Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 96243

Summary: net-analyzer/cacti SQL injection / global php var security issues
Product: Gentoo Security Reporter: Lance Albertson (RETIRED) <ramereth>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: blubb, eldad, gustavoz, hansmi, ka0ttic, tester
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
URL: http://www.cacti.net/downloads/cacti-0.8.6e.tar.gz
Whiteboard: C1 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Lance Albertson (RETIRED) gentoo-dev 2005-06-15 19:39:27 UTC 
I recently got in contact with the authors of cacti, so I'm the first gentoo person to see this. Got an email from this not too long ago:

----

Recently the Cacti group had been informed of some serious security 
issues that would allow for SQL injection and global php variable 
overwriting.  To resolve these issues, we have new release of Cacti 
0.8.6e, which includes the security fixes and some minor bug fixes.

We will be announcing the new release of Cacti 0.8.6e on Monday June 20th.

You can find Cacti 0.8.6e at 
http://www.cacti.net/downloads/cacti-0.8.6e.tar.gz, which is the 
standard download location.

We hope this will at least be enough time to get the ball rolling for 
updating related packages in distributions.

If you have any questions, please let us know.

Thanks,

The Cacti Group

Tony Roman
Cacti Developer

----

Not sure if they want this kind of quiet till the official release, so I'll mark this only visible for security folks. (I noticed they put it on vendor-disclosure).
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-15 22:10:10 UTC 
Adding individual maintainers as aliases don't work on restricted bugs.  
 
Eldad/Aaron please attach an updated ebuild to this bug, do NOT commit 
anything.
Comment 2 Lance Albertson (RETIRED) gentoo-dev 2005-06-15 22:56:18 UTC 
FYI, I talked with solar about this and he already just bumped an ebuild in
portage (but its masked -*). No mention of why its there was included. I emailed
the author to see how quiet he wants this since he was a bit vague on that in
the email. I've already upgraded my personal setup at home on x86 and seems to
be working fine. 

Sorry that I didn't include individual folks, I knew I forgot something :-)

I'll keep you upprised of any more info from upstream.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-16 10:01:42 UTC 
Please test and report back success on this bug. Do NOT mark stable. Since it 
is marked -* I've also called unstable arches.
Comment 4 Lance Albertson (RETIRED) gentoo-dev 2005-06-16 18:01:27 UTC 
FYI: If you tried testing this ebuild before this comment, please try again. The
author just sent an email stating the tarball has changed with one more minor
bug fix. I just updated the digest for it and should hit the rsync mirrors in
30-45min.
Comment 5 Simon Stelling (RETIRED) gentoo-dev 2005-06-18 13:36:38 UTC 
works fine on amd64
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-18 14:18:59 UTC 
Works on ppc.
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2005-06-18 17:10:38 UTC 
Alpha works.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-20 08:23:59 UTC 
sparc good.
Sorry for the delay on this one.
Comment 9 Lance Albertson (RETIRED) gentoo-dev 2005-06-20 08:38:47 UTC 
Let me find out from the cacti authors when we can officially mark this stable
and release an announcement.
Comment 10 Lance Albertson (RETIRED) gentoo-dev 2005-06-20 10:56:02 UTC 
Looks like it won't be posted till later tonight:

---
I still have a few announcements to type up, so hopefully not after 8:00
PM EDT. Either way, keep your eyes on the website for the official
announcement before posting the distribution advisories.

Regarding Michael's question about a patch URL, I will post the
0.8.6d->0.8.6e security patch to the following URL:

http://www.cacti.net/downloads/patches/0.8.6d/cacti_0_8_6e_security.patch

Ian
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-20 14:19:09 UTC 
Soon time for GLSA decision on this one. I vote YES.
Comment 12 Lance Albertson (RETIRED) gentoo-dev 2005-06-20 19:55:33 UTC 
Its been announced on the cacti site. We're a go to start marking it stable and
whatever else you guys do.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-20 23:07:52 UTC 
This is now public -> opening. 
 
maintainers/patchers I think we can commit with target keywords:   
   
x86 ~ppc sparc ~alpha ~amd64
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-06-21 00:29:16 UTC 
I vote YES for GLSA
Comment 15 Lance Albertson (RETIRED) gentoo-dev 2005-06-21 11:22:10 UTC 
I'll go ahead and mark these as stated earlier, any objections?
Comment 16 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-21 11:26:55 UTC 
Lance: no.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-21 13:01:53 UTC 
ramereth please go ahead.
Comment 18 Lance Albertson (RETIRED) gentoo-dev 2005-06-21 13:37:41 UTC 
commited
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-21 13:47:02 UTC 
Thx Lance. This one is ready for GLSA. Security please review draft.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-22 08:27:15 UTC 
Thx everyone. 
 
GLSA 200506-20