Bug 480196 (CVE-2013-1434) - <net-analyzer/cacti-0.8.8b: SQL and Command Injection Vulnerabilities (CVE-2013-{1434,1435})
Summary: <net-analyzer/cacti-0.8.8b: SQL and Command Injection Vulnerabilities (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2013-1434
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54386/
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2013-5588
Blocks:
Reported: 2013-08-07 18:55 UTC by Agostino Sarubbo
Modified: 2014-01-21 19:30 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-08-07 18:55:12 UTC
From ${URL} :

Description

Some vulnerabilities have been reported in Cacti, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

1) Certain unspecified input is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Certain unspecified input is not properly sanitised before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands.

The vulnerabilities are reported in versions prior to 0.8.8b.


Solution:
Update to version 0.8.8b.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://forums.cacti.net/viewtopic.php?f=21&t=50593


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2013-08-13 00:25:25 UTC
I've bumped cacti on my overlay to 0.8.8b. I'll add it to the tree tomorrow if the maintainer doesn't get to it before me.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2013-08-25 13:08:45 UTC
I've added the ebuild to the tree.

Since I see no CVE references here and I have at least one oss-security email requesting them without reply, I'm adding the following snippet from another oss-security thread so someone can confirm if these are the CVE identifiers that should be used for this case:

From Giuseppe Iuculano iuculano AT debian DOT org
The Debian Security Team had assigned the following CVEs:

CVE-2013-1434: for the SQL injection issues, fixed by
http://svn.cacti.net/viewvc?view=rev&revision=7394

CVE-2013-1435: for the shell escaping issues, fixed by
http://svn.cacti.net/viewvc?view=rev&revision=7392 and
http://svn.cacti.net/viewvc?view=rev&revision=7393
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-25 14:16:14 UTC
Those CVEs appear to be correct. Let's hold off on stabilizing for a bit, though, since a couple more Cacti CVEs just got issued this morning.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:34:54 UTC
CVE-2013-1435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1435):
  (1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers
  to execute arbitrary commands via shell metacharacters in unspecified
  vectors.

CVE-2013-1434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1434):
  Multiple SQL injection vulnerabilities in (1) api_poller.php and (2)
  utility.php in Cacti before 0.8.8b allow remote attackers to execute
  arbitrary SQL commands via unspecified vectors.
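The two NVD entries above describe the generic bug classes (shell metacharacters reaching a command line; untrusted values concatenated into SQL text). The following PHP is an added illustration of each pattern beside its hardened form; it is not Cacti's code and does not reproduce the affected snmp.php, rrd.php, api_poller.php or utility.php. The hostname, OID, table name and column name are constructed placeholders, and the SQLite in-memory database exists only so the block runs stand-alone.

```php
<?php
// Added illustration, not Cacti's code. Inputs and schema are constructed.

// --- 1) Command injection via shell metacharacters -------------------------
// Unsafe: the untrusted value is interpolated into a shell command string,
// so ';', '|', '`' or '$(' in the value become part of the command.
function build_snmpget_unsafe(string $host, string $oid): string {
    return "snmpget -v2c -c public $host $oid";
}

// Hardened: validate the shape first, then quote every argument.
// escapeshellarg() wraps the value in single quotes and escapes embedded
// quotes, so the shell sees the whole value as one literal word.
function build_snmpget_safe(string $host, string $oid): string {
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('hostname contains disallowed characters');
    }
    if (!preg_match('/^\.?[0-9]+(\.[0-9]+)*$/', $oid)) {
        throw new InvalidArgumentException('OID must be in numeric dotted form');
    }
    return 'snmpget -v2c -c public ' . escapeshellarg($host) . ' ' . escapeshellarg($oid);
}

// --- 2) SQL injection via string concatenation -----------------------------
// Unsafe: the id is concatenated into the query text, so the value can
// change the structure of the statement.
function poller_query_unsafe(string $pollerId): string {
    return "SELECT id, hostname FROM poller WHERE id = $pollerId";
}

// Hardened: the value is type-checked and bound to a prepared statement, so
// it travels separately from the query text and is only ever data.
function poller_query_safe(PDO $db, string $pollerId): array {
    if (!ctype_digit($pollerId)) {
        throw new InvalidArgumentException('poller id must be an unsigned integer');
    }
    $stmt = $db->prepare('SELECT id, hostname FROM poller WHERE id = :id');
    $stmt->bindValue(':id', (int) $pollerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration with constructed inputs ---------------------------------
$oid  = '1.3.6.1.2.1.1.1.0';
$host = 'router1.example; echo injected';   // constructed: contains a ';' metacharacter

echo "unsafe : ", build_snmpget_unsafe($host, $oid), "\n";
try {
    echo "safe   : ", build_snmpget_safe($host, $oid), "\n";
} catch (InvalidArgumentException $e) {
    echo "safe   : rejected (", $e->getMessage(), ")\n";
}
echo "safe   : ", build_snmpget_safe('router1.example', $oid), "\n";

// Constructed in-memory schema so the prepared-statement path can run.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE poller (id INTEGER PRIMARY KEY, hostname TEXT)');
$db->exec("INSERT INTO poller (id, hostname) VALUES (1, 'router1.example'), (2, 'switch2.example')");

$id = '1 OR 1=1';   // constructed: would widen the unsafe query to every row
echo "unsafe : ", poller_query_unsafe($id), "\n";
try {
    poller_query_safe($db, $id);
} catch (InvalidArgumentException $e) {
    echo "safe   : rejected (", $e->getMessage(), ")\n";
}
print_r(poller_query_safe($db, '1'));   // returns only the row with id = 1
```

The validation step matters as much as the quoting: escapeshellarg() makes the argument inert to the shell, and the prepared statement makes the id inert to the SQL parser, but the allowlist checks also give a clear, loggable rejection point for input that should never have reached either call, which is the event a detection rule would watch for.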
Comment 5 Sergey Popov gentoo-dev 2014-01-15 12:28:16 UTC
Added to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 19:30:05 UTC
This issue was resolved and addressed in
 GLSA 201401-20 at http://security.gentoo.org/glsa/glsa-201401-20.xml
by GLSA coordinator Sean Amoss (ackle).