diff --git a/cacti-0.8.8b-html-injection.patch b/cacti-0.8.8b-html-injection.patch new file mode 100644 index 0000000..1326dff --- /dev/null +++ b/cacti-0.8.8b-html-injection.patch @@ -0,0 +1,19 @@ +------------------------------------------------------------------------ +r7443 | rony | 2014-03-30 18:43:28 -0500 (Sun, 30 Mar 2014) | 2 lines + +bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability + +------------------------------------------------------------------------ +Index: branches/0.8.8/cdef.php +=================================================================== +--- branches/0.8.8/cdef.php (revision 7442) ++++ branches/0.8.8/cdef.php (revision 7443) +@@ -431,7 +431,7 @@ + ">Item # + + +- : ++ : + + + ">Move Down diff --git a/cacti-0.8.8b-remote-command-execution.patch b/cacti-0.8.8b-remote-command-execution.patch new file mode 100644 index 0000000..c357a06 --- /dev/null +++ b/cacti-0.8.8b-remote-command-execution.patch 
@@ -0,0 +1,28 @@
+------------------------------------------------------------------------
+r7442 | rony | 2014-03-30 18:41:56 -0500 (Sun, 30 Mar 2014) | 2 lines
+
+bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
+
+------------------------------------------------------------------------
+Index: branches/0.8.8/lib/graph_export.php
+===================================================================
+--- branches/0.8.8/lib/graph_export.php (revision 7441)
++++ branches/0.8.8/lib/graph_export.php (revision 7442)
+@@ -339,7 +339,7 @@
+ chdir($stExportDir);
+ 
+ /* set the initial command structure */
+- $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password'];
++ $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']);
+ 
+ /* if the user requested passive mode, use it */
+ if ($aFtpExport['passive']) {
+@@ -347,7 +347,7 @@
+ }
+ 
+ /* setup the port, server, remote directory and all files */
+- $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . ".";
++ $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . ".";
+ 
+ /* run the command */
+ $iExecuteReturns = 0;
diff --git a/cacti-0.8.8b-sql-injection-shell-escaping.patch b/cacti-0.8.8b-sql-injection-shell-escaping.patch
new file mode 100644
index 0000000..cb72d79
--- /dev/null
+++ b/cacti-0.8.8b-sql-injection-shell-escaping.patch
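Review bot: Quoting the credentials on the two `$stExecute` lines closes the injection, but `$aFtpExport['password']` is still handed to ncftpput as a command-line argument, so it remains readable in the process list by any local user for as long as the transfer runs. ncftpput can take host, user and password from a login-profile file (its `-f` option), which would keep the secret out of argv; such a file must be created with restrictive permissions and removed once the export finishes. `$aFtpExport['port']` is escaped but never validated, so a numeric check on it before the command is assembled would reject a malformed setting instead of passing it, quoted, to the FTP client. The function that builds and later runs `$stExecute` begins and ends outside the hunk.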
@@ -0,0 +1,117 @@
+------------------------------------------------------------------------
+r7439 | rony | 2014-03-30 17:52:10 -0500 (Sun, 30 Mar 2014) | 5 lines
+
+bug#0002405: SQL injection in graph_xport.php
+
+ - Fixed form input validation problems
+ - Fixed rrd export and graph shell escape issues
+
+------------------------------------------------------------------------
+Index: branches/0.8.8/graph_xport.php
+===================================================================
+--- branches/0.8.8/graph_xport.php (revision 7438)
++++ branches/0.8.8/graph_xport.php (revision 7439)
+@@ -47,43 +47,48 @@
+ 
+ $graph_data_array = array();
+ 
++/* ================= input validation ================= */
++input_validate_input_number(get_request_var("local_graph_id"));
++input_validate_input_number(get_request_var("rra_id"));
++/* ==================================================== */
++
+ /* override: graph start time (unix time) */
+-if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
+- $graph_data_array["graph_start"] = $_GET["graph_start"];
++if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
++ $graph_data_array["graph_start"] = get_request_var("graph_start");
+ }
+ 
+ /* override: graph end time (unix time) */
+-if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+- $graph_data_array["graph_end"] = $_GET["graph_end"];
++if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
++ $graph_data_array["graph_end"] = get_request_var("graph_end");
+ }
+ 
+ /* override: graph height (in pixels) */
+-if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+- $graph_data_array["graph_height"] = $_GET["graph_height"];
++if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
++ $graph_data_array["graph_height"] = get_request_var("graph_height");
+ }
+ 
+ /* override: graph width (in pixels) */
+-if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+- $graph_data_array["graph_width"] = $_GET["graph_width"];
++if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
++ $graph_data_array["graph_width"] = get_request_var("graph_width");
+ }
+ 
+ /* override: skip drawing the legend? */
+ if (!empty($_GET["graph_nolegend"])) {
+- $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
++ $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
+ }
+ 
+ /* print RRDTool graph source? */
+ if (!empty($_GET["show_source"])) {
+- $graph_data_array["print_source"] = $_GET["show_source"];
++ $graph_data_array["print_source"] = get_request_var("show_source");
+ }
+ 
+-$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
++$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
+ 
+ /* for bandwidth, NThPercentile */
+ $xport_meta = array();
+ 
+ /* Get graph export */
+-$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
++$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
+ 
+ /* Make graph title the suggested file name */
+ if (is_array($xport_array["meta"])) {
+Index: branches/0.8.8/lib/rrd.php
+===================================================================
+--- branches/0.8.8/lib/rrd.php (revision 7438)
++++ branches/0.8.8/lib/rrd.php (revision 7439)
+@@ -865,13 +865,13 @@
+ /* basic graph options */
+ $graph_opts .=
+ "--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL .
+- "--start=$graph_start" . RRD_NL .
+- "--end=$graph_end" . RRD_NL .
++ "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL .
++ "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL .
+ "--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL .
+ "$rigid" .
+- "--base=" . $graph["base_value"] . RRD_NL .
+- "--height=$graph_height" . RRD_NL .
+- "--width=$graph_width" . RRD_NL .
++ "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL .
++ "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL .
++ "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL .
+ "$scale" .
+ "$unit_value" .
+ "$unit_exponent_value" .
+@@ -1606,8 +1606,8 @@
+ 
+ /* basic export options */
+ $xport_opts =
+- "--start=$xport_start" . RRD_NL .
+- "--end=$xport_end" . RRD_NL .
++ "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL .
++ "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL .
+ "--maxrows=10000" . RRD_NL;
+ 
+ $xport_defs = "";
+@@ -1997,7 +1997,7 @@
+ $stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0;
+ $j++;
+ 
+- $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
++ $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
+ }else{
+ $need_rrd_nl = FALSE;
+ }
diff --git a/cacti.spec b/cacti.spec
index 5ca9847..f4438e8 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.8b
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: An rrd based graphing tool
 
 # Use systemd unit files on Fedora 21+ and RHEL 7.
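Review bot: The new `graph_start` guard in graph_xport.php has its closing parenthesis in the wrong place: `is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)` applies `is_numeric()` to a boolean, which is never numeric, so the condition is always false and the graph_start override is silently dropped. The three sibling guards show the intended shape; the line should read `if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {`. The `db_fetch_row` call still splices `local_graph_id` into the SQL string, so its safety now rests entirely on `input_validate_input_number()` above aborting the request on non-numeric input (presumably it does; verify it does not merely log), and a comment such as `/* local_graph_id is safe to inline: validated as an integer above */` would record that dependency for the next reader. The `rrdtool_function_xport()` call still reads `$_GET["local_graph_id"]` directly while `rra_id` goes through `get_request_var()`; routing both through the helper keeps the two parameters consistent.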
@@ -40,6 +40,18 @@ Patch2: cacti-0.8.8b-sanitize-variables.patch
 # https://bugzilla.redhat.com/1004550
 Patch3: cacti-0.8.8b-rra-comments.patch
 
+# Upstream patch for SQL injection and shell escaping
+# https://bugzilla.redhat.com/1084258
+Patch4: cacti-0.8.8b-sql-injection-shell-escaping.patch
+
+# Upstream patch for HTML injection
+# https://bugzilla.redhat.com/1082122
+Patch5: cacti-0.8.8b-html-injection.patch
+
+# Upstream patch for remote command execution
+# https://bugzilla.redhat.com/1082122
+Patch6: cacti-0.8.8b-remote-command-execution.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
@@ -72,9 +84,18 @@ used to creating traffic graphs with MRTG.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1 -b .notreeview
-%patch2 -p2 -b .sanitize
-%patch3 -p2 -b .comments
+# patch1: Remove treeview
+%patch1 -p1
+# patch2: XSS and SQL injection, https://bugzilla.redhat.com/1000860
+%patch2 -p2
+# patch3: Fix graph comments, https://bugzilla.redhat.com/1004550
+%patch3 -p2
+# patch4: SQL injection and shell escaping, https://bugzilla.redhat.com/1084258
+%patch4 -p2
+# patch5: HTML injection, https://bugzilla.redhat.com/1082122
+%patch5 -p2
+# patch6: Remote command execution, https://bugzilla.redhat.com/1082122
+%patch6 -p2
 cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
 rm -rf include/treeview
 
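Review bot: The Patch4–Patch6 declarations account for CVE-2014-2708/2709 (Patch4), CVE-2014-2326 (Patch5) and CVE-2014-2328 (Patch6), yet the %changelog entry added by this same commit also credits 0.8.8b-5 with fixing CVE-2014-2327 (missing CSRF token), and none of the three new patch files contains a CSRF change; either a patch is missing from the commit or the changelog overstates what this release fixes. Naming the advisory in each Patch comment, e.g. `# Upstream patch for SQL injection (CVE-2014-2708) and shell escaping (CVE-2014-2709)`, would make the patch-to-CVE mapping readable without consulting the changelog. Dropping the `-b` backup suffixes from %patch1–%patch3 in the %prep hunk is harmless, but it is unrelated to the security update and would be easier to audit as its own commit.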
@@ -171,6 +192,16 @@ rm -rf %{buildroot}
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
 
 %changelog
+* Mon Apr 07 2014 Ken Dreyer - 0.8.8b-5
+- Patch for CVE-2014-2708 SQL injection issues in graph_xport.php
+ (RHBZ #1084258)
+- Patch for CVE-2014-2709 shell escaping issues in lib/rrd.php
+ (RHBZ #1084258)
+- Patch for CVE-2014-2326 stored XSS attack (RHBZ #1082122)
+- Patch for CVE-2014-2327 missing CSRF token (RHBZ #1082122)
+- Patch for CVE-2014-2328 use of exec-like function calls without safety
+ checks allow arbitrary command execution (RHBZ #1082122)
+
 * Fri Feb 07 2014 Ken Dreyer - 0.8.8b-4
 - Move cron to a separate file and require crontabs (RHBZ #947047).
 Thanks Jóhann B. Guðmundsson.