diff -u cacti-0.8.6i/debian/changelog cacti-0.8.6i/debian/changelog
--- cacti-0.8.6i/debian/changelog
+++ cacti-0.8.6i/debian/changelog
@@ -1,3 +1,27 @@
+cacti (0.8.6i-3ubuntu0.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE: (LP: #164072)
+ CVE-2007-6035: SQL injection vulnerability in Cacti before 0.8.7a allows
+ remote attackers to execute arbitrary SQL commands via unspecified
+ vectors.
+ CVE-2007-3112: Cacti 0.8.6i, and possibly other versions, allows remote
+ authenticated users to cause a denial of service (CPU consumption) via a large
+ value of the (1) graph_start or (2) graph_end parameter.
+ CVE-2007-3113: Cacti 0.8.6i, and possibly other versions, allows remote
+ authenticated users to cause a denial of service (CPU consumption) via a large
+ value of the (1) graph_height or (2) graph_width parameter.
+ * debian/patches/10_CVE-2007-6035.dpatch: applied patch by upstream
+ (Link: http://www.cacti.net/downloads/patches/0.8.6j/sec_sql_injection-0.8.6j.patch)
+ * debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch:
+ - Applied patch by upstream
+ - Link: http://svn.cacti.net/cgi-bin/viewvc.cgi/cacti/branches/0.8.7/graph_image.php?r1=3898&r2=3956&view=patch
+ * References:
+ CVE-2007-6035
+ CVE-2007-3112
+ CVE-2007-3113
+
+ -- Stephan Hermann Tue, 20 Nov 2007 15:57:18 +0100
+
 cacti (0.8.6i-3) unstable; urgency=high
 
 * include the list of official patches from upstream which (among other
diff -u cacti-0.8.6i/debian/patches/00list cacti-0.8.6i/debian/patches/00list
--- cacti-0.8.6i/debian/patches/00list
+++ cacti-0.8.6i/debian/patches/00list
@@ -8,0 +9,2 @@
+10_CVE-2007-6035.dpatch
+10_CVE-2007-3112+CVE-2007-3113.dpatch
only in patch2:
unchanged:
--- cacti-0.8.6i.orig/debian/patches/10_CVE-2007-6035.dpatch
+++ cacti-0.8.6i/debian/patches/10_CVE-2007-6035.dpatch
@@ -0,0 +1,23 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_CVE-2007-6035.dpatch by Stephan Hermann
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad cacti-0.8.6i~/include/top_graph_header.php cacti-0.8.6i/include/top_graph_header.php
+--- cacti-0.8.6i~/include/top_graph_header.php 2006-10-09 05:06:01.000000000 +0200
++++ cacti-0.8.6i/include/top_graph_header.php 2007-11-20 15:56:44.642621852 +0100
+@@ -27,6 +27,12 @@
+ $using_guest_account = false;
+ $show_console_tab = true;
+
++/* ================= input validation ================= */
++input_validate_input_number(get_request_var_request("local_graph_id"));
++/* ==================================================== */
++
++
++
+ if (read_config_option("global_auth") == "on") {
+ /* at this point this user is good to go... so get some setting about this
+ user and put them into variables to save excess SQL in the future */
only in patch2:
unchanged:
--- cacti-0.8.6i.orig/debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch
+++ cacti-0.8.6i/debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch
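Review bot: The dpatch header still reads `## DP: No description.`, so the patch file itself records neither the CVE nor the upstream origin of the added `input_validate_input_number(get_request_var_request("local_graph_id"));` call; the same placeholder appears in 10_CVE-2007-3112+CVE-2007-3113.dpatch. I would replace it with something like `## DP: CVE-2007-6035: validate local_graph_id as a number (upstream sec_sql_injection-0.8.6j.patch)`. Because the upstream patch was written for 0.8.6j, it is worth confirming that both helper functions exist in the 0.8.6i tree and are loaded before this include runs, which the hunk does not show. The call covers one request parameter only, and the rest of top_graph_header.php lies outside the hunk, so whether other request values reach queries there cannot be judged from here.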
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_CVE-2007-3112+CVE-2007-3113.dpatch by Stephan Hermann
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad cacti-0.8.6i~/graph_image.php cacti-0.8.6i/graph_image.php
+--- cacti-0.8.6i~/graph_image.php 2006-10-09 05:06:01.000000000 +0200
++++ cacti-0.8.6i/graph_image.php 2007-12-06 10:25:51.147083072 +0100
+@@ -51,22 +51,22 @@
+ $graph_data_array = array();
+
+ /* override: graph start time (unix time) */
+-if (!empty($_GET["graph_start"])) {
++if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
+ $graph_data_array["graph_start"] = $_GET["graph_start"];
+ }
+
+ /* override: graph end time (unix time) */
+-if (!empty($_GET["graph_end"])) {
++if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+ $graph_data_array["graph_end"] = $_GET["graph_end"];
+ }
+
+ /* override: graph height (in pixels) */
+-if (!empty($_GET["graph_height"])) {
++if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+ $graph_data_array["graph_height"] = $_GET["graph_height"];
+ }
+
+ /* override: graph width (in pixels) */
+-if (!empty($_GET["graph_width"])) {
++if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+ $graph_data_array["graph_width"] = $_GET["graph_width"];
+ }
+
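Review bot: The four new guards in graph_image.php only cap each value from above with a loose `<` on the raw `$_GET` string, so the value is never checked to be numeric or given a lower bound before it is copied unchanged into `$graph_data_array`. For the pixel sizes I would tighten the condition to `if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] > 0 && $_GET["graph_height"] < 3000) {`, and likewise for `graph_width`. The fixed ceiling `1600000000` on `graph_start` and `graph_end` is a Unix time in September 2020, after which legitimate overrides are silently ignored. A ceiling derived from `time()` plus a numeric check would avoid that, and a short comment should say why each limit was chosen. How these array entries are consumed is outside the hunk, so the effect of a non-numeric value downstream is not visible here.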