Fixes for: CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability

(adam)

 @@ -1,24 +1,24 @@
-# $NetBSD: Makefile,v 1.23 2014/05/05 00:48:13 ryoon Exp $
+# $NetBSD: Makefile,v 1.24 2014/08/23 12:50:25 adam Exp $
-DISTNAME=		cacti-0.8.8b
+DISTNAME=	cacti-0.8.8b
-PKGREVISION=		2
+PKGREVISION=	3
-CATEGORIES=		net
+CATEGORIES=	net
-MASTER_SITES=		http://www.cacti.net/downloads/
+MASTER_SITES=	http://www.cacti.net/downloads/
-MAINTAINER=		pkgsrc-users@NetBSD.org
+MAINTAINER=	pkgsrc-users@NetBSD.org
-HOMEPAGE=		http://www.cacti.net/
+HOMEPAGE=	http://www.cacti.net/
-COMMENT=		Frontend to rrdtool for monitoring systems and services
+COMMENT=	Frontend to rrdtool for monitoring systems and services
-LICENSE=		gnu-gpl-v2
+LICENSE=	gnu-gpl-v2
 USE_LANGUAGES=		# none
 USE_TOOLS+=		pax
 NO_BUILD=		yes
 DEPENDS+=		${PHP_PKG_PREFIX}-mysql-[0-9]*:../../databases/php-mysql
 DEPENDS+=		${PHP_PKG_PREFIX}-snmp-[0-9]*:../../net/php-snmp
 DEPENDS+=		${PHP_PKG_PREFIX}-sockets-[0-9]*:../../net/php-sockets
 DEPENDS+=		${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}-[0-9]*:../../www/ap-php
 .include "../../mk/bsd.prefs.mk"
 .include "../../lang/php/phpversion.mk"
 .include "../../mk/apache.mk"
 @@ -29,38 +29,38 @@ PKG_GECOS.${CACTI_USER}=	Cacti user
 PKG_HOME.${CACTI_USER}=	${CACTIDIR}
 PKG_SHELL.${CACTI_USER}=	${SH}
 PKG_USERS_VARS+=	CACTI_USER
 PKG_GROUPS_VARS+=	CACTI_GROUP
 BUILD_DEFS+=		PKG_SYSCONFBASE
 PKG_SYSCONFSUBDIR?=	httpd
 EGDIR=			${PREFIX}/share/examples/cacti
 CONF_FILES+=		${EGDIR}/httpd-cacti.conf ${PKG_SYSCONFDIR}/httpd-cacti.conf
 CACTIDIR=		${PREFIX}/share/cacti
 CACTI_LOGDIR?=		${CACTIDIR}/log
 CACTI_RRADIR?=		${CACTIDIR}/rra
-REPLACE_INTERPRETER+=   php
+REPLACE_INTERPRETER+=	php
-REPLACE.php.old=        .*php[^ ]*
+REPLACE.php.old=	.*php[^ ]*
-REPLACE.php.new=        ${PREFIX}/bin/php
+REPLACE.php.new=	${PREFIX}/bin/php
-REPLACE_FILES.php=      cli/*.php
+REPLACE_FILES.php=	cli/*.php
-REPLACE_PERL+=         scripts/*.pl
+REPLACE_PERL+=		scripts/*.pl
-MESSAGE_SUBST+=         CACTIDIR=${CACTIDIR}
+MESSAGE_SUBST+=		CACTIDIR=${CACTIDIR}
-MESSAGE_SUBST+=         CACTI_USER=${CACTI_USER}
+MESSAGE_SUBST+=		CACTI_USER=${CACTI_USER}
-MESSAGE_SUBST+=         EGDIR=${EGDIR}
+MESSAGE_SUBST+=		EGDIR=${EGDIR}
-MESSAGE_SUBST+=         PREFIX=${PREFIX}
+MESSAGE_SUBST+=		PREFIX=${PREFIX}
-MESSAGE_SUBST+=         PKG_SYSCONFBASE=${PKG_SYSCONFBASE}
+MESSAGE_SUBST+=		PKG_SYSCONFBASE=${PKG_SYSCONFBASE}
 FILES_SUBST+=		CACTIDIR=${CACTIDIR}
 FILES_SUBST+=		CACTI_GROUP=${CACTI_GROUP}
 FILES_SUBST+=		CACTI_USER=${CACTI_USER}
 FILES_SUBST+=		CACTI_LOGDIR=${CACTI_LOGDIR}
 SUBST_CLASSES+=		paths
 SUBST_STAGE.paths=	pre-configure
 SUBST_FILES.paths=	${WRKDIR}/httpd-cacti.conf install/index.php
 SUBST_FILES.paths+=	include/global.php include/global_settings.php
 SUBST_FILES.paths+=	${WRKDIR}/cacti-poller
 SUBST_VARS.paths=	CACTIDIR PREFIX CACTI_USER CACTI_LOGDIR CACTI_RRADIR
 SUBST_VARS.paths+=	PKG_PHP_MAJOR_VERS SH

