Version in base suite: 1.2.2+ds1-2+deb10u1

Base version: cacti_1.2.2+ds1-2+deb10u1
Target version: cacti_1.2.2+ds1-2+deb10u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cacti/cacti_1.2.2+ds1-2+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cacti/cacti_1.2.2+ds1-2+deb10u2.dsc

 changelog                    |   12 +++
 patches/CVE-2019-16723.patch |  154 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2019-17357.patch |   32 ++++++++
 patches/CVE-2019-17358.patch |   42 +++++++++++
 patches/series               |    3 
 5 files changed, 243 insertions(+)

diff -Nru cacti-1.2.2+ds1/debian/changelog cacti-1.2.2+ds1/debian/changelog
--- cacti-1.2.2+ds1/debian/changelog	2019-07-16 19:40:32.000000000 +0000
+++ cacti-1.2.2+ds1/debian/changelog	2019-12-29 18:53:28.000000000 +0000
@@ -1,3 +1,15 @@
+cacti (1.2.2+ds1-2+deb10u2) buster-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Acknowledgements to Paul Gevers!
+  * CVE-2019-17358: insufficient validation of form input leading to unsafe
+    unserialization operations and memory corruption (Closes: #947375).
+  * CVE-2019-17357: SQL injection vulnerability in graphs.php (Closes: #947374).
+  * CVE-2019-16723: Authentication bypass allows unprivileged users to view all
+    graphs (Closes: #941036).
+
+ -- Hugo Lefeuvre <hle@debian.org>  Sun, 29 Dec 2019 19:53:28 +0100
+
 cacti (1.2.2+ds1-2+deb10u1) buster; urgency=medium
 
   * Depends i.s.o. Recommends on php-gmp as this is now a requirement of
diff -Nru cacti-1.2.2+ds1/debian/patches/CVE-2019-16723.patch cacti-1.2.2+ds1/debian/patches/CVE-2019-16723.patch
--- cacti-1.2.2+ds1/debian/patches/CVE-2019-16723.patch	1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.2+ds1/debian/patches/CVE-2019-16723.patch	2019-12-29 18:53:28.000000000 +0000
@@ -0,0 +1,154 @@
+Description: fix authorization bypass with modified local_graph_id parameter
+ This patch addresses CVE-2019-16723. It is a combination of following upstream
+ patches:
+  + https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9c
+  + https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43
+  + https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f
+  + https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb5
+ Patches are left unchanged, just merged together, apart from the addition of
+ directories=no in graph.php which has nothing to do with security and was
+ omitted here.
+Author: cigamit <jimmy@sqmail.org>, ddb4github <jingchen328@gmail.com>, Hugo Lefeuvre <hle@debian.org>
+Bug: https://github.com/Cacti/cacti/issues/2964
+--- a/graph_image.php	2020-01-13 20:53:51.636352534 +0100
++++ b/graph_image.php	2020-01-13 20:53:51.628352595 +0100
+@@ -129,7 +129,8 @@
+ 	$rra_id = null;
+ }
+ 
+-$output = rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array);
++$null_param = array();
++$output = rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);
+ 
+ if ($output !== false && $output != '') {
+ 	/* flush the headers now */
+@@ -142,7 +143,8 @@
+ 
+ 	/* get the error string */
+ 	$graph_data_array['get_error'] = true;
+-	rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array);
++	$null_param = array();
++	rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);
+ 
+ 	$error = ob_get_contents();
+ 
+--- a/graph_json.php	2020-01-13 20:53:51.636352534 +0100
++++ b/graph_json.php	2020-01-13 20:53:51.632352564 +0100
