CVE-2011-4824 SQL injection issue in auth_login.php

 status new
 assignee nobody
 private no
 subscribe ubuntu-security-sponsors
 tag patch
 done

On 12/20/2011 03:20 PM, Mahyuddin Susanto wrote:
> ** Bug watch added: Debian Bug tracker #652371
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652371
>
> ** Also affects: cacti (Debian) via
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652371
> Importance: Unknown
> Status: Unknown
>

Attached debdiff for lucid, maverick, natty and oneiric

Thanks for the debdiffs! Unfortunately, the do not apply (patching the series file fails on each). How did you generate these? Did you test the patched packages? Per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue, I have marked these tasks Incomplete and assigned them to you. Please adjust the debdiff and note the testing performed.

Unsubscribing ubuntu-security-sponsors. Please resubscribe after submitting updated debdiffs. Thanks again.

Also, the lucid debdiff contains undocumented changes to debian/po files. When submitting, can you remove this from the debdiff?

One last thing, cacti on lucid has several other open CVEs: CVE-2010-1644, CVE-2010-1645, CVE-2010-2543, CVE-2010-2544 and CVE-2010-2545. Do you plan on providing patches for these as well? If so, please update the debdiff to include these as well. Thanks again!

> How did you generate these? Did you test the patched packages?

By looking at upstream svn changes i can modify debian sources easily. Yes, i tested it.

 > When submitting, can you remove this from the debdiff?

Yup

> One last thing, cacti on lucid has several other open CVEs: CVE-2010-1644, CVE-2010-1645, CVE-2010-2543, CVE-2010-2544 and CVE-2010-2545. Do you plan on providing patches for these as well? If so, please update the debdiff to include these as well. Thanks again!

CVE's as mention in above has been resolved in 0.8.7e-2ubuntu0.1 by Brian Thomson. Here is changelog in 0.8.7e-2ubuntu0.1:
cacti (0.8.7e-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix SQL injection vulnerability in templates_export.php
    (LP: #599892)
    - debian/patches/CVE-2010-1431.patch: patch derived from upstream patch
    - CVE-2010-1431
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-1644.patch: patch derived from upstream patch
    - CVE-2010-1644
  * SECURITY UPDATE: Fix arbitrary command execution vuln
    - debian/patches/CVE-2010-1645.patch: patch derived from upstream patches
    - CVE-2010-1645
  * SECURITY UPDATE: Fix a SQL injection vulnerability in graph.php
    - debian/patches/CVE-2010-2092.patch: patch derived from Debian patch
    - CVE-2010-2092
    - DSA-2060
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-2543.patch: patch derived from upstream patches
    - CVE-2010-2543
    - CVE-2010-2544
    - CVE-2010-2545

 -- Brian Thomason <email address hidden> Mon, 24 Jan 2011 11:20:13 -0500

Perhaps due to LP's email processing, the debdiff I tried (natty) was lacking a trailing newline on the last line. After adding that, things went nicely.

I've confirmed that the natty debdiff builds for me, and that cacti continues to behave after update.

Agreed with Kees Cook,

Here updated debdiff

Regarding newline in maverick-oneiric: weird. Thanks for the update. I can confirm the patches apply after adding the newline.

ACK lucid-oneiric. Thanks for the patches!

Uploaded to the security ppa.

The attachment "cacti_lucid.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Oops, maverick and natty have the same version. We need to use 0.8.7g-1ubuntu0.10.10.1 and 0.8.7g-1ubuntu0.11.04.1. Adjusting and reuploading.

This bug was fixed in the package cacti - 0.8.7g-2.1ubuntu0.1

---------------
cacti (0.8.7g-2.1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 16:01:16 +0700

This bug was fixed in the package cacti - 0.8.7g-1ubuntu0.11.04.1

---------------
cacti (0.8.7g-1ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 15:52:09 +0700

This bug was fixed in the package cacti - 0.8.7g-1ubuntu0.10.10.1

---------------
cacti (0.8.7g-1ubuntu0.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 15:46:56 +0700

This bug was fixed in the package cacti - 0.8.7e-2ubuntu0.2

---------------
cacti (0.8.7e-2ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
    - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
    - CVE-2011-4824
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 22:39:36 +0700

Fixed in precise

cacti (0.8.7i-2) unstable; urgency=3Dlow

  * Cherry-pick upstream patches
    - debian/patches/10_settings_checkbox.patch
  * debian/patches/05_no-adodb.patch: Updates, add semicolon at line 190.
    (Closes: #653863)
  * Updated last changelog to mention security bug.

cacti (0.8.7i-1) unstable; urgency=3Dlow

  * New upstream release. (Closes: #642971)
    - Fix Ping query. (Closes: #616320, #561488)
    - Fix SQL injection issue in auth_login.php (Closes: #652371) this is
      CVE-2011-4824
  * debian/control:
    - Bump Standard-Version to 3.9.2, no source changes.
    - Change Maintainer to pkg-cacti. (Closes: #613857)
    - Add Sean and myself as uploaders.
    - Change Vcs-* to pkg-cacti.
  * debian/copyright: Rewriting as per dep5 format.
  * debian/source: Added to mentioning quilt patch system.
  * debian/README.source: Deleted, not needed anymore
  * debian/patches/09_use-utf8.patch: Use UTF-8 while creating database and
    producing RRD, Thanks to Slavko <email address hidden>. (Closes: #604395)
  * Refreshed pathces:
    - debian/patches/01_config.php.patch
    - debian/patches/05_no-adodb.patch
    - debian/patches/06_config_settings.php_cactid_path.patch
    - debian/patches/07_cli-include-path.patch (Closes: #604396)
    - debian/patches/08_563955_local_data_id.patch (Closes: #563955)
  * Drop patches apllied upstream:
    - 606062_ping.pl.patch
    - data_source_deactivate.patch
    - graph_list_view.patch
    - html_output.patch
    - ldap_group_authenication.patch
    - ping.patch
    - poller_interval.patch
    - script_server_command_line_parse.patch
  * Add Lighttpd support:
    - debian/docs: updated
    - debian/cacti.lighttpd.conf: added
    - debian/cacti.{postinst|postrm|templates}: updated

I suspect bug 914746 is the result of regression in the patch for lucid. If so, maybe also maverick, natty and oneiric are effected, as the proposed solution comes from upstream 0.8.7i version. My suspicion is raised by the first patch that was attached to the bug, which was against the 0.8.7g version of cacti (in Maverick, Natty and Oneiric).

If this all is true, a proposed patch is already available in that bug [1].

[1] https://launchpadlibrarian.net/109336601/LP914746_data_query.patch

The package based on 0.8.7g are fine. The problem is only in lucid. The patch did not work. Improved patch available [2].

[2] https://launchpadlibrarian.net/109541404/LP914746_regression_lucid_string_offset_in_data_query.patch

After even more investigation, I don't think bug 914746 is caused by regression, I think it is a bug on it's own. Sorry for the noise.