[gentoo-commits] repo/gentoo:master commit in: net-analyzer/cacti/, net-analyzer/cacti/files/ - gentoo-commits

From:	Jeroen Roovers <jer@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-analyzer/cacti/, net-analyzer/cacti/files/
Date:	Tue, 02 Feb 2016 05:11:17
Message-Id:	`1454389843.aa240655c683eb070932a40e3b0773be307603bf.jer@gentoo`

1

commit:     aa240655c683eb070932a40e3b0773be307603bf

2

Author:     Jeroen Roovers <jer <AT> gentoo <DOT> org>

3

AuthorDate: Tue Feb  2 05:10:43 2016 +0000

4

Commit:     Jeroen Roovers <jer <AT> gentoo <DOT> org>

5

CommitDate: Tue Feb  2 05:10:43 2016 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa240655

7

8

net-analyzer/cacti: Add upstream patch for CVE-2015-8369 (bug #568400).

9

10

Package-Manager: portage-2.2.27

11

12

 net-analyzer/cacti/cacti-0.8.8f-r1.ebuild          |  62 +++++++

13

 .../cacti/files/cacti-0.8.8f-CVE-2015-8369.patch   | 204 +++++++++++++++++++++

14

 2 files changed, 266 insertions(+)

15

16

diff --git a/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild

17

new file mode 100644

18

index 0000000..782f241

19

--- /dev/null

20

+++ b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild

21

@@ -0,0 +1,62 @@

22

+# Copyright 1999-2016 Gentoo Foundation

23

+# Distributed under the terms of the GNU General Public License v2

24

+# $Id$

25

+

26

+EAPI=5

27

+

28

+inherit eutils webapp

29

+

30

+# Support for _p* in version.

31

+MY_P=${P/_p*/}

32

+

33

+DESCRIPTION="Cacti is a complete frontend to rrdtool"

34

+HOMEPAGE="http://www.cacti.net/"

35

+SRC_URI="http://www.cacti.net/downloads/${MY_P}.tar.gz"

36

+

37

+LICENSE="GPL-2"

38

+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"

39

+IUSE="snmp doc"

40

+

41

+need_httpd

42

+

43

+RDEPEND="

44

+	dev-lang/php[cli,mysql,session,sockets,xml]

45

+	dev-php/adodb

46

+	net-analyzer/rrdtool[graph]

47

+	virtual/cron

48

+	virtual/mysql

49

+	snmp? ( >=net-analyzer/net-snmp-5.2.0 )

50

+"

51

+

52

+src_prepare() {

53

+	epatch "${FILESDIR}"/${P}-CVE-2015-8369.patch

54

+

55

+	sed -i -e \

56

+		's:$config\["library_path"\] . "/adodb/adodb.inc.php":"adodb/adodb.inc.php":' \

57

+		"${S}"/include/global.php || die

58

+

59

+	rm -rf lib/adodb || die # don't use bundled adodb

60

+}

61

+

62

+src_compile() { :; }

63

+

64

+src_install() {

65

+	webapp_src_preinst

66

+

67

+	rm LICENSE README || die

68

+	dodoc docs/{CHANGELOG,CONTRIB,README,txt/manual.txt}

69

+	use doc && dohtml -r docs/html/

70

+	rm -rf docs

71

+

72

+	edos2unix `find -type f -name '*.php'`

73

+

74

+	dodir ${MY_HTDOCSDIR}

75

+	cp -r . "${D}"${MY_HTDOCSDIR}

76

+

77

+	webapp_serverowned ${MY_HTDOCSDIR}/rra

78

+	webapp_serverowned ${MY_HTDOCSDIR}/log/cacti.log

79

+	webapp_configfile ${MY_HTDOCSDIR}/include/config.php

80

+	webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt

81

+

82

+	webapp_src_install

83

+}

84

85

diff --git a/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch

86

new file mode 100644

87

index 0000000..2019a61

88

--- /dev/null

89

+++ b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch

90

@@ -0,0 +1,204 @@

91

+--- a/graph.php

92

++++ b/graph.php

93

+@@ -32,43 +32,43 @@

94

+

95

+ api_plugin_hook_function('graph');