+@@ -155,7 +155,8 @@
+ $graph_data_array['image_format'] = $gtype;
+ 
+ if ($config['poller_id'] == 1 || read_config_option('storage_location')) {
+-	$output = rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array);
++	$xport_meta = array();
++	$output = rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array, '', $xport_meta, $_SESSION['sess_user_id']);
+ 
+ 	ob_end_clean();
+ } else {
+@@ -217,7 +218,8 @@
+ 
+ 	$graph_data_array['get_error'] = true;
+ 
+-	rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array);
++	$null_param = array();
++	rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);
+ 
+ 	$error = ob_get_contents();
+ 
+--- a/graph.php	2020-01-13 20:53:51.636352534 +0100
++++ b/graph.php	2020-01-13 21:01:20.773002579 +0100
+@@ -532,10 +532,16 @@
+ 	print "<tr class='tableHeader'><td colspan='3' class='linkOverDark' style='font-weight:bold;'>" . __('RRDtool Graph Syntax') . "</td></tr>\n";
+ 	print "<tr><td><pre>\n";
+ 	print "<span class='textInfo'>" . __('RRDtool Command:') . "</span><br>";
+-	print @rrdtool_function_graph(get_request_var('local_graph_id'), get_request_var('rra_id'), $graph_data_array);
++
++	$null_param = array();
++	print @rrdtool_function_graph(get_request_var('local_graph_id'), get_request_var('rra_id'), $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);
+ 	unset($graph_data_array['print_source']);
+ 	print "<span class='textInfo'>" . __('RRDtool Says:') . "</span><br>";
+-	print @rrdtool_function_graph(get_request_var('local_graph_id'), get_request_var('rra_id'), $graph_data_array);
++ 	if ($config['poller_id'] == 1) {
++		print @rrdtool_function_graph(get_request_var('local_graph_id'), get_request_var('rra_id'), $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);
++ 	} else {
++ 		print __esc('Not Checked');
++ 	}
+ 	print "</pre></td></tr>\n";
+ 	print "</table></td></tr></table>\n";
+ 	exit;
+--- a/graphs.php	2020-01-13 20:53:51.636352534 +0100
++++ b/graphs.php	2020-01-13 20:53:51.632352564 +0100
+@@ -1538,15 +1538,17 @@
+ 			$graph_data_array['print_source'] = 1;
+ 			$graph_data_array['graph_end']    = $graph_end;
+ 			$graph_data_array['graph_start']  = $graph_start;
++
++			$null_param = array();
+ 		?>
+ 		</div>
+ 		<div class='cactiTable'>
+ 			<div style='float:left'>
+ 				<span class='textInfo'><?php print __('RRDtool Command:');?></span><br>
+-				<pre><?php print @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array);?></pre>
++				<pre><?php print @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);?></pre>
+ 				<span class='textInfo'><?php print __('RRDtool Says:');?></span><br>
+ 				<?php unset($graph_data_array['print_source']);?>
+-				<pre><?php print @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array);?></pre>
++				<pre><?php print ($config['poller_id'] == 1 ? @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array, '', $null_param, $_SESSION['sess_user_id']):__esc('Not Checked'));?></pre>
+ 			</div>
+ 		<?php
+ 		}
+--- a/graph_xport.php	2020-01-13 20:53:51.636352534 +0100
++++ b/graph_xport.php	2020-01-13 20:53:51.632352564 +0100
+@@ -89,7 +89,7 @@
+ $graph_data_array['export_csv'] = true;
+ 
+ /* Get graph export */
+-$xport_array = rrdtool_function_xport(get_request_var('local_graph_id'), get_request_var('rra_id'), $graph_data_array, $xport_meta);
