Hello community,
here is the log from the commit of package cacti
checked in at Tue Jan 9 17:41:24 CET 2007.
--------
--- cacti/cacti.changes 2006-03-17 11:37:29.000000000 +0100
+++ /mounts/work_src_done/NOARCH/cacti/cacti.changes 2007-01-09 16:12:40.000000000 +0100
@@ -1,0 +2,5 @@
+Tue Jan 9 16:12:03 CET 2007 - prusnak@suse.cz
+
+- fixed CVE-2006-6799 [#231082]
+
+-------------------------------------------------------------------
Old:
----
path_fix.patch
New:
----
cacti-0.8.6h-CVE-2006-6799.patch
cacti-0.8.6h-path_fix.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cacti.spec ++++++
--- /var/tmp/diff_new_pack.Sf1664/_old 2007-01-09 17:40:40.000000000 +0100
+++ /var/tmp/diff_new_pack.Sf1664/_new 2007-01-09 17:40:40.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package cacti (Version 0.8.6h)
#
-# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -12,16 +12,17 @@
Name: cacti
BuildRequires: apache2-devel libapr-util1-devel pcre-devel
Version: 0.8.6h
-Release: 8
+Release: 41
Summary: Web Front-End to Monitor System Data via RRDtool
-License: GPL
+License: GNU General Public License (GPL)
Group: System/Monitoring
URL: http://www.cacti.net/
Source0: %{name}-%{version}.tar.bz2
-Source1: cacti.cron
-Source2: cacti-httpd.conf
-Source3: cacti.logrotate
-Patch: path_fix.patch
+Source1: %{name}.cron
+Source2: %{name}-httpd.conf
+Source3: %{name}.logrotate
+Patch: %{name}-%{version}-path_fix.patch
+Patch1: %{name}-%{version}-CVE-2006-6799.patch
Requires: http_daemon net-snmp rrdtool php mod_php_any
Requires: php-snmp php-mysql php-session
BuildArch: noarch
@@ -49,6 +50,7 @@
%prep
%setup -q
%patch
+%patch1
%build
@@ -95,6 +97,8 @@
%config(noreplace) /etc/logrotate.d/%{name}
%changelog -n cacti
+* Tue Jan 09 2007 - prusnak@suse.cz
+- fixed CVE-2006-6799 [#231082]
* Fri Mar 17 2006 - stark@suse.de
- fix path settings
* Wed Jan 25 2006 - mls@suse.de
++++++ cacti-0.8.6h-CVE-2006-6799.patch ++++++
--- include/html/inc_timespan_settings.php
+++ include/html/inc_timespan_settings.php
@@ -24,6 +24,20 @@
+-------------------------------------------------------------------------+
*/
+/* ================= input validation ================= */
+input_validate_input_number(get_request_var_request("predefined_timespan"));
+/* ==================================================== */
+
+/* clean up date1 string */
+if (isset($_REQUEST["date1"])) {
+ $_REQUEST["date1"] = sanitize_search_string(get_request_var("date1"));
+}
+
+/* clean up date2 string */
+if (isset($_REQUEST["date2"])) {
+ $_REQUEST["date2"] = sanitize_search_string(get_request_var("date2"));
+}
+
/* initialize the timespan array */
$timespan = array();
--- lib/api_device.php
+++ lib/api_device.php
@@ -65,7 +65,7 @@
}
$save["id"] = $id;
- $save["host_template_id"] = $host_template_id;
+ $save["host_template_id"] = form_input_validate($host_template_id, "host_template_id", "^[0-9]+$", false, 3);
$save["description"] = form_input_validate($description, "description", "", false, 3);
$save["hostname"] = form_input_validate($hostname, "hostname", "", false, 3);
$save["snmp_community"] = form_input_validate($snmp_community, "snmp_community", "", true, 3);
--- scripts/ss_host_cpu.php
+++ scripts/ss_host_cpu.php
@@ -1,8 +1,14 @@
= " .
- $_SERVER["argv"][1] .
- " and id <= " .
- $_SERVER["argv"][2] . ") ORDER by id");
+
+ /* address potential exploits */
+ input_validate_input_number($_SERVER["argv"][1]);
+ input_validate_input_number($_SERVER["argv"][2]);
+
+ $hosts = db_fetch_assoc("
+ SELECT * FROM host
+ WHERE (disabled = ''
+ AND id >= " . $_SERVER["argv"][1] . "
+ AND id <= " . $_SERVER["argv"][2] . ")
+ ORDER by id");
$hosts = array_rekey($hosts,"id",$host_struc);
$host_count = sizeof($hosts);
- $polling_items = db_fetch_assoc("SELECT * from poller_item " .
- "WHERE (host_id >= " .
- $_SERVER["argv"][1] .
- " and host_id <= " .
- $_SERVER["argv"][2] . ") ORDER by host_id");
-
- $script_server_calls = db_fetch_cell("SELECT count(*) from poller_item " .
- "WHERE (action=2 AND (host_id >= " .
- $_SERVER["argv"][1] .
- " and host_id <= " .
- $_SERVER["argv"][2] . "))");
+ $polling_items = db_fetch_assoc("
+ SELECT * from poller_item
+ WHERE (host_id >= " . $_SERVER["argv"][1] . "
+ AND host_id <= " . $_SERVER["argv"][2] . ")
+ ORDER by host_id");
+
+ $script_server_calls = db_fetch_cell("
+ SELECT count(*)
+ FROM poller_item
+ WHERE (action=2
+ AND (host_id >= " . $_SERVER["argv"][1] . "
+ AND host_id <= " . $_SERVER["argv"][2] . "))");
}else{
print "ERROR: Invalid Arguments. The first argument must be less than or equal to the first.\n";
print "USAGE: CMD.PHP [[first_host] [second_host]]\n";
--- copy_cacti_user.php
+++ copy_cacti_user.php
@@ -25,9 +25,10 @@
*/
/* do NOT run this script through a web browser */
-if (! isset($_SERVER["argv"][0])) {
- die("This script is only meant to run at the command line.\n");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
}
+
if (empty($_SERVER["argv"][2])) {
die("\nSyntax:\n php copy_cacti_user.php <template user> <new user>\n\n");
}
--- poller.php
+++ poller.php
@@ -26,8 +26,8 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("<br><strong>This script is only meant to run at the command line.</strong>");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
}
/* We are not talking to the browser */
--- poller_commands.php
+++ poller_commands.php
@@ -27,8 +27,8 @@
define("MAX_RECACHE_RUNTIME", 296);
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("<br><strong>This script is only meant to run at the command line.</strong>");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
}
/* We are not talking to the browser */
--- poller_export.php
+++ poller_export.php
@@ -25,8 +25,8 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("<br><strong>This script is only meant to run at the command line.</strong>");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
}
/* We are not talking to the browser */
--- poller_reindex_hosts.php
+++ poller_reindex_hosts.php
@@ -25,8 +25,8 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("<br><strong>This script is only meant to run at the command line.</strong>");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
}
ini_set("max_execution_time", "0");
--- rebuild_poller_cache.php
+++ rebuild_poller_cache.php
@@ -25,8 +25,8 @@
*/
/* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
- die("<br><strong>This script is only meant to run at the command line.</strong>");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
+ die("<br><strong>This script is only meant to run at the command line.</strong>");
}
$no_http_headers = true;
--- script_server.php
+++ script_server.php
@@ -1,3 +1,4 @@
+#!/usr/bin/php -q
"Cacti Log File Path",
"description" => "The path to your Cacti log file (if blank, defaults to