Wed Jan 8 20:51:28 2014 UTC ()
Update the "cacti" package to version 0.8.8b. Changes since 0.8.8a:
- bug: Fixed issue with custom data source information being lost when
       saved from edit
- bug: Repopulate the poller cache on new installations
- bug: Fix issue with poller not escaping the script query path correctly
- bug: Allow snmpv3 priv proto none
- bug: Fix issue where host activate may flush the entire poller item
       cache
-security: SQL injection and shell escaping issues

Also add the fix for the security vulnerability reported in SA54531, taken from the SVN repository.


(tron)
diff -r1.20 -r1.21 pkgsrc/net/cacti/Makefile
diff -r1.3 -r1.4 pkgsrc/net/cacti/PLIST
diff -r1.3 -r1.4 pkgsrc/net/cacti/distinfo
diff -r0 -r1.1 pkgsrc/net/cacti/patches/patch-host.php
diff -r0 -r1.1 pkgsrc/net/cacti/patches/patch-lib_api_device.php
diff -r1.1.1.1 -r1.2 pkgsrc/net/cacti/patches/patch-install_index.php

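--- a/pkgsrc/net/cacti/Makefile
+++ b/pkgsrc/net/cacti/Makefile
@@ -1,18 +1,16 @@
-# $NetBSD: Makefile,v 1.20 2013/10/10 14:42:26 ryoon Exp $
-#
+# $NetBSD: Makefile,v 1.21 2014/01/08 20:51:28 tron Exp $
 
-DISTNAME= cacti-0.8.8a
-PKGREVISION= 8
+DISTNAME= cacti-0.8.8b
 CATEGORIES= net
 MASTER_SITES= http://www.cacti.net/downloads/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.cacti.net/
 COMMENT= Frontend to rrdtool for monitoring systems and services
 LICENSE= gnu-gpl-v2
 
 USE_LANGUAGES= # none
 USE_TOOLS+= pax
 NO_BUILD= yes
 
 DEPENDS+= ${PHP_PKG_PREFIX}-mysql-[0-9]*:../../databases/php-mysql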

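--- a/pkgsrc/net/cacti/PLIST
+++ b/pkgsrc/net/cacti/PLIST
@@ -1,14 +1,14 @@
-@comment $NetBSD: PLIST,v 1.3 2012/12/12 10:48:43 wiz Exp $
+@comment $NetBSD: PLIST,v 1.4 2014/01/08 20:51:28 tron Exp $
 share/cacti/LICENSE
 share/cacti/README
 share/cacti/about.php
 share/cacti/auth_changepassword.php
 share/cacti/auth_login.php
 share/cacti/cacti.sql
 share/cacti/cdef.php
 share/cacti/cli/.htaccess
 share/cacti/cli/add_data_query.php
 share/cacti/cli/add_device.php
 share/cacti/cli/add_graph_template.php
 share/cacti/cli/add_graphs.php
 share/cacti/cli/add_perms.php
@@ -306,26 +306,27 @@ share/cacti/install/0_8_6g_to_0_8_6h.php
 share/cacti/install/0_8_6h_to_0_8_6i.php
 share/cacti/install/0_8_6j_to_0_8_7.php
 share/cacti/install/0_8_7_to_0_8_7a.php
 share/cacti/install/0_8_7a_to_0_8_7b.php
 share/cacti/install/0_8_7b_to_0_8_7c.php
 share/cacti/install/0_8_7c_to_0_8_7d.php
 share/cacti/install/0_8_7d_to_0_8_7e.php
 share/cacti/install/0_8_7e_to_0_8_7f.php
 share/cacti/install/0_8_7f_to_0_8_7g.php
 share/cacti/install/0_8_7g_to_0_8_7h.php
 share/cacti/install/0_8_7h_to_0_8_7i.php
 share/cacti/install/0_8_7i_to_0_8_8.php
 share/cacti/install/0_8_8_to_0_8_8a.php
+share/cacti/install/0_8_8_to_0_8_8b.php
 share/cacti/install/0_8_to_0_8_1.php
 share/cacti/install/index.php
 share/cacti/install/install_finish.gif
 share/cacti/install/install_next.gif
 share/cacti/lib/adodb/adodb-csvlib.inc.php
 share/cacti/lib/adodb/adodb-datadict.inc.php
 share/cacti/lib/adodb/adodb-error.inc.php
 share/cacti/lib/adodb/adodb-errorhandler.inc.php
 share/cacti/lib/adodb/adodb-errorpear.inc.php
 share/cacti/lib/adodb/adodb-exceptions.inc.php
 share/cacti/lib/adodb/adodb-iterator.inc.php
 share/cacti/lib/adodb/adodb-lib.inc.php
 share/cacti/lib/adodb/adodb-pear.inc.php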

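--- a/pkgsrc/net/cacti/distinfo
+++ b/pkgsrc/net/cacti/distinfo
@@ -1,9 +1,11 @@
-$NetBSD: distinfo,v 1.3 2012/12/12 10:48:43 wiz Exp $
+$NetBSD: distinfo,v 1.4 2014/01/08 20:51:28 tron Exp $
 
-SHA1 (cacti-0.8.8a.tar.gz) = e66f5fde96b28b273a9e62f79f8a7bb8827812c2
-RMD160 (cacti-0.8.8a.tar.gz) = 1462a71af844810a3451c24fd733b3f2351b75df
-Size (cacti-0.8.8a.tar.gz) = 2273280 bytes
+SHA1 (cacti-0.8.8b.tar.gz) = 84979416ae08d586064328d6451a3108b74a3b06
+RMD160 (cacti-0.8.8b.tar.gz) = a2c88961565c6b5d593b4f2603514139800c9145
+Size (cacti-0.8.8b.tar.gz) = 2272130 bytes
 SHA1 (patch-cacti.sql) = 37e18026c4136630d939ab5a7a4d6336bf166282
+SHA1 (patch-host.php) = 679fd76c81a719d949e023cecc4cc0c47ac6acf4
 SHA1 (patch-include_global.php) = fb0d2f15596b051c60ed6032ecb9038315b7c663
 SHA1 (patch-include_global__settings.php) = 54ffd0c3fc9d927595b1568a874c45a4a6033f7b
-SHA1 (patch-install_index.php) = 84b25c39a4ce1bc6144cffcdb9e32bf257cfcae6
+SHA1 (patch-install_index.php) = e5ee36159968e1ca160aba953e02b9e80a2eb5d9
+SHA1 (patch-lib_api_device.php) = 0a2d495a0245c8957bfd5214a5e79dbb31f135c4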

File Added: pkgsrc/net/cacti/patches/Attic/patch-host.php
$NetBSD: patch-host.php,v 1.1 2014/01/08 20:51:28 tron Exp $

Fix vulnerability reported in SA54531. Patch taken from here:

http://svn.cacti.net/viewvc?view=rev&revision=7420

--- host.php.orig	2013-08-07 03:31:19.000000000 +0100
+++ host.php	2014-01-08 20:26:33.000000000 +0000
@@ -149,6 +149,9 @@
 		if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) {
 			raise_message(4);
 		}else{
+			input_validate_input_number(get_request_var_post("id"));
+			input_validate_input_number(get_request_var_post("host_template_id"));
+
 			$host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"],
 				trim($_POST["hostname"]), $_POST["snmp_community"], $_POST["snmp_version"],
 				$_POST["snmp_username"], $_POST["snmp_password"],
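Review bot: The two added `input_validate_input_number(...)` calls discard their return value, and the `api_device_save(...)` call on the next line re-reads the raw `$_POST["id"]` and `$_POST["host_template_id"]`, so this guard only holds if `input_validate_input_number` terminates the request on a non-numeric value, which cannot be seen from this hunk. A comment above the two calls, such as `/* input_validate_input_number() aborts the request on non-numeric input, so the raw $_POST values passed below are known to be numeric */`, would record that dependency for the next maintainer. The enclosing `if` block starts before the hunk.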

File Added: pkgsrc/net/cacti/patches/Attic/patch-lib_api_device.php
$NetBSD: patch-lib_api_device.php,v 1.1 2014/01/08 20:51:28 tron Exp $

Fix vulnerability reported in SA54531. Patch taken from here:

http://svn.cacti.net/viewvc?view=rev&revision=7420

--- lib/api_device.php.orig	2013-08-07 03:31:18.000000000 +0100
+++ lib/api_device.php	2014-01-08 20:26:33.000000000 +0000
@@ -107,7 +107,7 @@
 		$_host_template_id = db_fetch_cell("select host_template_id from host where id=$id");
 	}
 
-	$save["id"] = $id;
+	$save["id"]                   = form_input_validate($id, "id", "^[0-9]+$", false, 3);
 	$save["host_template_id"]     = form_input_validate($host_template_id, "host_template_id", "^[0-9]+$", false, 3);
 	$save["description"]          = form_input_validate($description, "description", "", false, 3);
 	$save["hostname"]             = form_input_validate(trim($hostname), "hostname", "", false, 3);
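Review bot: The new `form_input_validate($id, "id", "^[0-9]+$", false, 3)` on the `$save["id"]` line runs after the first line of the hunk, `db_fetch_cell("select host_template_id from host where id=$id")`, which already interpolates the raw `$id` into SQL, so inside api_device_save the value is used before it is validated; the function and the condition guarding that lookup begin outside the hunk. The host.php patch in this commit validates `id` before calling api_device_save, which covers that entry point, but api_device_save is a library function and any other caller presumably reaches the query with an unvalidated `$id`. Validating `$id` at the top of the function, before the lookup, would make it safe regardless of caller; at minimum a comment on the `$save["id"]` line such as `/* callers must validate $id before the host lookup above; see host.php */` should record the assumption.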

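--- a/pkgsrc/net/cacti/patches/Attic/patch-install_index.php
+++ b/pkgsrc/net/cacti/patches/Attic/patch-install_index.php
@@ -1,35 +1,155 @@
-$NetBSD: patch-install_index.php,v 1.1.1.1 2011/11/22 22:23:13 tez Exp $
+$NetBSD: patch-install_index.php,v 1.2 2014/01/08 20:51:28 tron Exp $
 
-find utilites in PREFIX first
-fixup hard coded user and path (documentaion only)
-make log directory configurable by package variable
+- Find utilites in PREFIX first.
+- Fix-up hard coded user and path (documentaion only).
+- Make log directory configurable by package variable
+- Fix vulnerability reported in SA54531. Patch taken from here:
 
---- install/index.php.orig 2011-09-26 20:41:03.000000000 +0000
-+++ install/index.php
-@@ -95,7 +95,7 @@ function find_best_path($binary_name) {
+ http://svn.cacti.net/viewvc?view=rev&revision=7420
+
+--- install/index.php.orig 2013-08-07 03:31:19.000000000 +0100
++++ install/index.php 2014-01-08 20:26:33.000000000 +0000
+@@ -96,7 +96,7 @@
  if ($config["cacti_server_os"] == "win32") {
  $search_paths = array("c:/usr/bin", "c:/cacti", "c:/rrdtool", "c:/spine", "c:/php", "c:/progra~1/php", "c:/net-snmp/bin", "c:/progra~1/net-snmp/bin", "d:/usr/bin", "d:/net-snmp/bin", "d:/progra~1/net-snmp/bin", "d:/cacti", "d:/rrdtool", "d:/spine", "d:/php", "d:/progra~1/php");
  }else{
 - $search_paths = array("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin");
 + $search_paths = array("@PREFIX@/bin", "@PREFIX@/sbin", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin");
  }
  
  for ($i=0; $i<count($search_paths); $i++) {
-@@ -266,7 +266,7 @@ $input["path_cactilog"]["description"] =
+@@ -267,7 +267,7 @@
  if (config_value_exists("path_cactilog")) {
  $input["path_cactilog"]["default"] = read_config_option("path_cactilog");
  } else {
 - $input["path_cactilog"]["default"] = $config["base_path"] . "/log/cacti.log";
 + $input["path_cactilog"]["default"] = "@CACTI_LOGDIR@" . "/cacti.log";
  }
  
  /* SNMP Version */
-@@ -652,7 +652,7 @@ if ($_REQUEST["step"] == "4") {
+@@ -310,27 +310,28 @@
+ }
+
+ /* pre-processing that needs to be done for each step */
+-if (empty($_REQUEST["step"])) {
+- $_REQUEST["step"] = 1;
+-}else{
+- if ($_REQUEST["step"] == "1") {
+- $_REQUEST["step"] = "2";
+- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "1")) {
+- $_REQUEST["step"] = "3";
+- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "3")) {
+- $_REQUEST["step"] = "8";
+- }elseif (($_REQUEST["step"] == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
+- $_REQUEST["step"] = "9";
+- }elseif ($_REQUEST["step"] == "8") {
+- $_REQUEST["step"] = "3";
+- }elseif ($_REQUEST["step"] == "9") {
+- $_REQUEST["step"] = "3";
+- }elseif ($_REQUEST["step"] == "3") {
+- $_REQUEST["step"] = "4";
++if (isset($_REQUEST["step"]) && $_REQUEST["step"] > 0) {
++ $step = intval($_REQUEST["step"]);
++ if ($step == "1") {
++ $step = "2";
++ } elseif (($step == "2") && ($_REQUEST["install_type"] == "1")) {
++ $step = "3";
++ } elseif (($step == "2") && ($_REQUEST["install_type"] == "3")) {
++ $step = "8";
++ } elseif (($step == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) {
++ $step = "9";
++ } elseif ($step == "8") {
++ $step = "3";
++ } elseif ($step == "9") {
++ $step = "3";
++ } elseif ($step == "3") {
++ $step = "4";
+ }
++} else {
++ $step = 1;
+ }
+
+-if ($_REQUEST["step"] == "4") {
++if ($step == "4") {
+ include_once("../lib/data_query.php");
+ include_once("../lib/utility.php");
+
+@@ -366,7 +367,7 @@
+
+ header ("Location: ../index.php");
+ exit;
+-}elseif (($_REQUEST["step"] == "8") && ($_REQUEST["install_type"] == "3")) {
++}elseif (($step == "8") && ($_REQUEST["install_type"] == "3")) {
+ /* if the version is not found, die */
+ if (!is_int($old_version_index)) {
+ print " <p style='font-family: Verdana, Arial; font-size: 16px; font-weight: bold; color: red;'>Error</p>
+@@ -505,7 +506,7 @@
+ </tr>
+ <tr>
+ <td width="100%" style="font-size: 12px;">
+- <?php if ($_REQUEST["step"] == "1") { ?>
++ <?php if ($step == "1") { ?>
+
+ <p>Thanks for taking the time to download and install cacti, the complete graphing
+ solution for your network. Before you can start making cool graphs, there are a few
+@@ -530,7 +531,7 @@
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.</p>
+
+- <?php }elseif ($_REQUEST["step"] == "2") { ?>
++ <?php }elseif ($step == "2") { ?>
+
+ <p>Please select the type of installation</p>
+
+@@ -551,7 +552,7 @@
+ print "Server Operating System Type: " . $config["cacti_server_os"] . "<br>"; ?>
+ </p>
+
+- <?php }elseif ($_REQUEST["step"] == "3") { ?>
++ <?php }elseif ($step == "3") { ?>
+
+ <p>Make sure all of these values are correct before continuing.</p>
+ <?php
+@@ -609,7 +610,7 @@
+ is an upgrade. You can change any of the settings on this screen at a later
+ time by going to "Cacti Settings" from within Cacti.</p>
+
+- <?php }elseif ($_REQUEST["step"] == "8") { ?>
++ <?php }elseif ($step == "8") { ?>
+
+ <p>Upgrade results:</p>
+
+@@ -659,7 +660,7 @@
+ print $upgrade_results;
+ ?>
+
+- <?php }elseif ($_REQUEST["step"] == "9") { ?>
++ <?php }elseif ($step == "9") { ?>
+
+ <p style='font-size: 16px; font-weight: bold; color: red;'>Important Upgrade Notice</p>
+
+@@ -667,13 +668,13 @@
  
  <p>See the sample crontab entry below with the change made in red. Your crontab line will look slightly different based upon your setup.</p>
  
 - <p><tt>*/5 * * * * cactiuser php /var/www/html/cacti/<span style='font-weight: bold; color: red;'>poller.php</span> &gt; /dev/null 2&gt;&amp;1</tt></p>
 + <p><tt>*/5 * * * * @CACTI_USER@ php @CACTIDIR@<span style='font-weight: bold; color: red;'>poller.php</span> &gt; /dev/null 2&gt;&amp;1</tt></p>
  
  <p>Once you have made this change, please click Next to continue.</p>
  
+ <?php }?>
+
+- <p align="right"><input type="image" src="install_<?php if ($_REQUEST["step"] == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($_REQUEST["step"] == "3"){?>Finish<?php }else{?>Next<?php }?>"></p>
++ <p align="right"><input type="image" src="install_<?php if ($step == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($step == "3"){?>Finish<?php }else{?>Next<?php }?>"></p>
+ </td>
+ </tr>
+ </table>
+@@ -681,7 +682,7 @@
+ </tr>
+ </table>
+
+-<input type="hidden" name="step" value="<?php print $_REQUEST["step"];?>">
++<input type="hidden" name="step" value="<?php print $step;?>">
+
+ </form>
+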
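Review bot: `$step = intval($_REQUEST["step"]);` (new line 52 of the patch file) makes the value an int, but the branches below reassign string literals (`$step = "2";`, `"3"`, `"8"`, `"9"`, `"4"`) and every comparison is the loose `==`, so `$step` is an int or a numeric string depending on which branch ran; since the value is printed into the hidden `step` input (`value="<?php print $step;?>"`) and into the `install_*.gif` name, keeping it an integer throughout (`$step = 2;` with `$step === 2`) would make it obvious that only an integer can reach the output. `$_REQUEST["install_type"]` is still read raw in the same chain; it is only compared with `==` here, which is harmless, but a comment such as `/* install_type is only ever compared, never echoed; validate before any other use */` would keep the next maintainer from echoing it unescaped. The if/elseif chain is shown in full, but the rest of install/index.php that consumes `$step` is outside these hunks.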