diff --git a/cacti-0.8.8b-sanitize-variables.patch b/cacti-0.8.8b-sanitize-variables.patch
new file mode 100644
index 0000000..37ded2e
--- /dev/null
+++ b/cacti-0.8.8b-sanitize-variables.patch
@@ -0,0 +1,155 @@
+------------------------------------------------------------------------
+r7420 | cigamit | 2013-08-17 21:41:24 -0600 (Sat, 17 Aug 2013) | 1 line
+
+Bug #0002383 : Sanitize the step and id variables
+------------------------------------------------------------------------
+Index: branches/0.8.8/host.php
+===================================================================
+--- branches/0.8.8/host.php (revision 7419)
++++ branches/0.8.8/host.php (revision 7420)
+@@ -149,6 +149,9 @@
+ if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) {
+ raise_message(4);
+ }else{
++ input_validate_input_number(get_request_var_post("id"));
++ input_validate_input_number(get_request_var_post("host_template_id"));
++
+ $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
+ trim($_POST["hostname"]), $_POST["snmp_community"], $_POST["snmp_version"],
+ $_POST["snmp_username"], $_POST["snmp_password"],
+Index: branches/0.8.8/lib/api_device.php
+===================================================================
+--- branches/0.8.8/lib/api_device.php (revision 7419)
++++ branches/0.8.8/lib/api_device.php (revision 7420)
+@@ -107,7 +107,7 @@
+ $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
+ }
+
+- $save["id"] = $id;
++ $save["id"] = form_input_validate($id, "id", "^[0-9]+$", false, 3);
+ $save["host_template_id"] = form_input_validate($host_template_id, "host_template_id", "^[0-9]+$", false, 3);
+ $save["description"] = form_input_validate($description, "description", "", false, 3);
+ $save["hostname"] = form_input_validate(trim($hostname), "hostname", "", false, 3);
+Index: branches/0.8.8/install/index.php
+===================================================================
+--- branches/0.8.8/install/index.php (revision 7419)
++++ branches/0.8.8/install/index.php (revision 7420)
+@@ -310,27 +310,28 @@
+ }
+
+ /* pre-processing that needs to be done 
for each step */
+-if (empty($_REQUEST["step"])) {
+- $_REQUEST["step"] = 1;
+-}else{
+- if ($_REQUEST["step"] == "1") {
+- $_REQUEST["step"] = "2";
+- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "1")) {
+- $_REQUEST["step"] = "3";
+- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "3")) {
+- $_REQUEST["step"] = "8";
+- }elseif (($_REQUEST["step"] == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
+- $_REQUEST["step"] = "9";
+- }elseif ($_REQUEST["step"] == "8") {
+- $_REQUEST["step"] = "3";
+- }elseif ($_REQUEST["step"] == "9") {
+- $_REQUEST["step"] = "3";
+- }elseif ($_REQUEST["step"] == "3") {
+- $_REQUEST["step"] = "4";
++if (isset($_REQUEST["step"]) && $_REQUEST["step"] > 0) {
++ $step = intval($_REQUEST["step"]);
++ if ($step == "1") {
++ $step = "2";
++ } elseif (($step == "2") && ($_REQUEST["install_type"] == "1")) {
++ $step = "3";
++ } elseif (($step == "2") && ($_REQUEST["install_type"] == "3")) {
++ $step = "8";
++ } elseif (($step == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
++ $step = "9";
++ } elseif ($step == "8") {
++ $step = "3";
++ } elseif ($step == "9") {
++ $step = "3";
++ } elseif ($step == "3") {
++ $step = "4";
+ }
++} else {
++ $step = 1;
+ }
+
+-if ($_REQUEST["step"] == "4") {
++if ($step == "4") {
+ include_once("../lib/data_query.php");
+ include_once("../lib/utility.php");
+
+@@ -366,7 +367,7 @@
+
+ header ("Location: ../index.php");
+ exit;
+-}elseif (($_REQUEST["step"] == "8") && ($_REQUEST["install_type"] == "3")) {
++}elseif (($step == "8") && ($_REQUEST["install_type"] == "3")) {
+ /* if the version is not found, die */
+ if (!is_int($old_version_index)) {
+ print "

Error

+@@ -505,7 +506,7 @@ + + + +- ++ + +

Thanks for taking the time to download and install cacti, the complete graphing + solution for your network. Before you can start making cool graphs, there are a few +@@ -530,7 +531,7 @@ + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details.

+ +- ++ + +

Please select the type of installation

+ +@@ -551,7 +552,7 @@ + print "Server Operating System Type: " . $config["cacti_server_os"] . "
"; ?> +

+ +- ++ + +

Make sure all of these values are correct before continuing.

+ + +- ++ + +

Upgrade results:

+ +@@ -659,7 +660,7 @@ + print $upgrade_results; + ?> + +- ++ + +

Important Upgrade Notice

+ +@@ -673,7 +674,7 @@ + + + +-

finishnext.gif" alt="FinishNext">

++

finishnext.gif" alt="FinishNext">

+ + + +@@ -681,7 +682,7 @@ + + + +-"> ++ + + + diff --git a/cacti.spec b/cacti.spec index 359b247..35c4bab 100644 --- a/cacti.spec +++ b/cacti.spec @@ -1,6 +1,6 @@ Name: cacti Version: 0.8.8b -Release: 1%{?dist} +Release: 2%{?dist} Summary: An rrd based graphing tool Group: Applications/System @@ -26,6 +26,10 @@ Patch0: cacti-0.8.8a-legal.patch # Thanks to Paul Gevers and Jan Zalesak (Debian) Patch1: cacti-0.8.8a-replace_treeview_by_jquery.jstree.patch +# Upstream patch for XSS and SQL injection +# https://bugzilla.redhat.com/1000860 +Patch2: cacti-0.8.8b-sanitize-variables.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp @@ -52,6 +56,7 @@ used to creating traffic graphs with MRTG. %setup -q %patch0 -p1 %patch1 -p1 -b .notreeview +%patch2 -p2 -b .sanitize cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/ rm -rf include/treeview @@ -142,6 +147,9 @@ fi %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib %changelog +* Mon Aug 26 2013 Ken Dreyer - 0.8.8b-2 +- Patch for CVE-2013-5588 and CVE-2013-5589 (BZ #1000860) + * Wed Aug 07 2013 Ken Dreyer - 0.8.8b-1 - New upstream release (BZ #993042)