.php	(revision 7451)
+++ branches/0.8.8/host.php	(revision 7452)
+@@ -175,6 +175,10 @@
+ function form_actions() {
+ 	global $colors, $device_actions, $fields_host_edit;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_input.php
+===================================================================
+--- branches/0.8.8/data_input.php	(revision 7451)
+++ branches/0.8.8/data_input.php	(revision 7452)
+@@ -153,6 +153,10 @@
+ function form_actions() {
+ 	global $colors, $di_actions;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/graph_templates.php
+===================================================================
+--- branches/0.8.8/graph_templates.php	(revision 7451)
+++ branches/0.8.8/graph_templates.php	(revision 7452)
+@@ -164,6 +164,10 @@
+ function form_actions() {
+ 	global $colors, $graph_actions;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/graphs.php
+===================================================================
+--- branches/0.8.8/graphs.php	(revision 7451)
+++ branches/0.8.8/graphs.php	(revision 7452)
+@@ -267,6 +267,11 @@
+ 
+ function form_actions() {
+ 	global $colors, $graph_actions;
+
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_templates.php
+===================================================================
+--- branches/0.8.8/data_templates.php	(revision 7451)
+++ branches/0.8.8/data_templates.php	(revision 7452)
+@@ -254,6 +254,10 @@
+ function form_actions() {
+ 	global $colors, $ds_actions;
+ 
+	/* ================= input validation ================= */
+	input_validate_input_number(get_request_var_post('drp_action'));
+	/* ==================================================== */
+
+ 	/* if we are to save this form, instead of display it */
+ 	if (isset($_POST["selected_items"])) {
+ 		$selected_items = unserialize(stripslashes($_POST["selected_items"]));
--- a/cacti-0.8.8b-validate-graph-templates-inputs.patch
+++ b/cacti-0.8.8b-validate-graph-templates-inputs.patch
@ -0,0 +1,21 @@
+------------------------------------------------------------------------
+r7451 | cigamit | 2014-06-15 15:54:20 -0600 (Sun, 15 Jun 2014) | 1 line
+
+Add some validation
+------------------------------------------------------------------------
+Index: branches/0.8.8/graph_templates_inputs.php
+===================================================================
+--- branches/0.8.8/graph_templates_inputs.php	(revision 7450)
+++ branches/0.8.8/graph_templates_inputs.php	(revision 7451)
+@@ -52,6 +52,11 @@
+ 		$graph_input_values = array();
+ 		$selected_graph_items = array();
+ 
+		/* ================= input validation ================= */
+		input_validate_input_number(get_request_var_post("graph_template_input_id"));
+		input_validate_input_number(get_request_var_post("graph_template_id"));
+		/* ==================================================== */
+		
+ 		$save["id"] = $_POST["graph_template_input_id"];
+ 		$save["hash"] = get_hash_graph_template($_POST["graph_template_input_id"], "graph_template_input");
+ 		$save["graph_template_id"] = $_POST["graph_template_id"];
--- a/cacti.spec
+++ b/cacti.spec
@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.8b
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: An rrd based graphing tool

 # Use systemd unit files on Fedora 21+ and RHEL 7.
@ -52,6 +52,11 @@ Patch5: cacti-0.8.8b-html-injection.patch
 # https://bugzilla.redhat.com/1082122
 Patch6: cacti-0.8.8b-remote-command-execution.patch

+# Upstream patches for XSS
+# https://bugzilla.redhat.com/1113035
+Patch7: cacti-0.8.8b-validate-graph-templates-inputs.patch
+Patch8: cacti-0.8.8b-validate-drp-action.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
@ -96,6 +101,9 @@ used to creating traffic graphs with MRTG.
 %patch5 -p2
 # patch6: Remote command execution, https://bugzilla.redhat.com/1082122
 %patch6 -p2
+# patch7 and 8: XSS, https://bugzilla.redhat.com/1113035
+%patch7 -p2
+%patch8 -p2
 cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
 rm -rf include/treeview

@ -192,6 +200,10 @@ rm -rf %{buildroot}
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib

 %changelog
+* Fri Jun 27 2014 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-7
+- Patches for CVE-2014-4002 Cross-site scripting vulnerability
+  (RHBZ #1113035)
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.8b-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild