Version in base suite: 1.2.16+ds1-2+deb11u1 Base version: cacti_1.2.16+ds1-2+deb11u1 Target version: cacti_1.2.16+ds1-2+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cacti/cacti_1.2.16+ds1-2+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cacti/cacti_1.2.16+ds1-2+deb11u2.dsc changelog | 8 + patches/0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch | 40 +++++++ patches/CVE-2023-39357.patch | 30 +++++ patches/CVE-2023-39359.patch | 35 ++++++ patches/CVE-2023-39361.patch | 23 ++++ patches/CVE-2023-39362_1.patch | 42 +++++++ patches/CVE-2023-39362_2.patch | 25 ++++ patches/CVE-2023-39364.patch | 34 +++++ patches/CVE-2023-39365.patch | 57 ++++++++++ patches/series | 8 + 10 files changed, 302 insertions(+) diff -Nru cacti-1.2.16+ds1/debian/changelog cacti-1.2.16+ds1/debian/changelog --- cacti-1.2.16+ds1/debian/changelog 2022-12-08 08:50:14.000000000 +0000 +++ cacti-1.2.16+ds1/debian/changelog 2023-10-27 20:31:19.000000000 +0000 @@ -1,3 +1,11 @@ +cacti (1.2.16+ds1-2+deb11u2) bullseye-security; urgency=high + + * Backport security patches from 1.2.25: CVE-2023-39357, CVE-2023-39359, + CVE-2023-39361, CVE-2023-39362, CVE-2023-39364, CVE-2023-39365, + CVE-2023-39513, CVE-2023-39515, CVE-2023-39516 + + -- Paul Gevers Fri, 27 Oct 2023 22:31:19 +0200 + cacti (1.2.16+ds1-2+deb11u1) bullseye-security; urgency=medium * Add 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216.patch to fix CVE-2022-46169 diff -Nru cacti-1.2.16+ds1/debian/patches/0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch cacti-1.2.16+ds1/debian/patches/0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch --- cacti-1.2.16+ds1/debian/patches/0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.16+ds1/debian/patches/0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch 2023-10-27 20:31:19.000000000 +0000 
@@ -0,0 +1,40 @@ +From 8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e Mon Sep 17 00:00:00 2001 +From: TheWitness +Date: Sat, 29 Apr 2023 14:51:41 -0400 +Subject: [PATCH] Fixing #5318 - Multiple minor stored XSS vulnerabilities + +SECURITY: Multiple minor stored XSS vulnerabilities in Cacti 1.2.24 +--- + CHANGELOG | 1 + + data_debug.php | 2 +- + data_sources.php | 4 ++-- + graphs.php | 5 ++++- + lib/reports.php | 3 ++- + 5 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/data_debug.php b/data_debug.php +index 6bad3d397..666cb4107 100644 +--- a/data_debug.php ++++ b/data_debug.php +@@ -848,7 +848,7 @@ function debug_view() { + } + + if (array_key_exists('value', $field)) { +- $value = $field['value']; ++ $value = html_escape($field['value']); + } + + if (array_key_exists('icon', $field)) { +diff --git a/data_sources.php b/data_sources.php +index 54753a7fa..928182e6b 100644 +--- a/data_sources.php ++++ b/data_sources.php +@@ -1163,7 +1163,7 @@ function ds_edit() { + + +
+-
++
+ + + diff -Nru cacti-1.2.16+ds1/debian/patches/CVE-2023-39357.patch cacti-1.2.16+ds1/debian/patches/CVE-2023-39357.patch --- cacti-1.2.16+ds1/debian/patches/CVE-2023-39357.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.16+ds1/debian/patches/CVE-2023-39357.patch 2023-10-27 20:31:19.000000000 +0000 @@ -0,0 +1,30 @@ +From 21f6b5c9238b3e8c83f2c9295374d96eb104f21d Mon Sep 17 00:00:00 2001 +From: TheWitness +Date: Fri, 4 Aug 2023 11:55:34 -0400 +Subject: [PATCH] Correct against possible SQL Injections + +--- + CHANGELOG | 1 + + lib/database.php | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/database.php b/lib/database.php +index a42c09b6b..57ca0aeb9 100644 +--- a/lib/database.php ++++ b/lib/database.php +@@ -1787,8 +1787,11 @@ function sql_save($array_items, $table_name, $key_cols = 'id', $autoinc = true, + } + } elseif (empty($value)) { + $array_items[$key] = 0; +- } else { ++ } elseif (is_numeric($value)) { + $array_items[$key] = $value; ++ } else { ++ cacti_log('ERROR: Column: ' . $key . ' contains and invald value: ' . $value, false, 'DBCALL'); ++ $array_items[$key] = 0; + } + } else { + $array_items[$key] = db_qstr($value); +-- +2.42.0 + diff -Nru cacti-1.2.16+ds1/debian/patches/CVE-2023-39359.patch cacti-1.2.16+ds1/debian/patches/CVE-2023-39359.patch --- cacti-1.2.16+ds1/debian/patches/CVE-2023-39359.patch 1970-01-01 00:00:00.000000000 +0000 +++ cacti-1.2.16+ds1/debian/patches/CVE-2023-39359.patch 2023-10-27 20:31:19.000000000 +0000 
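Review bot: The shipped 0001-Fixing-5318 patch is 40 lines long and ends inside the first data_sources.php hunk, yet its own diffstat lists a second data_sources.php change (`4 ++--`), `graphs.php | 5 ++++-` and `lib/reports.php | 3 ++-`, none of which appear in the file. Dropping the CHANGELOG hunk is normal for a backport, but if those code hunks were removed deliberately the diffstat should be trimmed to match, and if not, the stored-XSS fixes for graphs.php and lib/reports.php are missing from deb11u2. The changelog's CVE-2023-39513/39515/39516 have no dedicated patch file, so they presumably depend on this one; worth confirming which files each of them covers. The rendering here has stripped the HTML inside the data_sources.php hunk, so its content could not be reviewed.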
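Review bot: The new `else` branch in sql_save() writes the rejected value verbatim into the Cacti log via `cacti_log('ERROR: Column: ' . $key . ' contains and invald value: ' . $value, ...)`; the value is by construction untrusted, so it should at least be truncated and have control characters stripped before logging, unless cacti_log() already does that (not visible here). The message also has a typo and should read `' contains an invalid value: '`. Silently substituting 0 lets the save continue with altered data; whether callers of sql_save() can detect that is outside the hunk. Note that is_numeric() also accepts leading whitespace, signs and exponent forms, which is harmless for an unquoted SQL literal but broader than a plain integer id.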
@@ -0,0 +1,35 @@
+From 7459ff57abcd97ab8bc7a19de9e308ca62c17d38 Mon Sep 17 00:00:00 2001
+From: TheWitness
+Date: Fri, 4 Aug 2023 13:26:23 -0400
+Subject: [PATCH] Fixing XSS in graphs.php
+
+---
+ CHANGELOG | 1 +
+ graphs.php | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/graphs.php b/graphs.php
+index a0534a245..2ee43447b 100644
+--- a/graphs.php
++++ b/graphs.php
+@@ -92,7 +92,7 @@ switch (get_request_var('action')) {
+ case 'ajax_hosts':
+ $sql_where = '';
+ if (get_request_var('site_id') > 0) {
+- $sql_where = 'site_id = ' . get_request_var('site_id');
++ $sql_where = 'site_id = ' . get_filter_request_var('site_id');
+ }
+
+ get_allowed_ajax_hosts(true, 'applyFilter', $sql_where);
+@@ -101,7 +101,7 @@ switch (get_request_var('action')) {
+ case 'ajax_hosts_noany':
+ $sql_where = '';
+ if (get_request_var('site_id') > 0) {
+- $sql_where = 'site_id = ' . get_request_var('site_id');
++ $sql_where = 'site_id = ' . get_filter_request_var('site_id');
+ }
+
+ get_allowed_ajax_hosts(false, 'applyFilter', $sql_where);
+--
+2.42.0
+
diff -Nru cacti-1.2.16+ds1/debian/patches/CVE-2023-39361.patch cacti-1.2.16+ds1/debian/patches/CVE-2023-39361.patch
--- cacti-1.2.16+ds1/debian/patches/CVE-2023-39361.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.16+ds1/debian/patches/CVE-2023-39361.patch 2023-10-27 20:31:19.000000000 +0000
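Review bot: Both hunks in graphs.php still guard on the raw value, `if (get_request_var('site_id') > 0)`, and only the SQL use goes through get_filter_request_var(); reading the validated value once keeps the guard and the query consistent, e.g. `$site_id = get_filter_request_var('site_id');` / `if ($site_id > 0) {` / `$sql_where = 'site_id = ' . $site_id;`. The same shape applies to the `ajax_hosts_noany` case in the second hunk. The enclosing switch on `get_request_var('action')` starts and ends outside the hunk, and what get_filter_request_var() does on a non-integer value (presumably an integer filter that errors or returns empty) is not visible here.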
@@ -0,0 +1,23 @@
+From 4246aee6310846d0e106bd05279e54fff3765822 Mon Sep 17 00:00:00 2001
+From: TheWitness
+Date: Fri, 4 Aug 2023 15:27:40 -0400
+Subject: [PATCH] QA: Additional REGEXP and RLIKE changes
+
+---
+ aggregate_graphs.php | 2 +-
+ lib/html_tree.php | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/aggregate_graphs.php b/aggregate_graphs.php
+index 6ef088a29..514585667 100644
+--- a/aggregate_graphs.php
++++ b/aggregate_graphs.php
+@@ -1192,7 +1192,7 @@ function aggregate_items() {
+ if (get_request_var('rfilter') == '') {
+ $sql_where = '';
+ } elseif (validate_is_regex(get_request_var('rfilter'))) {
+- $sql_where = 'WHERE gtg.title_cache RLIKE "' . get_request_var('rfilter') . '"';
++ $sql_where = "WHERE gtg.title_cache RLIKE '" . get_request_var('rfilter') . "'";
+ } else {
+ $filters = explode(' ', get_request_var('rfilter'));
+ $sql_where = '';
diff -Nru cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_1.patch cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_1.patch
--- cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_1.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_1.patch 2023-10-27 20:31:19.000000000 +0000
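Review bot: The replacement line still concatenates `get_request_var('rfilter')` straight into the SQL string; swapping the surrounding quotes from `"` to `'` only changes which character terminates the literal, so the fix rests entirely on validate_is_regex() rejecting quote characters, which is not visible here. Passing the value through the existing quoting helper, `$sql_where = 'WHERE gtg.title_cache RLIKE ' . db_qstr(get_request_var('rfilter'));`, would not depend on that. Separately, this patch's diffstat lists `lib/html_tree.php | 8 ++++----` but the 23-line file contains only the aggregate_graphs.php hunk, so either the diffstat is stale or those changes were lost in the backport. aggregate_items() continues outside the hunk.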
@@ -0,0 +1,42 @@
+From cb9ab92f2580fc6cb9b64ce129655fb15e35d056 Mon Sep 17 00:00:00 2001
+From: TheWitness
+Date: Fri, 4 Aug 2023 13:22:01 -0400
+Subject: [PATCH] Addressing some potential command level injections
+
+-SECURITY: Protect against certain command level injections in snmp functions
+---
+ CHANGELOG | 1 +
+ lib/snmp.php | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/lib/snmp.php b/lib/snmp.php
+index 04307f3f2..d06dd8bc9 100644
+--- a/lib/snmp.php
++++ b/lib/snmp.php
+@@ -931,16 +931,16 @@ function snmp_escape_string($string) {
+ if (! defined('SNMP_ESCAPE_CHARACTER')) {
+ if ($config['cacti_server_os'] == 'win32') {
+ define('SNMP_ESCAPE_CHARACTER', '"');
++
++ if (substr_count($string, SNMP_ESCAPE_CHARACTER)) {
++ $string = str_replace(SNMP_ESCAPE_CHARACTER, "\\" . SNMP_ESCAPE_CHARACTER, $string);
++ }
++
++ return SNMP_ESCAPE_CHARACTER . $string . SNMP_ESCAPE_CHARACTER;
+ } else {
+- define('SNMP_ESCAPE_CHARACTER', "'");
++ return cacti_escape_shell_arg($string);
+ }
+ }
+-
+- if (substr_count($string, SNMP_ESCAPE_CHARACTER)) {
+- $string = substr_replace(SNMP_ESCAPE_CHARACTER, "\\" . SNMP_ESCAPE_CHARACTER, $string);
+- }
+-
+- return SNMP_ESCAPE_CHARACTER . $string . SNMP_ESCAPE_CHARACTER;
+ }
+
+ function snmp_get_method($type = 'walk', $version = 1, $context = '', $engineid = '',
+--
+2.42.0
+
diff -Nru cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_2.patch cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_2.patch
--- cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_2.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.16+ds1/debian/patches/CVE-2023-39362_2.patch 2023-10-27 20:31:19.000000000 +0000
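Review bot: On win32 the rewritten snmp_escape_string() only returns a value on its first call: the quoting and the `return` now sit inside `if (! defined('SNMP_ESCAPE_CHARACTER'))`, so once the constant has been defined every later call skips the whole block and returns null, presumably leaving an empty argument wherever the result is concatenated into a command. On other platforms the constant is never defined, so the `else` branch runs on every call and the problem does not show. The win32 branch also relies on `$config` being in scope through a `global` statement above the hunk, which is not visible here. Dropping the define() and doing the platform check on every call fixes this; CVE-2023-39362_2.patch later renames the helper to cacti_escapeshellarg(), and the same structure applies there.
```php
function snmp_escape_string($string) {
	// … unchanged: global $config declaration above the hunk, if present …
	if ($config['cacti_server_os'] == 'win32') {
		// Backslash-escape embedded double quotes and wrap; evaluated on every call, not only the first.
		return '"' . str_replace('"', '\\"', $string) . '"';
	}

	return cacti_escape_shell_arg($string);
}
```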
@@ -0,0 +1,25 @@
+From 4c26f39fa3567553192823a5e8096b187bbaddde Mon Sep 17 00:00:00 2001
+From: TheWitness
+Date: Fri, 4 Aug 2023 15:45:50 -0400
+Subject: [PATCH] QA: On command injection
+
+---
+ lib/snmp.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/snmp.php b/lib/snmp.php
+index d06dd8bc9..c9958b68c 100644
+--- a/lib/snmp.php
++++ b/lib/snmp.php
+@@ -938,7 +938,7 @@ function snmp_escape_string($string) {
+
+ return SNMP_ESCAPE_CHARACTER . $string . SNMP_ESCAPE_CHARACTER;
+ } else {
+- return cacti_escape_shell_arg($string);
++ return cacti_escapeshellarg($string);
+ }
+ }
+ }
+--
+2.42.0
+
diff -Nru cacti-1.2.16+ds1/debian/patches/CVE-2023-39364.patch cacti-1.2.16+ds1/debian/patches/CVE-2023-39364.patch
--- cacti-1.2.16+ds1/debian/patches/CVE-2023-39364.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.16+ds1/debian/patches/CVE-2023-39364.patch 2023-10-27 20:31:19.000000000 +0000
@@ -0,0 +1,34 @@
+From 05bf9dd89d056c7de9591396d92b25ddf140c0da Mon Sep 17 00:00:00 2001
+From: TheWitness
+Date: Fri, 4 Aug 2023 15:42:23 -0400
+Subject: [PATCH] Correct issue with Hijacking Reference URL
+
+---
+ auth_changepassword.php | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/auth_changepassword.php b/auth_changepassword.php
+index 5009ff5ef..c07da5e32 100644
+--- a/auth_changepassword.php
++++ b/auth_changepassword.php
+@@ -308,6 +308,17 @@ $secpass_tooltip .= $secpass_body;
+
+ $selectedTheme = get_selected_theme();
+
++if (isset_request_var('ref')) {
++ $server_ref = gethostbyname(parse_url(get_nfilter_request_var('ref'), PHP_URL_HOST));
++ $server_addr = $_SERVER['SERVER_ADDR'];
++
++ if ($server_ref != $server_addr) {
++ raise_message('problems_with_page', __('There are problems with the Change Password page. Contact your Cacti administrator right away.'), MESSAGE_LEVEL_ERROR);
++ header('Location:index.php');
++ exit;
++ }
++}
++
+ ?>
+
+
+--
+2.42.0
+
diff -Nru cacti-1.2.16+ds1/debian/patches/CVE-2023-39365.patch cacti-1.2.16+ds1/debian/patches/CVE-2023-39365.patch
--- cacti-1.2.16+ds1/debian/patches/CVE-2023-39365.patch 1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.16+ds1/debian/patches/CVE-2023-39365.patch 2023-10-27 20:31:19.000000000 +0000
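Review bot: The new check in auth_changepassword.php bounces any ref that has no host component: parse_url() returns null for a path-only value, gethostbyname() of that yields an empty string, and `'' != $_SERVER['SERVER_ADDR']` redirects to index.php, so a same-site relative ref no longer works. Comparing resolved addresses is also the wrong test in both directions: a name that happens to resolve to the server's address passes, while behind a reverse proxy or NAT the site's public name resolves to something other than SERVER_ADDR and legitimate users are bounced, and every request pays for a blocking DNS lookup on user input. Comparing the host string of the ref against the host this request was made to, and accepting host-less refs only when they are plain relative paths, avoids the lookup; the fragment below assumes a deployment where the Host header is trusted (set by the front proxy or a canonical name). Minor: `header('Location:index.php')` wants a space after the colon, and `!=` should be `!==`.
```php
if (isset_request_var('ref')) {
	$ref      = get_nfilter_request_var('ref');
	$parts    = parse_url($ref);
	$own_host = parse_url('//' . $_SERVER['HTTP_HOST'], PHP_URL_HOST);

	if (!is_array($parts)) {
		$ref_ok = false;
	} elseif (isset($parts['host'])) {
		// Absolute or protocol-relative ref: it must name the host this request was made to.
		$ref_ok = strcasecmp($parts['host'], (string) $own_host) === 0;
	} else {
		// Host-less ref: only a plain relative path (no scheme, not starting with // or /\) stays on this site.
		$ref_ok = !isset($parts['scheme']) && preg_match('#^/?[^/\\\\]#', $ref) === 1;
	}

	if (!$ref_ok) {
		// … unchanged: raise_message(...), header('Location: index.php'), exit …
	}
}
```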
@@ -0,0 +1,57 @@
+From f775c115e9d6e4b6a326eee682af8afebc43f20e Mon Sep 17 00:00:00 2001
+From: TheWitness
+Date: Sun, 4 Jun 2023 14:52:53 -0400
+Subject: [PATCH] Fixing #5348 - Issues with Regular Expression searches in
+ Cacti
+
+Unchecked Regular expressions can lead to privilege escalation and data leakage
+---
+ CHANGELOG | 1 +
+ lib/html_utility.php | 13 +
+ link.php | 4 +-
+ locales/po/cacti.pot | 1346 +++++++++++++++++++++--------------------
+ 4 files changed, 703 insertions(+), 661 deletions(-)
+
+diff --git a/lib/html_utility.php b/lib/html_utility.php
+index b92936f5a..0ea1f6a4a 100644
+--- a/lib/html_utility.php
++++ b/lib/html_utility.php
+@@ -857,6 +857,19 @@ function validate_is_regex($regex) {
+ return true;
+ }
+
++ /**
++ * Prevent exploits from encoded Regular expressions that can cause
++ * injections in MariaDB and MySQL. We do this by limiting the
++ * length of the regular expression to 50 bytes or less.
++ */
++ if (strlen($regex) > 50) {
++ return __('Cacti regular expressions are limited to 50 characters only for security reasons.');
++ }
++
++ if (strpos($regex, ';') !== false) {
++ return __('Cacti regular expressions can not includes the semi-color character.');
++ }
++
+ restore_error_handler();
+
+ $track_errors = ini_get('track_errors');
+diff --git a/link.php b/link.php
+index c528170f2..609335e53 100644
+--- a/link.php
++++ b/link.php
+@@ -76,12 +76,12 @@ if (!cacti_sizeof($page)) {
+ } else {
+ print '
'; + +- $file = $config['base_path'] . "/include/content/" . $page['contentfile']; ++ $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']); + + if (file_exists($file)) { + include_once($file); + } else { +- print '

The file \'' . $page['contentfile'] . '\' does not exist!!

'; ++ print '

The file \'' . html_escape($page['contentfile']) . '\' does not exist!!

'; + } + + print '
'; diff -Nru cacti-1.2.16+ds1/debian/patches/series cacti-1.2.16+ds1/debian/patches/series --- cacti-1.2.16+ds1/debian/patches/series 2022-12-08 08:50:14.000000000 +0000 +++ cacti-1.2.16+ds1/debian/patches/series 2023-10-27 20:31:19.000000000 +0000 @@ -7,3 +7,11 @@ 1386bdbf7f845a32e24ac9415f3ebb7932e77fe7.patch 8694bf28edad723585915a97b95fbf5b1816a02b.patch 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216.patch +CVE-2023-39357.patch +CVE-2023-39359.patch +CVE-2023-39361.patch +CVE-2023-39362_1.patch +CVE-2023-39362_2.patch +CVE-2023-39364.patch +CVE-2023-39365.patch +0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch
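Review bot: validate_is_regex() now signals rejection by returning a non-empty translated string, but the caller patched in CVE-2023-39361.patch tests it with `} elseif (validate_is_regex(get_request_var('rfilter'))) {`, and a non-empty string is truthy, so an over-long or semicolon-containing filter still takes the RLIKE branch unless every caller compares with `=== true` (the other callers are not visible here); the `return true;` just above the new block suggests the function was boolean before. In link.php, `str_replace('../', '', $page['contentfile'])` is a single pass rather than a path normalisation, since sequences that re-form `../` after one removal survive it; building the path from `basename($page['contentfile'])`, or checking that realpath($file) lies under the include/content directory before the include_once, is the usual fix. The rationale for rejecting `;` is not stated (it has no special meaning inside a MySQL REGEXP), and the message reads `can not includes the semi-color character` where `cannot include the semicolon character` is meant. validate_is_regex() continues outside the hunk.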