
Bug 519900 (CVE-2014-5261)

Summary: <net-analyzer/cacti-0.8.8f-r1: remote code execution and SQL injection possibilities (CVE-2014-{5261,5262})
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: genzilla, netmon
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2014/q3/351
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-14 08:39:49 UTC
From ${URL}:
Mischa Sallé and Wilco Baan Hofman reported a security issue in cacti to 
Debian when processing arguments passed to the graph settings script:
http://svn.cacti.net/viewvc?view=rev&revision=7454 

No CVE has currently been assigned. Additional information from RedHat at 

https://bugzilla.redhat.com/show_bug.cgi?id=1129762:
"It was reported [1] that upstream fixed incomplete and incorrect input parsing,
that leads to remote code execution and SQL injection attack scenarios. [2]"


https://bugzilla.redhat.com/show_bug.cgi?id=1127165
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 12:44:20 UTC
CVE-2014-5262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5262):
  SQL injection vulnerability in the graph settings script
  (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to
  execute arbitrary SQL commands via unspecified vectors.

CVE-2014-5261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5261):
  The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier
  allows remote attackers to execute arbitrary commands via shell
  metacharacters in a font size, related to the rrdtool commandline in
  lib/rrd.php.
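The command injection that the CVE-2014-5261 text describes, shown as an added example that is not Cacti's own code: an attacker-controlled font size concatenated into a shell command line for rrdtool, beside a hardened form that validates the value and hands rrdtool an argv list with no shell in between. `echo` stands in for the rrdtool binary so the effect is visible, and the exact command line, the output path and the accepted font-size grammar are assumptions for illustration, not taken from lib/rrd.php.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the rrdtool binary: `echo` prints the
# arguments it receives, so the reader can see what the shell ran.
RRDTOOL = "echo"


def build_cmd_unsafe(font_size: str) -> str:
    """Vulnerable pattern: the request parameter is pasted straight into
    a string that is later given to /bin/sh (hypothetical command line)."""
    return f"{RRDTOOL} graph /tmp/out.png --font DEFAULT:{font_size}"


def run_unsafe(font_size: str) -> str:
    # shell=True hands the whole string to the shell, so ';', '|', '`'
    # and '$(...)' inside font_size become shell syntax, not data.
    return subprocess.run(build_cmd_unsafe(font_size), shell=True,
                          capture_output=True, text=True).stdout


# Assumed grammar for a font size: a short run of digits and nothing else.
FONT_SIZE_RE = re.compile(r"^[0-9]{1,3}$")


def validate_font_size(font_size: str) -> int:
    """Whitelist validation: reject anything that is not a plain integer."""
    if not FONT_SIZE_RE.match(font_size):
        raise ValueError(f"invalid font size: {font_size!r}")
    return int(font_size)


def run_safe(font_size: str) -> str:
    """Hardened form: validated value, and an argv list passed to execve
    directly, so no shell ever sees the argument."""
    size = validate_font_size(font_size)
    argv = [RRDTOOL, "graph", "/tmp/out.png", "--font", f"DEFAULT:{size}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_quoted(font_size: str) -> str:
    """Fallback when a shell string is unavoidable: quote every untrusted
    argument (shlex.quote here, escapeshellarg() in PHP). The metacharacters
    survive as literal text but are never interpreted."""
    cmd = (f"{RRDTOOL} graph /tmp/out.png --font "
           + shlex.quote(f"DEFAULT:{font_size}"))
    return subprocess.run(cmd, shell=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10;echo INJECTED"          # constructed malicious font size
    print("unsafe:\n" + run_unsafe(payload))   # second line shows injected cmd
    print("quoted:\n" + run_quoted(payload))   # single line, payload is data
    print("safe:\n" + run_safe("10"))
```

Validation and argv-style execution are complementary: validation keeps garbage out of the graph, while avoiding the shell removes the whole class of metacharacter bugs even if a later change loosens the regular expression.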
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-07-13 15:08:44 UTC
Maintainers, please confirm if this was fixed in 0.8.8d. It looks like it was, but would like verification, as the upstream page does not have the CVEs added.

http://www.cacti.net/changelog.php
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 07:29:23 UTC
Doesn't look like it was fixed until after the 0.8.9 tag:

http://svn.cacti.net/viewvc/cacti/branches/0.8.9/graph_settings.php?view=log&pathrev=7454

0.8.9 is not available yet from upstream.  Package has not been updated upstream in quite some time.

@maintainer(s), can this be backported and included in the tree?
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 13:44:31 UTC
Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 13:16:37 UTC
This issue was resolved and addressed in
 GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05
by GLSA coordinator Aaron Bauman (b-man).