[Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092

Sanity tested package (built, installed, basic functionality works). Also tested the input validation to ensure if improper offsets were passed, a validation error would be thrown. This was confirmed to work.

There are more security issues in cacti that need fixing:

cacti 0.8.7g fixes CVE-2010-2543, CVE-2010-2544, CVE-2010-2545
cacti 0.8.7f fixes CVE-2010-1644, CVE-2010-1645, CVE-2010-2092, CVE-2010-1431

Unsubscribing ubuntu-security-sponsors since the debdiff is incomplete.

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Thanks!

Maverick is affected by CVE-2009-4032 for sure, and CVE-2009-4112 needs to be investigated.

CVE-2009-4032, CVE-2010-1644, CVE-2010-1645, CVE-2010-2543, CVE-2010-2544, and CVE-2010-2545 are all fixed in 0.8.7g-1.

I am going to close the maverick task since I created a sync request for it in https://bugs.edge.launchpad.net/ubuntu/+source/cacti/+bug/646909.

2009-4032 - Already patched
2009-4112 - Affected but of low importance; upstream has not provided a patch
2010-1431 - Patched
2010-1644 - Patched
2010-1645 - Patched
2010-2092 - Patched
2010-2543,2544,2545 - Patched

Thanks for the debdiff Brian.

There seems to be parts missing from the 2010-254* patch...AFAICT, the upstream commits are:

http://svn.cacti.net/viewvc?view=rev&revision=6025
http://svn.cacti.net/viewvc?view=rev&revision=6037
http://svn.cacti.net/viewvc?view=rev&revision=6038
http://svn.cacti.net/viewvc?view=rev&revision=6041
http://svn.cacti.net/viewvc?view=rev&revision=6042

Could you check, and update the patch if necessary?

Also, you should add Origin tags to your patches in the future so they are easier to retrace to the upstream commits, for example:

Origin: upstream, http://svn.cacti.net/viewvc?view=rev&revision=6025
or
Origin: backport, http://svn.cacti.net/viewvc?view=rev&revision=6025

I'm unsubscribing ubuntu-security-sponsors for now. Please re-subscribe ubuntu-security-sponsors when you update debdiff, and set the status to "NEW".

Thanks!

Sorry about that major oversight. The lucid debdiff should be complete now.

Jaunty is EOL.

ACK for lucid, though I updated the version to be -2ubuntu0.1 instead of -2.1, following the versioning guide at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation

I'll upload this to security-proposed shortly. Thanks!

Pocket copied cacti to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Unsubscribing ubuntu-security-sponsors. Please resubscribe if providing another debdiff for review.

I tested this package pretty thoroughly before submitting the debdiff. I installed it, added graphs, and verified that all the scripts that were modified could be used successfully.

I'm sure you want a second pair of eyes on it though.

This bug was fixed in the package cacti - 0.8.7e-2ubuntu0.1

---------------
cacti (0.8.7e-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix SQL injection vulnerability in templates_export.php
    (LP: #599892)
    - debian/patches/CVE-2010-1431.patch: patch derived from upstream patch
    - CVE-2010-1431
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-1644.patch: patch derived from upstream patch
    - CVE-2010-1644
  * SECURITY UPDATE: Fix arbitrary command execution vuln
    - debian/patches/CVE-2010-1645.patch: patch derived from upstream patches
    - CVE-2010-1645
  * SECURITY UPDATE: Fix a SQL injection vulnerability in graph.php
    - debian/patches/CVE-2010-2092.patch: patch derived from Debian patch
    - CVE-2010-2092
    - DSA-2060
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-2543.patch: patch derived from upstream patches
    - CVE-2010-2543
    - CVE-2010-2544
    - CVE-2010-2545
 -- Brian Thomason <email address hidden> Mon, 24 Jan 2011 11:20:13 -0500

Copied to lucid-security, too.

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.