96

+

97

+-include_once("./lib/html_tree.php");

98

+-include_once("./include/top_graph_header.php");

99

+-

100

+ /* ================= input validation ================= */

101

+-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");

102

+-input_validate_input_number(get_request_var("local_graph_id"));

103

+-input_validate_input_number(get_request_var("graph_end"));

104

+-input_validate_input_number(get_request_var("graph_start"));

105

++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");

106

++input_validate_input_number(get_request_var_request("local_graph_id"));

107

++input_validate_input_number(get_request_var_request("graph_end"));

108

++input_validate_input_number(get_request_var_request("graph_start"));

109

+ input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");

110

+ /* ==================================================== */

111

+

112

+-if (!isset($_GET['rra_id'])) {

113

+-	$_GET['rra_id'] = 'all';

114

++include_once("./lib/html_tree.php");

115

++include_once("./include/top_graph_header.php");

116

++

117

++if (!isset($_REQUEST['rra_id'])) {

118

++	$_REQUEST['rra_id'] = 'all';

119

+ }

120

+

121

+-if ($_GET["rra_id"] == "all") {

122

++if ($_REQUEST["rra_id"] == "all") {

123

+ 	$sql_where = " where id is not null";

124

+ }else{

125

+-	$sql_where = " where id=" . $_GET["rra_id"];

126

++	$sql_where = " where id=" . $_REQUEST["rra_id"];

127

+ }

128

+

129

+ /* make sure the graph requested exists (sanity) */

130

+-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) {

131

++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) {

132

+ 	print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>"; exit;

133

+ }

134

+

135

+ /* take graph permissions into account here, if the user does not have permission

136

+ give an "access denied" message */

137

+ if (read_config_option("auth_method") != 0) {

138

+-	$access_denied = !(is_graph_allowed($_GET["local_graph_id"]));

139

++	$access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"]));

140

+

141

+ 	if ($access_denied == true) {

142

+ 		print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>"; exit;

143

+ 	}

144

+ }

145

+

146

+-$graph_title = get_graph_title($_GET["local_graph_id"]);

147

++$graph_title = get_graph_title($_REQUEST["local_graph_id"]);

148

+

149

+ if ($_REQUEST["view_type"] == "tree") {

150

+ 	print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>";

151

+@@ -76,15 +76,15 @@

152

+ 	print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>";

153

+ }

154

+

155

+-$rras = get_associated_rras($_GET["local_graph_id"]);

156

++$rras = get_associated_rras($_REQUEST["local_graph_id"]);

157

+

158

+ switch ($_REQUEST["action"]) {

159

+ case 'view':

160

+ 	api_plugin_hook_function('page_buttons',

161

+-		array('lgid' => $_GET["local_graph_id"],

162

++		array('lgid' => $_REQUEST["local_graph_id"],

163

+ 			'leafid' => '',//$leaf_id,

164

+ 			'mode' => 'mrtg',

165

+-			'rraid' => $_GET["rra_id"])

166

++			'rraid' => $_REQUEST["rra_id"])

167

+ 		);

168

+ 	?>

169

+ 	<tr class='tableHeader'>

170

+@@ -105,13 +105,13 @@

171

+ 					<table width='1' cellpadding='0'>

172

+ 						<tr>

173

+ 							<td>

174

+-								<img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>

175

++								<img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>

176

+ 							</td>

177

+ 							<td valign='top' style='padding: 3px;' class='noprint'>

178

+-								<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>

179

+-								<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] .  "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>

180

+-								<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] .  "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>

181

+-								<?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>

182

++								<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>

183

++								<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] .  "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>

184

++								<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] .  "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>