++$xport_array = rrdtool_function_xport(get_request_var('local_graph_id'), get_request_var('rra_id'), $graph_data_array, $xport_meta, $_SESSION['sess_user_id']);
+ 
+ /* Make graph title the suggested file name */
+ if (is_array($xport_array['meta'])) {
+--- a/lib/rrd.php	2020-01-13 20:53:51.636352534 +0100
++++ b/lib/rrd.php	2020-01-13 20:53:51.632352564 +0100
+@@ -2245,8 +2245,8 @@
+ 	return str_replace(array('"', ":", '%'), array('\"', "\:", ''), $text);
+ }
+ 
+-function rrdtool_function_xport($local_graph_id, $rra_id, $xport_data_array, &$xport_meta) {
+-	return rrdtool_function_graph($local_graph_id, $rra_id, $xport_data_array, '', $xport_meta);
++function rrdtool_function_xport($local_graph_id, $rra_id, $xport_data_array, &$xport_meta, $user = 0) {
++	return rrdtool_function_graph($local_graph_id, $rra_id, $xport_data_array, null, $xport_meta, $user);
+ }
+ 
+ function rrdtool_function_format_graph_date(&$graph_data_array) {
+--- a/aggregate_graphs.php	2020-01-13 20:53:51.636352534 +0100
++++ b/aggregate_graphs.php	2020-01-13 20:53:51.632352564 +0100
+@@ -709,12 +709,13 @@
+ 		if (isset($_SESSION['graph_debug_mode']) && isset_request_var('id')) {
+ 			$graph_data_array['output_flag'] = RRDTOOL_OUTPUT_STDERR;
+ 			$graph_data_array['print_source'] = 1;
++			$null_param = array();
+ 			?>
+ 			<tr><td id='rrdtoolinfo' class='left' style='padding-left:15px;max-width:900px;overflow:scroll'>
+ 				<div style='overflow:auto;'>
+ 					<span class='textInfo'><?php print __('RRDtool Command:');?></span><br>
+-					<?php print @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array);?>
+-					<span class='textInfo'><?php print __('RRDtool Says:');?></span><br><?php unset($graph_data_array['print_source']);?><pre class='monoSpace tableRow left'><?php print @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array);?></pre>
++					<?php print @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);?>
++					<span class='textInfo'><?php print __('RRDtool Says:');?></span><br><?php unset($graph_data_array['print_source']);?><pre class='monoSpace tableRow left'><?php print ($config['poller_id'] == 1 ? @rrdtool_function_graph(get_request_var('id'), 1, $graph_data_array, '', $null_param, $_SESSION['sess_user_id']):__esc('Not Checked'));?></pre>
+ 				</div>
+ 				<script type='text/javascript'>
+ 				$(function() {
+--- a/graph_realtime.php	2020-01-13 20:53:51.636352534 +0100
++++ b/graph_realtime.php	2020-01-13 20:53:51.632352564 +0100
+@@ -174,8 +174,9 @@
+ 	/* construct the image name  */
+ 	$graph_data_array['export_realtime'] = $graph_rrd;
+ 	$graph_data_array['output_flag']     = RRDTOOL_OUTPUT_GRAPH_DATA;
++	$null_param = array();
+ 
+-	rrdtool_function_graph(get_request_var('local_graph_id'), '', $graph_data_array);
++	rrdtool_function_graph(get_request_var('local_graph_id'), '', $graph_data_array, '', $null_param, $_SESSION['sess_user_id']);
+ 
+ 	if (file_exists($graph_rrd)) {
+ 		$data = base64_encode(file_get_contents($graph_rrd));
diff -Nru cacti-1.2.2+ds1/debian/patches/CVE-2019-17357.patch cacti-1.2.2+ds1/debian/patches/CVE-2019-17357.patch
--- cacti-1.2.2+ds1/debian/patches/CVE-2019-17357.patch	1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.2+ds1/debian/patches/CVE-2019-17357.patch	2019-12-29 18:53:28.000000000 +0000
@@ -0,0 +1,32 @@
+From d6dc48503bbcde0717e7a93df7638fd4796200f4 Mon Sep 17 00:00:00 2001
