Debian Bug report logs - #582691
Multiple security vulnerabilities in upstream package


Package: cacti; Maintainer for cacti is Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>; Source for cacti is src:cacti.

Reported by: Rainbow Warrior <rnbwpnt@gmail.com>

Date: Sat, 22 May 2010 20:15:02 UTC

Severity: critical

Tags: security

Found in version cacti/0.8.7b-2.1+lenny2

Fixed in versions cacti/0.8.7e-4, cacti/0.8.7b-2.1+lenny3

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#582691; Package cacti. (Sat, 22 May 2010 20:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rainbow Warrior <rnbwpnt@gmail.com>:
New Bug report received and forwarded. Copy sent to Sean Finney <seanius@debian.org>. (Sat, 22 May 2010 20:15:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Rainbow Warrior <rnbwpnt@gmail.com>
To: submit@bugs.debian.org
Subject: Multiple security vulnerabilities in upstream package
Date: Sat, 22 May 2010 15:12:31 -0500
Package: cacti
Version: 0.8.7b-2.1+lenny2
Tags: security
Severity: critical

The producers of cacti have reported multiple high-threat security
vulnerabilities in this version of cacti.

Relevant release notes for v0.8.7f below:
http://www.cacti.net/release_notes_0_8_7f.php

Important Security Fixes

SQL injection and shell escaping issues reported by Bonsai Information
Security (http://www.bonsai-sec.com)
Cross-site scripting issues reported by VUPEN Security (http://www.vupen.com)
MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
(http://php-security.org)


MOPS-2010-023 reports that versions of cacti prior to and including
0.8.7e are vulnerable to this attack. The changelog for this version
of cacti is dated prior to the release of MOPS-2010-023 vulnerability,
which suggests that 0.87b-2.1+lenny2 may still be vulnerable. I note
that the last security change was in templates_export.php; the new
threat is in graph.php, so I suspect this hole was not closed in the
last security backport.




Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#582691; Package cacti. (Thu, 10 Jun 2010 15:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Thu, 10 Jun 2010 15:45:03 GMT) Full text and rfc822 format available.

Message #10 received at 582691@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 582691@bugs.debian.org
Subject: patch for sql injection
Date: Thu, 10 Jun 2010 17:42:52 +0200
[Message part 1 (text/plain, inline)]
Hi,
attached is a patch for CVE-2010-2092.
Cheers
Nico
[CVE-2010-2092.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#582691; Package cacti. (Thu, 10 Jun 2010 21:00:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. (Thu, 10 Jun 2010 21:00:07 GMT) Full text and rfc822 format available.

Message #15 received at 582691@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: 582691@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [/debian-lenny] Patch for CVE-2010-2092/MOPS-2010-023: SQL Injection Vulnerability
Date: Thu, 10 Jun 2010 20:57:58 +0000
tag 582691 pending
thanks

Date: Fri Jun 11 00:51:24 2010 +0200
Author: Sean Finney <seanius@debian.org>
Commit ID: 91e3ecdf2484c3b078c5abcf795cfbc4fb117cae
Commit URL: http://git.debian.org/?p=users/seanius/cacti.git;a=commitdiff;h=91e3ecdf2484c3b078c5abcf795cfbc4fb117cae
Patch URL: http://git.debian.org/?p=users/seanius/cacti.git;a=commitdiff_plain;h=91e3ecdf2484c3b078c5abcf795cfbc4fb117cae

    Patch for CVE-2010-2092/MOPS-2010-023: SQL Injection Vulnerability

    Note: there are two other vulnerabilities mentioned in this report, but
    they are both believed to already be fixed by previous security uploads.

    "SQL injection and shell escaping issues reported by Bonsai Information
    Security (http://www.bonsai-sec.com)" is believed to be fixed by
    official_sql_injection_template_export.patch, and "Cross-site scripting
    issues reported by VUPEN Security (http://www.vupen.com)" is fixed
    with 08_CVE-2009-4032.patch.

    Closes: #582691

Added tag(s) pending. Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Thu, 10 Jun 2010 21:00:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#582691; Package cacti. (Thu, 10 Jun 2010 22:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Thu, 10 Jun 2010 22:33:03 GMT) Full text and rfc822 format available.

Message #22 received at 582691@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: 582691@bugs.debian.org
Subject: Re: Bug#582691: patch for sql injection
Date: Fri, 11 Jun 2010 00:32:12 +0200
[Message part 1 (text/plain, inline)]
just for the record, i haven't yet uploaded a new unstable version,
mostly because i was waiting for upstream to roll out a fix for the 0.8.7f
release, which apparently contained a number of regressions.  If I don't
see any movement on that by the end of the weekend i'll go ahead and
look at applying the patch against unstable/0.8.7e.


	sean

On Thu, Jun 10, 2010 at 05:42:52PM +0200, Nico Golde wrote:
> Hi,
> attached is a patch for CVE-2010-2092.
> Cheers
> Nico

> --- graph.php	2009-06-28 18:07:11.000000000 +0200
> +++ graph.php.new	2010-06-10 17:41:07.000000000 +0200
> @@ -33,7 +33,7 @@
>  include_once("./include/top_graph_header.php");
>  
>  /* ================= input validation ================= */
> -input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
> +input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
>  input_validate_input_number(get_request_var("local_graph_id"));
>  input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
>  /* ==================================================== */
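Review bot: the fix lines up the source that is validated with the source that is consumed, since checking `rra_id` from `$_REQUEST` (via `get_request_var_request`) while the page reads it with `get_request_var` lets a value that was never checked reach the query; this is only complete if every later use of `rra_id` in graph.php goes through `get_request_var`, which the hunk cannot show and should be confirmed. On the following context line `view_type` is still validated with `get_request_var_request`, so either confirm it is consumed from `$_REQUEST` as well or switch it to `get_request_var` to match `local_graph_id` and the corrected `rra_id` line. A short comment above the input-validation block stating that the accessor used to validate must be the one used to read the value would keep a later edit from reintroducing the mismatch.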


-- 
[signature.asc (application/pgp-signature, inline)]

Reply sent to Sean Finney <seanius@debian.org>:
You have taken responsibility. (Fri, 11 Jun 2010 19:21:03 GMT) Full text and rfc822 format available.

Notification sent to Rainbow Warrior <rnbwpnt@gmail.com>:
Bug acknowledged by developer. (Fri, 11 Jun 2010 19:21:03 GMT) Full text and rfc822 format available.

Message #27 received at 582691-close@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: 582691-close@bugs.debian.org
Subject: Bug#582691: fixed in cacti 0.8.7e-4
Date: Fri, 11 Jun 2010 19:17:10 +0000
Source: cacti
Source-Version: 0.8.7e-4

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:

cacti_0.8.7e-4.diff.gz
  to main/c/cacti/cacti_0.8.7e-4.diff.gz
cacti_0.8.7e-4.dsc
  to main/c/cacti/cacti_0.8.7e-4.dsc
cacti_0.8.7e-4_all.deb
  to main/c/cacti/cacti_0.8.7e-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 582691@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 11 Jun 2010 21:08:02 +0000
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7e-4
Distribution: unstable
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 582691
Changes: 
 cacti (0.8.7e-4) unstable; urgency=high
 .
   * Forward-port fix for CVE-2010-2092 from stable package (Closes: #582691)






Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Tue, 15 Jun 2010 07:57:14 GMT) Full text and rfc822 format available.

Notification sent to Rainbow Warrior <rnbwpnt@gmail.com>:
Bug acknowledged by developer. (Tue, 15 Jun 2010 07:57:14 GMT) Full text and rfc822 format available.

Message #32 received at 582691-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 582691-close@bugs.debian.org
Subject: Bug#582691: fixed in cacti 0.8.7b-2.1+lenny3
Date: Tue, 15 Jun 2010 07:52:35 +0000
Source: cacti
Source-Version: 0.8.7b-2.1+lenny3

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:

cacti_0.8.7b-2.1+lenny3.diff.gz
  to main/c/cacti/cacti_0.8.7b-2.1+lenny3.diff.gz
cacti_0.8.7b-2.1+lenny3.dsc
  to main/c/cacti/cacti_0.8.7b-2.1+lenny3.dsc
cacti_0.8.7b-2.1+lenny3_all.deb
  to main/c/cacti/cacti_0.8.7b-2.1+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 582691@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 10 Jun 2010 17:08:56 +0000
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7b-2.1+lenny3
Distribution: stable-security
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 582691
Changes: 
 cacti (0.8.7b-2.1+lenny3) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix unauthenticated sql injection vulnerability due to validating
     $_REQUEST rather than $_GET (CVE-2010-2092; Closes: #582691).


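The changelog entry for 0.8.7b-2.1+lenny3 describes the cause of CVE-2010-2092 as validating the value from `$_REQUEST` while consuming it from `$_GET`. The following is an added example (not Cacti's code) that models that mismatch beside the corrected pattern; `input_validate_input_regex()` here is a stand-in for Cacti's helper, and the request arrays are constructed inline.

```php
<?php
// Added example, not Cacti code: models the flaw class behind CVE-2010-2092,
// where the value that is validated comes from $_REQUEST but the value that
// is used comes from $_GET. input_validate_input_regex() is a stand-in for
// Cacti's helper (assumption): it returns a bool instead of aborting the page.

function input_validate_input_regex(string $value, string $regex): bool {
    return preg_match('/' . $regex . '/', $value) === 1;
}

// Constructed request: the same parameter name arrives in both GET and POST.
$_GET  = ['rra_id' => 'not-a-number'];
$_POST = ['rra_id' => 'all'];
// With PHP's default request_order "GP", POST entries override GET entries
// in $_REQUEST, so the validator sees "all" while the page reads "not-a-number".
$_REQUEST = array_merge($_GET, $_POST);

// Vulnerable pattern (before the patch): validate $_REQUEST, consume $_GET.
function build_query_vulnerable(): ?string {
    if (!input_validate_input_regex($_REQUEST['rra_id'], '^([0-9]+|all)$')) {
        return null; // validation rejected the request
    }
    // The query is built from a different, never-validated source.
    return "SELECT * FROM rra WHERE id = '" . $_GET['rra_id'] . "'";
}

// Fixed pattern (after the patch): validate and consume the same source.
function build_query_fixed(): ?string {
    $rra_id = $_GET['rra_id'] ?? '';
    if (!input_validate_input_regex($rra_id, '^([0-9]+|all)$')) {
        return null;
    }
    return "SELECT * FROM rra WHERE id = '" . $rra_id . "'";
}

var_dump(build_query_vulnerable()); // the unvalidated GET value reaches the SQL
var_dump(build_query_fixed());      // NULL: the same request is rejected
```

The same mismatch applies whenever a cookie or POST field can shadow the validated name, so the check to make during review is that the accessor used to validate a parameter is the accessor used to read it.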




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Jul 2010 07:39:15 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:31:23 2014; Machine Name: beach.debian.org
