cacti SNMP verbose query PHP error

Thanks for your work on this. Unfortunately this was already fixed in Ubuntu 12.04.

In Debian the fix landed in 0.8.7b-2.1+lenny5 and Ubuntu precise is already at 0.8.7i-2ubuntu1.

Thanks again!

Cacti (0.8.7e) over Ubuntu 10.04 LTS doesn't work correctly (snmp and other functions) with the recent "apt-get update/upgrade".

The patch.debdiff is not perfect for 10.04 LTS

# patch -p0 <patch.debdiff
patching file snmp.php
Hunk #1 FAILED at 1.
Hunk #4 succeeded at 67 with fuzz 1 (offset -4 lines).
Hunk #5 succeeded at 77 (offset -4 lines).
Hunk #6 succeeded at 161 (offset -12 lines).
Hunk #7 succeeded at 171 with fuzz 1 (offset -16 lines).
Hunk #8 succeeded at 181 (offset -16 lines).
Hunk #9 succeeded at 237 (offset -20 lines).
Hunk #10 succeeded at 248 with fuzz 1 (offset -20 lines).
Hunk #11 succeeded at 279 (offset -20 lines).
Hunk #12 succeeded at 292 (offset -20 lines).
Hunk #13 succeeded at 317 (offset -24 lines).
Hunk #14 succeeded at 332 (offset -24 lines).
Hunk #15 succeeded at 386 (offset -28 lines).
Hunk #16 succeeded at 398 (offset -28 lines).
Hunk #17 FAILED at 489.
Hunk #18 succeeded at 490 (offset -30 lines).
Hunk #19 succeeded at 525 (offset -30 lines).
2 out of 19 hunks FAILED -- saving rejects to file snmp.php.rej

The error in /var/log/apache2/error.log is fixed in the "i" version

Cacti 0.8.7i Change Log

     bug: Resolved "Fatal error: Cannot use string offset as an array"
  in lib/data_query.php

Can you release an update for fix it?

Thanks

PS: Here another errors/warning with the 0.8.7e in Ubuntu 10.04LTS:

 PHP Deprecated: Function eregi_replace() is deprecated in /usr/share/cacti/site/lib/variables.php on line 123
 Function session_unregister() is deprecated in /usr/share/cacti/site/lib/functions.php on line 359
 Function ereg() is deprecated in /usr/share/cacti/site/lib/html_utility.php on line 50,

HI all,
I also have the same problem of Sim on my ubuntu 10.04LTS.

I have tried to apply the patch but it doesn't work.
Please fix it.

Thanks in advance.

Hi Vaibhav

Just a cherrypick sru might work here I believe with refreshing the patch if required for 10.04

Daniel: Your thoughts?

Regards

Could somebody please check if the attached commit fixes the issue? If affirmative, I will create a debdiff for this issue.

I have reproduced the problem with the cacti package from lucid in my precise test environment. My above patch did NOT work. However with a small change sizeof -> empty the patch works.

If somebody else can verify the patch, that would be great.

I haven't looked at the patch, though there are a few more information that are needed before considering an SRU here:
 - Please add a [rational], [test case] and [regression potential] section to the bug description (https://wiki.ubuntu.com/StableReleaseUpdates)
 - What version was this bug fixed in? Apparently most people seem affected by this on 10.04, but any intermediary supported release should also be fixed to prevent regressions on upgrade from 10.04.

Marking the bug Incomplete for now, please change it back to New when these information are added.

Hello!

I'm not able to test the fix because I've update manually all my Cacti (from 10.04 LTS repository) to current version 0.8.8a

Regards

Looking at the code, it would seem lucid, natty and oneiric are affected.

Could someone please create debdiffs for those releases, and test them?

Marking the bug as incomplete for now.

The story continues. I had a look at my patch again and saw a real big flaw: !sizeof should be replaced by empty, not by !empty. The bug goes away for other reasons than the intended one. I found out now by being even more careful that indeed the source of the regression is CVE-2010-1645.patch (at least in the lucid one). Disclaimer: I haven't checked what exactly happened without that patch, but the ADDITIONAL source that causes this bug is in that patch.