+From: cigamit <jimmy@sqmail.org>
+Date: Sat, 12 Oct 2019 14:48:02 -0500
+Subject: [PATCH] Resolving Issue #3025
+
+SQL Injection in graphs.php
+---
+ CHANGELOG  | 1 +
+ graphs.php | 8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/graphs.php	2019-12-29 19:59:58.513887167 +0100
++++ b/graphs.php	2019-12-29 19:59:58.513887167 +0100
+@@ -1929,13 +1929,15 @@
+ 	if (get_request_var('template_id') == '-1') {
+ 		/* Show all items */
+ 	} elseif (get_request_var('template_id') == '0') {
+-		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' gtg.graph_template_id=0';
++		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' gtg.graph_template_id = 0';
+ 	} elseif (!isempty_request_var('template_id')) {
+ 		$parts = explode('_', get_request_var('template_id'));
+ 		if ($parts[0] == 'cg') {
+-			$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' gl.graph_template_id=' . $parts[1];
++			input_validate_input_number($parts[1]);
++			$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' gl.graph_template_id = ' . $parts[1];
+ 		} else {
+-			$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' gl.snmp_query_graph_id=' . $parts[1];
++			input_validate_input_number($parts[1]);
++			$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' gl.snmp_query_graph_id = ' . $parts[1];
+ 		}
+ 	}
+ 
diff -Nru cacti-1.2.2+ds1/debian/patches/CVE-2019-17358.patch cacti-1.2.2+ds1/debian/patches/CVE-2019-17358.patch
--- cacti-1.2.2+ds1/debian/patches/CVE-2019-17358.patch	1970-01-01 00:00:00.000000000 +0000
+++ cacti-1.2.2+ds1/debian/patches/CVE-2019-17358.patch	2019-12-29 18:53:28.000000000 +0000
@@ -0,0 +1,42 @@
+From adf221344359f5b02b8aed43dfb6b33ae5d708c8 Mon Sep 17 00:00:00 2001
+From: cigamit <jimmy@sqmail.org>
+Date: Sat, 12 Oct 2019 14:56:43 -0500
+Subject: [PATCH] Resoving Issue #3026
+
+Unsafe deserialization in of selected objects in Cacti
+---
+ lib/functions.php | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/lib/functions.php	2019-12-29 20:00:15.801538558 +0100
++++ b/lib/functions.php	2019-12-29 20:00:15.797539385 +0100
+@@ -3032,15 +3032,22 @@
+  */
+ function sanitize_unserialize_selected_items($items) {
+ 	if ($items != '') {
+-		$items = unserialize(stripslashes($items));
++		$unstripped = stripslashes($items);
+ 
+-		if (is_array($items)) {
+-			foreach ($items as $item) {
+-				if (is_array($item)) {
+-					return false;
+-				} elseif (!is_numeric($item) && ($item != '')) {
+-					return false;
++		// validate that sanitized string is correctly formatted
++		if (preg_match('/^a:[0-9]+:{/', $unstripped) && !preg_match('/(^|;|{|})O:\+?[0-9]+:"/', $unstripped)) {
++			$items = unserialize($unstripped);
++
++			if (is_array($items)) {
++				foreach ($items as $item) {
++					if (is_array($item)) {
++						return false;
++					} elseif (!is_numeric($item) && ($item != '')) {
++						return false;
++					}
+ 				}
++			} else {
++				return false;
+ 			}
+ 		} else {
+ 			return false;
diff -Nru cacti-1.2.2+ds1/debian/patches/series cacti-1.2.2+ds1/debian/patches/series
--- cacti-1.2.2+ds1/debian/patches/series	2019-07-16 19:38:38.000000000 +0000
+++ cacti-1.2.2+ds1/debian/patches/series	2019-12-29 18:53:28.000000000 +0000
@@ -5,3 +5,6 @@
 0001-Resolving-Issue-2581.patch
 0001-Resolving-issue-2474.patch
 0001-Resolving-issue-2482.patch
+CVE-2019-17357.patch
+CVE-2019-17358.patch
+CVE-2019-16723.patch