From ${URL}: Mischa Sallé and Wilco Baan Hofman reported a security issue in cacti to Debian when processing arguments passed to the graph settings script: http://svn.cacti.net/viewvc?view=rev&revision=7454 No CVE has currently been assigned. Additional information from RedHat at https://bugzilla.redhat.com/show_bug.cgi?id=1129762: "It was reported [1] that upstream fixed incomplete and incorrect input parsing, that leads to remote code execution and SQL injection attack scenarios. [2]" https://bugzilla.redhat.com/show_bug.cgi?id=1127165
CVE-2014-5262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5262): SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CVE-2014-5261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5261): The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php.
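The CVE-2014-5261 entry above describes the defect class rather than the fix: a user-controlled font size reached the rrdtool command line unvalidated. The snippet below is an added example written for this thread, not Cacti's own code or upstream's patch, showing the two controls a maintainer would expect to see on that path: a strict whitelist on the font size and `escapeshellarg()` on the assembled token. The function names and the accepted size range are assumptions.

```php
<?php
// Added example (not Cacti code): hardening the font-size path that
// CVE-2014-5261 describes, where a user-supplied value reached the rrdtool
// command line. Function names and the 4..30 range are hypothetical.

/**
 * Accept only a plain decimal font size in a sane range. Anything else,
 * including values carrying shell metacharacters, is rejected and the
 * caller falls back to a fixed default instead of a user-controlled string.
 */
function sanitize_font_size($value, $default = 10.0) {
    if (!is_string($value) && !is_int($value) && !is_float($value)) {
        return $default;
    }
    $s = trim((string)$value);
    // At most two digits with an optional single decimal: "8", "12", "10.5".
    if (!preg_match('/^\d{1,2}(\.\d)?$/', $s)) {
        return $default;
    }
    $n = (float)$s;
    if ($n < 4.0 || $n > 30.0) {
        return $default;
    }
    return $n;
}

/**
 * Build the rrdtool --font argument (syntax: --font TAG:size[:font]).
 * The size has already been validated; the tag is restricted to rrdtool's
 * known font tags, and the finished token still goes through
 * escapeshellarg() so it can be appended to a shell command line without
 * being reinterpreted. Defence in depth: neither check relies on the other.
 */
function rrdtool_font_arg($tag, $size) {
    $allowed = array('DEFAULT', 'TITLE', 'AXIS', 'UNIT', 'LEGEND', 'WATERMARK');
    if (!in_array($tag, $allowed, true)) {
        $tag = 'DEFAULT';
    }
    return '--font ' . escapeshellarg($tag . ':' . $size);
}

// Constructed inputs: one legitimate value and one carrying a metacharacter.
$good = sanitize_font_size('12');
$bad  = sanitize_font_size('12;echo x');   // rejected, becomes the default
echo rrdtool_font_arg('TITLE', $good), "\n";
echo rrdtool_font_arg('TITLE', $bad), "\n";
```

The whitelist is the control that actually closes the hole; `escapeshellarg()` is there so that a future code path that forgets to validate still cannot break out of the argument. Applying the same pattern (cast or whitelist, then bind) to the value that reached SQL in CVE-2014-5262 would be the matching fix for the second entry.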
Maintainers, please confirm if this was fixed in 0.8.8d. It looks like it was, but I would like verification, as the upstream page does not have the CVEs added. http://www.cacti.net/changelog.php
Doesn't look like it was fixed until after the 0.8.9 tag: http://svn.cacti.net/viewvc/cacti/branches/0.8.9/graph_settings.php?view=log&pathrev=7454 0.8.9 is not available yet from upstream. Package has not been updated upstream in quite some time. @maintainer(s), can this be backported and included in the tree?
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05 by GLSA coordinator Aaron Bauman (b-man).