Please backport cacti security fixes

Bug #1210822 reported by Jeremy Stanley
Affects           Status        Importance  Assigned to     Milestone
cacti (Ubuntu)    Fix Released  Medium      Unassigned
  Precise         Won't Fix     Medium      Unassigned
  Trusty          Fix Released  Medium      Steve Beattie
  Utopic          Fix Released  Medium      Steve Beattie
  Vivid           Fix Released  Medium      Steve Beattie

Bug Description

The cacti source in Debian/sid as of today now addresses CVE-2013-1434 and CVE-2013-1435.

Tags: patch
Jeremy Stanley (fungi)
information type: Private Security → Public Security
Revision history for this message
Paul Gevers (paul-climbing) wrote :

This bug was fixed in the package cacti - 0.8.8b+dfsg-2

---------------
cacti (0.8.8b+dfsg-2) unstable; urgency=low

  * CVE-2013-1435 fix caused a regression in the handling of empty COMMENT
    lines in the rrd legend. Fixed by upstream:
    fix_COMMENT_in_graph_regression_from_CVE-2013-1435.patch (Closes: #719156)
  * Update jquery stylesheet to provide the cacti background color

 -- Paul Gevers <email address hidden> Fri, 09 Aug 2013 22:34:26 +0200

cacti (0.8.8b+dfsg-1) unstable; urgency=low

  * New upstream release
    - Fixes SQL or command line injection via snmp settings or
      graph creation or editing that allows privileged users to execute
      arbitrary SQL commands or command line commands. CVE-2013-1434 and
      CVE-2013-1435
    - poller_cache_rebuild_on_install.patch included
  * Add d/rules get-orig-source target and accompanying script
  * Update japanese translation, thank victory (Closes: #717203)
  * Update vcs-* fields (thanks lintian)
  * Update standards (no changes needed)
  * Update years and my address in d/copyright
  * Allow any php5 SAPI provider to satisfy cacti dependency, thanks
    Ondřej Surý (php5 maintainer). Thus reverting the solution to bug
    #654843 as the original report was not a bug but a reporter mistake.
    libapache2-mod-fcgid does not provide php5 SAPI.

 -- Paul Gevers <email address hidden> Wed, 07 Aug 2013 20:46:58 +0200

Changed in cacti (Ubuntu):
status: New → Fix Released
status: Fix Released → Triaged
Revision history for this message
Paul Gevers (paul-climbing) wrote :

Oops, the bug was against 12.04, not saucy. Reopened. Once I fixed the Debian (old) stable packages, I will look into Ubuntu packages. Just for the record, to abuse these CVEs, the user needs cacti administrator rights, so the risk is very high.

Revision history for this message
Paul Gevers (paul-climbing) wrote :

I have created a debdiff for this issue. The patch applies cleanly, but as I don't have precise myself anymore I have not built and tested the package (yet). I would appreciate if somebody else would do that and assign the ubuntu-security-sponsors: https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue if successful.

@ comment #2:
"the risk is very high" should of course have been "the risk is not very high"

tags: added: patch
Revision history for this message
Jeremy Stanley (fungi) wrote :

I get a clean cacti_0.8.7i-2ubuntu1.1_all.deb via 'debuild -b -uc -us' on an up to date precise VM with this debdiff applied, though lintian is mildly displeased with your changelog.Debian addition...

  Now running lintian...
  W: cacti: debian-changelog-line-too-long line 4
  W: cacti: debian-changelog-line-too-long line 6
  N: 1 tag overridden (1 warning)
  Finished running lintian.

Upgraded our server with it and seems not broken, but we don't use any authenticated/admin functions so YMMV.

Changed in cacti (Ubuntu):
status: Triaged → Confirmed
Revision history for this message
Paul Gevers (paul-climbing) wrote :

Ok, so I aligned the comments in the changelog slightly. Take 2 of the debdiff. (I will delete the first one if Launchpad allows).

summary: - Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to
- 12.04 LTS
+ Please backport security fixes to 12.04 LTS
summary: - Please backport security fixes to 12.04 LTS
+ Please backport cacti security fixes
Revision history for this message
Paul Gevers (paul-climbing) wrote :

More releases happened... list of open items (since 12.04):

cacti (0.8.8b+dfsg-8+deb8u1) jessie-security; urgency=high

  * Security update
    - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
      before 0.8.8d allows remote attackers to inject arbitrary web script
      or HTML via unspecified vectors.
    - CVE-2015-4342 SQL Injection and Location header injection from cdef
      id
    - CVE-2015-4454 SQL injection vulnerability in the
      get_hash_graph_template function in lib/functions.php in Cacti before
      0.8.8d allows remote attackers to execute arbitrary SQL commands via
      the graph_template_id parameter to graph_templates.php.
    - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540

 -- Paul Gevers <email address hidden> Mon, 22 Jun 2015 20:55:59 +0200

cacti (0.8.8b+dfsg-8) unstable; urgency=high

  * CVE-2014-5261
    Insufficient input sanitation leads to shell command injection
    possibilities
  * CVE-2014-5262
    Incomplete and incorrect input parsing leads to SQL injection attack
    scenarios
  * Fix for CVE-2014-5043 was incomplete, improve patch
  * Change CVE-2014-4002 patch to include upstream updated commits

 -- Paul Gevers <email address hidden> Mon, 18 Aug 2014 19:57:43 +0200

cacti (0.8.8b+dfsg-7) unstable; urgency=medium

  * Fix regression caused by fixing CVE-2014-4002 at least plugin autom8
    was unusable (Closes: #755032)
  * Security update
    - CVE-2014-5025 Cross Site Scripting Vulnerability
    - CVE-2014-5026 Cross Site Scripting Vulnerability
    - CVE-2014-5043 Cross Site Scripting Vulnerability

 -- Paul Gevers <email address hidden> Thu, 24 Jul 2014 21:56:48 +0200

cacti (0.8.8b+dfsg-6) unstable; urgency=high

  * Add alternative php5-mysql | php5-mysqlnd (Closes: #744067)
  * Security update (Closes: #742768, #752573)
    - CVE-2014-2327 Cross Site Request Forgery Vulnerability
    - CVE-2014-4002 Cross-Site Scripting Vulnerability

 -- Paul Gevers <email address hidden> Wed, 25 Jun 2014 22:33:53 +0200

cacti (0.8.8b+dfsg-5) unstable; urgency=high

  * Fix postinst for lighttpd setups which fail on update due to
    lighty-enable-mod exiting with non-zero if config is already loaded
    (Closes: 743727)

 -- Paul Gevers <email address hidden> Sun, 06 Apr 2014 19:59:12 +0200

cacti (0.8.8b+dfsg-4) unstable; urgency=high

  * Security update (Closes: 743565)
    - CVE-2014-2326 Cross-site scripting (XSS) vulnerability
    - CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
    - CVE-2014-2708 SQL injection
    - CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
  * Bump standards (no changes needed)
  * Fix VCS-Browser field
  * Fix license paragraph of jstree (Thanks lintian)

 -- Paul Gevers <email address hidden> Sat, 05 Apr 2014 13:03:22 +0200

cacti (0.8.8b+dfsg-3) unstable; urgency=low

  * Fix Cross site scripting (upstream bug 2383)
    CVE-2013-5588
  * Fix SQL injection in host.php (upstream bug 2383)
    CVE-2013-5589
  * Fix upgrade script in cli directory for latest releases
  * Automatically upgrade database during package update (prevents upstream
    bug 2377)
  * The code to enable lighttpd configuration from LP: #113...


Changed in cacti (Ubuntu Precise):
assignee: nobody → Paul Gevers (paul-climbing)
Changed in cacti (Ubuntu Trusty):
assignee: nobody → Paul Gevers (paul-climbing)
Changed in cacti (Ubuntu Utopic):
assignee: nobody → Paul Gevers (paul-climbing)
Changed in cacti (Ubuntu Vivid):
assignee: nobody → Paul Gevers (paul-climbing)
Revision history for this message
Paul Gevers (paul-climbing) wrote :

Please find attached my debdiffs against Precise, Trusty and Utopic. As Vivid has the same version as Utopic, I am not sure how to handle that case, but the exact same debdiff (minus the distribution in the changelog) as for Utopic can be used.

As the changes in the Debian package from the Trusty package onwards until the current package in Debian jessie-security were nearly all security fixes, I include the diff of the Trusty and Utopic packages against the current package in jessie-security as an aid for reviewing.

I must admit that I can't test the Precise package myself as I can't easily create a system where I could test it properly. I haven't tested the Trusty and Utopic packages, but as the differences between the Debian package and the Ubuntu package can be ignored, I trust that they are correct.

Revision history for this message
Paul Gevers (paul-climbing) wrote :
Revision history for this message
Paul Gevers (paul-climbing) wrote :
Revision history for this message
Paul Gevers (paul-climbing) wrote :
Revision history for this message
Paul Gevers (paul-climbing) wrote :
Revision history for this message
Paul Gevers (paul-climbing) wrote :
Changed in cacti (Ubuntu Precise):
assignee: Paul Gevers (paul-climbing) → nobody
Changed in cacti (Ubuntu Trusty):
assignee: Paul Gevers (paul-climbing) → nobody
Changed in cacti (Ubuntu Utopic):
assignee: Paul Gevers (paul-climbing) → nobody
Changed in cacti (Ubuntu Vivid):
assignee: Paul Gevers (paul-climbing) → nobody
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Paul,

Thanks for taking the time to prepare these. For utopic and vivid, I'll just fakesync those, since there's no change between the ubuntu version and the version in jessie. For trusty, I'll review the debdiff and publish if it looks good. For precise, I'll review and attempt to build the package, but I'm leery of publishing an untested update.

For future reference, this wiki page describes how to handle versioning when the same version of a package is in multiple ubuntu releases: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging .

Thanks!
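The versioning point in the comment above is what the later uploads in this thread put into practice: the unchanged Debian version 0.8.8b+dfsg-8+deb8u1 is published as 0.8.8b+dfsg-8+deb8u1build0.14.10.1 for utopic and 0.8.8b+dfsg-8+deb8u1build0.15.04.1 for vivid. The scheme only works if those strings sort the way dpkg expects: above the Debian version they wrap, increasing from one Ubuntu release to the next, and below any later Debian upload (deb8u2, -9) so that a future sync still supersedes them. The block below is an added example, not code from this bug report or from Ubuntu's own tooling: it reimplements dpkg's version comparison in Python and uses it to check those ordering properties. The helper name fakesync_version and the fixed ".1" suffix are assumptions taken from the two uploads shown in this thread, not from the wiki page.

```python
"""Check the version strings used when one Debian package version is
published unchanged for several Ubuntu releases (a "fake sync").

Added example, not code from this bug or from Ubuntu's tooling.  The
comparison below follows dpkg's algorithm: epoch, then upstream version,
then Debian revision, each compared with verrevcmp() semantics where '~'
sorts before anything (even end of string), letters sort before
non-letters, and digit runs compare numerically.
"""


def _order(c):
    """Weight of one character in a non-digit run; "" marks end of string."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1          # tilde sorts before everything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # '+', '.', '-' and friends sort after letters


def _verrevcmp(a, b):
    """Compare two upstream or revision strings like dpkg does.

    Returns a negative number, zero or a positive number.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        # Unequal weights return early, so both indexes only advance when
        # both strings still have a non-digit character here.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1           # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split "[epoch:]upstream[-revision]" into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def fakesync_version(debian_version, ubuntu_release):
    """Version for a fake sync into one Ubuntu release, in the shape used for
    the utopic (14.10) and vivid (15.04) uploads in this bug (assumed pattern)."""
    return f"{debian_version}build0.{ubuntu_release}.1"


def check_fakesync_versions(debian_version, ubuntu_releases, later_debian_versions):
    """True if the fake-sync versions install over the Debian version, upgrade
    cleanly from one Ubuntu release to the next, and are still superseded by
    every later Debian version.  ubuntu_releases must be in release order."""
    chain = [debian_version] + [fakesync_version(debian_version, r) for r in ubuntu_releases]
    increasing = all(compare_versions(x, y) < 0 for x, y in zip(chain, chain[1:]))
    superseded = all(compare_versions(chain[-1], later) < 0 for later in later_debian_versions)
    return increasing and superseded


if __name__ == "__main__":
    base = "0.8.8b+dfsg-8+deb8u1"
    for release in ("14.10", "15.04"):
        print(fakesync_version(base, release))
    print(check_fakesync_versions(base, ["14.10", "15.04"],
                                  ["0.8.8b+dfsg-8+deb8u2", "0.8.8b+dfsg-9"]))
```

The same comparison also shows why the trusty upload uses 0.8.8b+dfsg-5ubuntu0.1 rather than a higher revision: it sorts above the trusty base 0.8.8b+dfsg-5 but below Debian's -8, so the package in later releases still wins on upgrade.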

Steve Beattie (sbeattie)
Changed in cacti (Ubuntu Vivid):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Changed in cacti (Ubuntu Utopic):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Changed in cacti (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Changed in cacti (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.8b+dfsg-5ubuntu0.1

---------------
cacti (0.8.8b+dfsg-5ubuntu0.1) trusty-security; urgency=medium

  * Security update (LP: #1210822):
    - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
      before 0.8.8d allows remote attackers to inject arbitrary web script
      or HTML via unspecified vectors.
    - CVE-2015-4342 SQL Injection and Location header injection from cdef
      id
    - CVE-2015-4454 SQL injection vulnerability in the
      get_hash_graph_template function in lib/functions.php in Cacti before
      0.8.8d allows remote attackers to execute arbitrary SQL commands via
      the graph_template_id parameter to graph_templates.php.
    - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540
    - CVE-2014-5261 Insufficient input sanitation leads to shell command
      injection possibilities
    - CVE-2014-5262 Incomplete and incorrect input parsing leads to SQL
      injection attack scenarios
    - CVE-2014-5025 Cross Site Scripting Vulnerability
    - CVE-2014-5026 Cross Site Scripting Vulnerability
    - CVE-2014-5043 Cross Site Scripting Vulnerability
    - CVE-2014-2327 Cross Site Request Forgery Vulnerability
    - CVE-2014-4002 Cross-Site Scripting Vulnerability

 -- Paul Gevers <email address hidden> Sat, 27 Jun 2015 14:25:12 +0200

Changed in cacti (Ubuntu Trusty):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.8b+dfsg-8+deb8u1build0.14.10.1

---------------
cacti (0.8.8b+dfsg-8+deb8u1build0.14.10.1) utopic-security; urgency=medium

  * fake sync from Debian (LP: #1210822)

cacti (0.8.8b+dfsg-8+deb8u1) jessie-security; urgency=high

  * Security update
    - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
      before 0.8.8d allows remote attackers to inject arbitrary web script
      or HTML via unspecified vectors.
    - CVE-2015-4342 SQL Injection and Location header injection from cdef
      id
    - CVE-2015-4454 SQL injection vulnerability in the
      get_hash_graph_template function in lib/functions.php in Cacti before
      0.8.8d allows remote attackers to execute arbitrary SQL commands via
      the graph_template_id parameter to graph_templates.php.
    - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540

 -- Steve Beattie <email address hidden> Tue, 30 Jun 2015 10:23:46 -0700

Changed in cacti (Ubuntu Utopic):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.8b+dfsg-8+deb8u1build0.15.04.1

---------------
cacti (0.8.8b+dfsg-8+deb8u1build0.15.04.1) vivid-security; urgency=medium

  * fake sync from Debian (LP: #1210822)

cacti (0.8.8b+dfsg-8+deb8u1) jessie-security; urgency=high

  * Security update
    - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
      before 0.8.8d allows remote attackers to inject arbitrary web script
      or HTML via unspecified vectors.
    - CVE-2015-4342 SQL Injection and Location header injection from cdef
      id
    - CVE-2015-4454 SQL injection vulnerability in the
      get_hash_graph_template function in lib/functions.php in Cacti before
      0.8.8d allows remote attackers to execute arbitrary SQL commands via
      the graph_template_id parameter to graph_templates.php.
    - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540

 -- Steve Beattie <email address hidden> Tue, 30 Jun 2015 11:47:36 -0700

Changed in cacti (Ubuntu Vivid):
status: In Progress → Fix Released
Revision history for this message
Paul Gevers (paul-climbing) wrote :

If setting up the test environment for 12.04 is tedious, please hold the testing for this patch. There is an update coming up due to bug #1474013.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

As per last comment, I'm removing ubuntu-security-sponsors from this bug for now, since there is nothing to sponsor.

Please re-subscribe ubuntu-security-sponsors once you have attached a working and tested debdiff for precise.

Thanks!

Changed in cacti (Ubuntu Precise):
assignee: Steve Beattie (sbeattie) → nobody
Mathew Hodson (mhodson)
Changed in cacti (Ubuntu):
importance: Undecided → Medium
Changed in cacti (Ubuntu Precise):
importance: Undecided → Medium
Changed in cacti (Ubuntu Utopic):
importance: Undecided → Medium
Changed in cacti (Ubuntu Trusty):
importance: Undecided → Medium
Changed in cacti (Ubuntu Vivid):
importance: Undecided → Medium
Changed in cacti (Ubuntu):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
Changed in cacti (Ubuntu Precise):
status: In Progress → Triaged
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in cacti (Ubuntu Precise):
status: Triaged → Won't Fix