From ${URL} :

Description
Some vulnerabilities have been reported in Cacti, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

1) Certain unspecified input is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Certain unspecified input is not properly sanitised before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands.

The vulnerabilities are reported in versions prior to 0.8.8b.

Solution:
Update to version 0.8.8b.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://forums.cacti.net/viewtopic.php?f=21&t=50593

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for stabilization or not.
I've bumped cacti on my overlay to 0.8.8b. I'll add it to the tree tomorrow if the maintainer doesn't get to it before me.
I've added the ebuild to the tree. Since I see no CVE references here and I have at least one oss-security email requesting them without reply, I'm adding the following snippet from another oss-security thread so someone can confirm if these are the CVE identifiers that should be used for this case:

From Giuseppe Iuculano iuculano AT debian DOT org

The Debian Security Team had assigned the following CVEs:

CVE-2013-1434: for the SQL injection issues, fixed by http://svn.cacti.net/viewvc?view=rev&revision=7394

CVE-2013-1435: for the shell escaping issues, fixed by http://svn.cacti.net/viewvc?view=rev&revision=7392 and http://svn.cacti.net/viewvc?view=rev&revision=7393
Those CVEs appear to be correct. Let's hold off on stabilizing for a bit, though, since a couple more Cacti CVEs just got issued this morning.
CVE-2013-1435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1435):
(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVE-2013-1434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1434):
Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
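The two bug classes named in the NVD entries above, shown as the unsafe PHP pattern beside a hardened one. This is an added illustration written for this thread; it is not Cacti's code and does not reproduce the actual vulnerable lines in snmp.php, rrd.php, api_poller.php or utility.php, which the advisories leave unspecified. The snmpwalk command shape, the `poller` table and the sample inputs are constructed for the demo, and the SQL half assumes PHP's bundled pdo_sqlite extension is available.

```php
<?php
// Added illustration, not Cacti's own code. Two bug classes from the
// advisory: shell metacharacters in a command line (CVE-2013-1435 class)
// and SQL built by string concatenation (CVE-2013-1434 class).
// All inputs and the poller table below are constructed sample data.

// --- Shell metacharacters in a command line ---------------------------------

// Unsafe: untrusted input concatenated straight into the command string.
// A value such as "127.0.0.1; id" ends the snmpwalk command and starts another.
function build_snmp_command_unsafe(string $host, string $community): string
{
    return "snmpwalk -v2c -c " . $community . " " . $host . " system";
}

// Hardened: each untrusted token becomes exactly one single-quoted shell
// argument, so separators, backticks and $() inside it are inert.
function build_snmp_command_safe(string $host, string $community): string
{
    return "snmpwalk -v2c -c " . escapeshellarg($community) . " "
         . escapeshellarg($host) . " system";
}

// Defence in depth: allow-list the value before it reaches any shell at all
// (assumed hostname/IP character set for this demo).
function is_plausible_host(string $host): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.\-]{1,253}$/', $host);
}

// --- SQL built by string concatenation --------------------------------------

// In-memory SQLite stands in for Cacti's MySQL schema (constructed table).
function setup_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE poller (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO poller (id, name) VALUES (1, 'main'), (2, 'remote')");
    return $db;
}

// Unsafe: the id arrives as a request string and is interpolated unquoted,
// so "1 OR 1=1" rewrites the WHERE clause.
function poller_names_unsafe(PDO $db, string $id): array
{
    $rows = $db->query("SELECT name FROM poller WHERE id = " . $id);
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a bound parameter is data only and cannot alter query structure.
function poller_names_safe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM poller WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Demo --------------------------------------------------------------------

$badHost = '127.0.0.1; id';   // constructed: hostname carrying a command separator
echo "unsafe cmd : " . build_snmp_command_unsafe($badHost, 'public') . "\n";
echo "safe cmd   : " . build_snmp_command_safe($badHost, 'public') . "\n";
echo "allow-list : " . (is_plausible_host($badHost) ? 'accept' : 'reject') . "\n";

$db = setup_demo_db();
$badId = '1 OR 1=1';           // constructed: classic tautology payload
echo "unsafe sql : " . implode(',', poller_names_unsafe($db, $badId)) . "\n";
echo "safe sql   : " . implode(',', poller_names_safe($db, $badId)) . "\n";
```

Run it with `php demo.php`. The unsafe command line contains the bare `; id` sequence, while the hardened one carries `'127.0.0.1; id'` as a single quoted argument and the allow-list rejects it outright; the concatenated query returns every poller row, while the prepared statement treats the whole string as one id value and matches nothing. Note that only the command strings are printed here; nothing is passed to `exec()` or `shell_exec()`, which is the point at which the unsafe string would become a remote command execution.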
Added to existing GLSA draft
This issue was resolved and addressed in GLSA 201401-20 at http://security.gentoo.org/glsa/glsa-201401-20.xml by GLSA coordinator Sean Amoss (ackle).