Tonight I hope I will create a proper debdiff (still pretty simple) for this bug. I will check again if I can figure out if my statement about natty and oneiric is still valid.

Removing the sponsors team until there are SRU debdiffs to review.

Please find attached the debdiff for lucid-proposed.

I confirm as stated earlier that both natty and oneiric don't suffer from this bug for two reasons. One, the regression was really introduced in patch CVE-2010-1645.patch which was only in lucid, and second, because the important part of the solution is already incorporated in the 0.8.7.g version of cacti. Therefor I mark the natty and oneiric tasks as invalid.

Assigning the sponsors again.

Given the amount of effort you've put into the bug I decided to upload the fix to lucid-proposed. Thanks for all your work on this!

@ Brian Murray
Thanks for the upload. If you don't mind, I would appreciate a comment on my PerPackageUploaderApplication wiki page: https://wiki.ubuntu.com/Elbrus/PerPackageUploaderApplication

In Upstream cacti this bug only existed several days. closing as Fix released.

Hello Ákos, or anyone else affected,

Accepted into precise-proposed. The package will build now and be available in a few hours in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

@Scott, I hope and believe you mean lucid-proposed, right [1]?

Hopefully I have the time on Wednesday to test in my testing environment, if nobody beats me to it.

[1] https://launchpad.net/ubuntu/+source/cacti/0.8.7e-2ubuntu0.3/+build/3690197

[TESTCASE]

 * With cacti installed and configured, go to the /cacti/host.php page (via the "devices" link on every cacti page) and select a device (e.g. localhost)

kubuntu@kubuntu:~$ dpkg --list cacti
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=========================-=========================-==================================================================
ii cacti 0.8.7e-2ubuntu0.2 Frontend to rrdtool for monitoring systems and services

 * Make sure that in the SNMP Options section the SNMP Version is set to "Not In Use"

Check

 * In the "Associated Data Queries" part, select "SNMP - Interface Statistics" in the "Add data query" drop down selection box and press "Add".

Check

 * The next screen is blank.

Indeed

 * In the apache error.log you will find:
   PHP Fatal error: Cannot use string offset as an array in /usr/share/cacti/site/lib/data_query.php on line 183, referer: http://localhost/cacti/host.php?action=edit&id=1

[Thu Aug 02 18:05:10 2012] [error] [client 127.0.0.1] PHP Fatal error: Cannot use string offset as an array in /usr/share/cacti/site/lib/data_query.php on line 183, referer: http://localhost/cacti/host.php?action=edit&id=1

 * After the patch the result will be return to the host.php file, but it will show the added "SNMP - Interface Statistics" with "Success [0 Items, 0 Rows]"

Indeed

kubuntu@kubuntu:~$ dpkg --list cacti
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=========================-=========================-==================================================================
ii cacti 0.8.7e-2ubuntu0.3 Frontend to rrdtool for monitoring systems and services

kubuntu@kubuntu:~$ sudo grep "PHP Fatal error:" /var/log/apache2/error.log
[Thu Aug 02 18:05:10 2012] [error] [client 127.0.0.1] PHP Fatal error: Cannot use string offset as an array in /usr/share/cacti/site/lib/data_query.php on line 183, referer: http://localhost/cacti/host.php?action=edit&id=1

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package cacti - 0.8.7e-2ubuntu0.3

---------------
cacti (0.8.7e-2ubuntu0.3) lucid-proposed; urgency=low

  * Fix regression in the CVE-2010-1645 update on error handling:
    "PHP Fatal error: Cannot use string offset as an array in
     /usr/share/cacti/site/lib/data_query.php on line 183" (LP: #914746)
    - debian/patches/LP914746_regression_lucid_string_offset_in_data_query.patch
 -- Paul Gevers <email address hidden> Wed, 18 Jul 2012 13:55:19 -0700