 @@ -1,11 +1,15 @@
-$NetBSD: distinfo,v 1.4 2014/01/08 20:51:28 tron Exp $
+$NetBSD: distinfo,v 1.5 2014/08/23 12:50:25 adam Exp $
 SHA1 (cacti-0.8.8b.tar.gz) = 84979416ae08d586064328d6451a3108b74a3b06
 RMD160 (cacti-0.8.8b.tar.gz) = a2c88961565c6b5d593b4f2603514139800c9145
 Size (cacti-0.8.8b.tar.gz) = 2272130 bytes
 SHA1 (patch-cacti.sql) = 37e18026c4136630d939ab5a7a4d6336bf166282
 SHA1 (patch-cdef.php) = ee898fcbb0da5db1a1127ba54fbf72c308df47eb
 SHA1 (patch-graph_xport.php) = 275717883721c674ab149e163be0ba780b86b11b
 SHA1 (patch-host.php) = 679fd76c81a719d949e023cecc4cc0c47ac6acf4
 SHA1 (patch-include_global.php) = fb0d2f15596b051c60ed6032ecb9038315b7c663
 SHA1 (patch-include_global__settings.php) = 54ffd0c3fc9d927595b1568a874c45a4a6033f7b
 SHA1 (patch-install_index.php) = e5ee36159968e1ca160aba953e02b9e80a2eb5d9
 SHA1 (patch-lib_api_device.php) = 0a2d495a0245c8957bfd5214a5e79dbb31f135c4
 SHA1 (patch-lib_graph_export.php) = ef91e864bc830653fbcf490419d39511aa7a258e
 SHA1 (patch-lib_rrd.php) = cf7483d9a67f9f146d130de7da86a0f37f1041c9

$NetBSD: patch-cdef.php,v 1.1 2014/08/23 12:50:25 adam Exp $ Fixes for: CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability --- cdef.php.orig 2013-08-06 22:31:19.000000000 -0400 +++ cdef.php 2014-04-04 21:39:04.000000000 -0400 @@ -431,7 +431,7 @@ <a class="linkEditMain" href="<?php print htmlspecialchars("cdef.php?action=item_edit&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>">Item #<?php print htmlspecialchars($i);?></a> </td> <td> - <?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?>: <?php print get_cdef_item_name($cdef_item["id"]);?> + <?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?>: <?php print htmlspecialchars(get_cdef_item_name($cdef_item["id"]));?> </td> <td> <a href="<?php print htmlspecialchars("cdef.php?action=item_movedown&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>"><img src="images/move_down.gif" border="0" alt="Move Down"></a> diff -ruBbd graph_xport.php graph_xport.php

$NetBSD: patch-graph_xport.php,v 1.1 2014/08/23 12:50:25 adam Exp $ Fixes for: CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability --- graph_xport.php.orig 2013-08-06 22:31:19.000000000 -0400 +++ graph_xport.php 2014-04-04 21:39:04.000000000 -0400 @@ -47,43 +47,48 @@ $graph_data_array = array(); +/* ================= input validation ================= */ +input_validate_input_number(get_request_var("local_graph_id")); +input_validate_input_number(get_request_var("rra_id")); +/* ==================================================== */ + /* override: graph start time (unix time) */ -if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) { - $graph_data_array["graph_start"] = $_GET["graph_start"]; +if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) { + $graph_data_array["graph_start"] = get_request_var("graph_start"); } /* override: graph end time (unix time) */ -if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) { - $graph_data_array["graph_end"] = $_GET["graph_end"]; +if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) { + $graph_data_array["graph_end"] = get_request_var("graph_end"); } /* override: graph height (in pixels) */ -if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) { - $graph_data_array["graph_height"] = $_GET["graph_height"]; +if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) { + $graph_data_array["graph_height"] = get_request_var("graph_height"); } /* override: graph width (in pixels) */ -if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) { - $graph_data_array["graph_width"] = $_GET["graph_width"]; +if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) { + $graph_data_array["graph_width"] = get_request_var("graph_width"); } /* override: skip drawing the legend? */ if (!empty($_GET["graph_nolegend"])) { - $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"]; + $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend"); } /* print RRDTool graph source? */ if (!empty($_GET["show_source"])) { - $graph_data_array["print_source"] = $_GET["show_source"]; + $graph_data_array["print_source"] = get_request_var("show_source"); } -$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'"); +$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'"); /* for bandwidth, NThPercentile */ $xport_meta = array(); /* Get graph export */ -$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta); +$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta); /* Make graph title the suggested file name */ if (is_array($xport_array["meta"])) {

$NetBSD: patch-lib_graph_export.php,v 1.1 2014/08/23 12:50:25 adam Exp $ Fixes for: CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability --- lib/graph_export.php.orig 2013-08-06 22:31:19.000000000 -0400 +++ lib/graph_export.php 2014-04-04 21:39:05.000000000 -0400 @@ -339,7 +339,7 @@ chdir($stExportDir); /* set the initial command structure */ - $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password']; + $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']); /* if the user requested passive mode, use it */ if ($aFtpExport['passive']) { @@ -347,7 +347,7 @@ } /* setup the port, server, remote directory and all files */ - $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . "."; + $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . "."; /* run the command */ $iExecuteReturns = 0;

$NetBSD: patch-lib_rrd.php,v 1.1 2014/08/23 12:50:25 adam Exp $ Fixes for: CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability --- lib/rrd.php.orig 2013-08-06 22:31:18.000000000 -0400 +++ lib/rrd.php 2014-04-04 21:39:04.000000000 -0400 @@ -865,13 +865,13 @@ /* basic graph options */ $graph_opts .= "--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL . - "--start=$graph_start" . RRD_NL . - "--end=$graph_end" . RRD_NL . + "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL . + "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL . "--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL . "$rigid" . - "--base=" . $graph["base_value"] . RRD_NL . - "--height=$graph_height" . RRD_NL . - "--width=$graph_width" . RRD_NL . + "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL . + "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL . + "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL . "$scale" . "$unit_value" . "$unit_exponent_value" . @@ -1606,8 +1606,8 @@ /* basic export options */ $xport_opts = - "--start=$xport_start" . RRD_NL . - "--end=$xport_end" . RRD_NL . + "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL . + "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL . "--maxrows=10000" . RRD_NL; $xport_defs = ""; @@ -1997,7 +1997,7 @@ $stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0; $j++; - $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ; + $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ; }else{ $need_rrd_nl = FALSE; }