From 388543ca99f5a2b264f47e7e540b72b779f674e6 Mon Sep 17 00:00:00 2001
From: Ken Dreyer
Date: Fri, 27 Jun 2014 15:18:01 -0600
Subject: [PATCH] Patches for CVE-2014-4002 Cross-site scripting vulnerability (RHBZ #1113035)

---
 cacti-0.8.8b-validate-drp-action.patch | 141 ++++++++++++++++++
 ...8.8b-validate-graph-templates-inputs.patch | 21 +++
 cacti.spec | 14 +-
 3 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 cacti-0.8.8b-validate-drp-action.patch
 create mode 100644 cacti-0.8.8b-validate-graph-templates-inputs.patch

diff --git a/cacti-0.8.8b-validate-drp-action.patch b/cacti-0.8.8b-validate-drp-action.patch
new file mode 100644
index 0000000..5de4d84
--- /dev/null
+++ b/cacti-0.8.8b-validate-drp-action.patch
@@ -0,0 +1,141 @@
+------------------------------------------------------------------------
+r7452 | cigamit | 2014-06-15 17:34:39 -0600 (Sun, 15 Jun 2014) | 1 line
+
+-bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability
+------------------------------------------------------------------------
+Index: branches/0.8.8/host_templates.php
+===================================================================
+--- branches/0.8.8/host_templates.php (revision 7451)
++++ branches/0.8.8/host_templates.php (revision 7452)
+@@ -117,6 +117,10 @@
+ function form_actions() {
+ global $colors, $host_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/cdef.php
+===================================================================
+--- branches/0.8.8/cdef.php (revision 7451)
++++ branches/0.8.8/cdef.php (revision 7452)
+@@ -158,6 +158,10 @@
+ function form_actions() {
+ global $colors, $cdef_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_queries.php
+===================================================================
+--- branches/0.8.8/data_queries.php (revision 7451)
++++ branches/0.8.8/data_queries.php (revision 7452)
+@@ -195,6 +195,10 @@
+ function form_actions() {
+ global $colors, $dq_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_sources.php
+===================================================================
+--- branches/0.8.8/data_sources.php (revision 7451)
++++ branches/0.8.8/data_sources.php (revision 7452)
+@@ -307,6 +307,10 @@
+ function form_actions() {
+ global $colors, $ds_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/host.php
+===================================================================
+--- branches/0.8.8/host.php (revision 7451)
++++ branches/0.8.8/host.php (revision 7452)
+@@ -175,6 +175,10 @@
+ function form_actions() {
+ global $colors, $device_actions, $fields_host_edit;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_input.php
+===================================================================
+--- branches/0.8.8/data_input.php (revision 7451)
++++ branches/0.8.8/data_input.php (revision 7452)
+@@ -153,6 +153,10 @@
+ function form_actions() {
+ global $colors, $di_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/graph_templates.php
+===================================================================
+--- branches/0.8.8/graph_templates.php (revision 7451)
++++ branches/0.8.8/graph_templates.php (revision 7452)
+@@ -164,6 +164,10 @@
+ function form_actions() {
+ global $colors, $graph_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/graphs.php
+===================================================================
+--- branches/0.8.8/graphs.php (revision 7451)
++++ branches/0.8.8/graphs.php (revision 7452)
+@@ -267,6 +267,11 @@
+
+ function form_actions() {
+ global $colors, $graph_actions;
++
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
+Index: branches/0.8.8/data_templates.php
+===================================================================
+--- branches/0.8.8/data_templates.php (revision 7451)
++++ branches/0.8.8/data_templates.php (revision 7452)
+@@ -254,6 +254,10 @@
+ function form_actions() {
+ global $colors, $ds_actions;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post('drp_action'));
++ /* ==================================================== */
++
+ /* if we are to save this form, instead of display it */
+ if (isset($_POST["selected_items"])) {
+ $selected_items = unserialize(stripslashes($_POST["selected_items"]));
diff --git a/cacti-0.8.8b-validate-graph-templates-inputs.patch b/cacti-0.8.8b-validate-graph-templates-inputs.patch
new file mode 100644
index 0000000..93afb41
--- /dev/null
+++ b/cacti-0.8.8b-validate-graph-templates-inputs.patch
@@ -0,0 +1,21 @@
+------------------------------------------------------------------------
+r7451 | cigamit | 2014-06-15 15:54:20 -0600 (Sun, 15 Jun 2014) | 1 line
+
+Add some validation
+------------------------------------------------------------------------
+Index: branches/0.8.8/graph_templates_inputs.php
+===================================================================
+--- branches/0.8.8/graph_templates_inputs.php (revision 7450)
++++ branches/0.8.8/graph_templates_inputs.php (revision 7451)
+@@ -52,6 +52,11 @@
+ $graph_input_values = array();
+ $selected_graph_items = array();
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post("graph_template_input_id"));
++ input_validate_input_number(get_request_var_post("graph_template_id"));
++ /* ==================================================== */
++
+ $save["id"] = $_POST["graph_template_input_id"];
+ $save["hash"] = get_hash_graph_template($_POST["graph_template_input_id"], "graph_template_input");
+ $save["graph_template_id"] = $_POST["graph_template_id"];
diff --git a/cacti.spec b/cacti.spec
index 44347f3..c7c7322 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.8b
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: An rrd based graphing tool

 # Use systemd unit files on Fedora 21+ and RHEL 7.
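Review bot: Every form_actions() touched by this patch still feeds raw request data to `unserialize(stripslashes($_POST["selected_items"]))` on the line directly after the new drp_action check, so the added validation covers the action selector but not the item list the action is then applied to. unserialize() accepts any serialized PHP value, so the array it yields should be checked element by element before it is used, e.g. `foreach ($selected_items as $item) { input_validate_input_number($item); }` right after the unserialize call, assuming the items are numeric ids (the visible lines do not show how they are consumed). The same pattern appears in all nine files of this patch (host_templates.php, cdef.php, data_queries.php, data_sources.php, host.php, data_input.php, graph_templates.php, graphs.php, data_templates.php), so one shared fix would cover them all. Each form_actions() body continues past the hunk, so some of this may already happen further down; if it does, a comment at the unserialize line pointing to it would help.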
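Review bot: The three `$save[...]` assignments that follow the new validation block read `$_POST["graph_template_input_id"]` and `$_POST["graph_template_id"]` directly rather than the values that were just passed to input_validate_input_number(), so the check only protects them if that function aborts the request on a non-numeric value instead of returning a status. The hunk does not show the function's contract; if it returns a result, that result needs to be checked here before the assignments, and if it aborts, a one-line comment such as `/* input_validate_input_number() terminates the request on invalid input, so the raw $_POST reads below are already numeric */` would make the reliance explicit for the next reader. The enclosing function begins before line 52 and continues past the hunk.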
@@ -52,6 +52,11 @@ Patch5: cacti-0.8.8b-html-injection.patch
 # https://bugzilla.redhat.com/1082122
 Patch6: cacti-0.8.8b-remote-command-execution.patch

+# Upstream patches for XSS
+# https://bugzilla.redhat.com/1113035
+Patch7: cacti-0.8.8b-validate-graph-templates-inputs.patch
+Patch8: cacti-0.8.8b-validate-drp-action.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
@@ -96,6 +101,9 @@ used to creating traffic graphs with MRTG.
 %patch5 -p2
 # patch6: Remote command execution, https://bugzilla.redhat.com/1082122
 %patch6 -p2
+# patch7 and 8: XSS, https://bugzilla.redhat.com/1113035
+%patch7 -p2
+%patch8 -p2

 cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
 rm -rf include/treeview
@@ -192,6 +200,10 @@ rm -rf %{buildroot}
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib

 %changelog
+* Fri Jun 27 2014 Ken Dreyer - 0.8.8b-7
+- Patches for CVE-2014-4002 Cross-site scripting vulnerability
+ (RHBZ #1113035)
+
 * Sat Jun 07 2014 Fedora Release Engineering - 0.8.8b-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