185

++								<?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>

186

+ 								<a href='#page_top'><img src='<?php print $config['url_path']; ?>images/graph_page_top.gif' border='0' alt='Page Top' title='Page Top' style='padding: 3px;'></a><br>

187

+ 							</td>

188

+ 						</tr>

189

+@@ -143,7 +143,7 @@

190

+ 	}

191

+

192

+ 	/* fetch information for the current RRA */

193

+-	$rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]);

194

++	$rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]);

195

+

196

+ 	/* define the time span, which decides which rra to use */

197

+ 	$timespan = -($rra["timespan"]);

198

+@@ -154,24 +154,24 @@

199

+ 		FROM (data_template_data,data_template_rrd,graph_templates_item)

200

+ 		WHERE graph_templates_item.task_item_id=data_template_rrd.id

201

+ 		AND data_template_rrd.local_data_id=data_template_data.local_data_id

202

+-		AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] .

203

++		AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] .

204

+ 		" LIMIT 0,1");

205

+ 	$ds_step = empty($ds_step) ? 300 : $ds_step;

206

+ 	$seconds_between_graph_updates = ($ds_step * $rra["steps"]);

207

+

208

+ 	$now = time();

209

+

210

+-	if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) {

211

+-		$graph_end = $_GET["graph_end"];

212

++	if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {

213

++		$graph_end = $_REQUEST["graph_end"];

214

+ 	}else{

215

+ 		$graph_end = $now - $seconds_between_graph_updates;

216

+ 	}

217

+

218

+-	if (isset($_GET["graph_start"])) {

219

+-		if (($graph_end - $_GET["graph_start"])>$max_timespan) {

220

++	if (isset($_REQUEST["graph_start"])) {

221

++		if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) {

222

+ 			$graph_start = $now - $max_timespan;

223

+ 		}else {

224

+-			$graph_start = $_GET["graph_start"];

225

++			$graph_start = $_REQUEST["graph_start"];

226

+ 		}

227

+ 	}else{

228

+ 		$graph_start = $now + $timespan;

229

+@@ -186,7 +186,7 @@

230

+ 		graph_templates_graph.height,

231

+ 		graph_templates_graph.width

232

+ 		from graph_templates_graph

233

+-		where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]);

234

++		where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]);

235

+

236

+ 	$graph_height = $graph["height"];

237

+ 	$graph_width = $graph["width"];

238

+@@ -214,12 +214,12 @@

239

+ 			<table width='1' cellpadding='0'>

240

+ 				<tr>

241

+ 					<td>

242

+-						<img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>

243

++						<img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>

244

+ 					</td>

245

+ 					<td valign='top' style='padding: 3px;' class='noprint'>

246

+-						<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>

247

+-						<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>

248

+-						<?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_GET['local_graph_id'], 'rra' =>  $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>

249

++						<a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>

250

++						<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>

251

++						<?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' =>  $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>

252

+ 					</td>

253

+ 				</tr>

254

+ 				<tr>

255

+@@ -249,17 +249,17 @@

256

+ 			<table width='1' cellpadding='0'>

257

+ 				<tr>

258

+ 					<td>

259

+-						<img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>

260

++						<img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>

261

+ 					</td>

262

+ 					<td valign='top' style='padding: 3px;'>

263

+-						<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>

264

+-						<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>

265

+-						<?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_GET['local_graph_id'], 'rra' =>  $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>

266

++						<a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>

267

++						<a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>

268

++						<?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' =>  $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>

269

+ 					</td>

270

+ 				</tr>

271

+ 				<tr>

272

+ 					<td colspan='2' align='center'>

273

+-						<strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong>

274

++						<strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong>

275

+ 					</td>

276

+ 				</tr>

277

+ 			</table>

278

+--- a/include/top_graph_header.php

279

++++ b/include/top_graph_header.php

280

+@@ -146,12 +146,12 @@

281

+ 			$graph_data_array["print_source"] = true;

282

+

283

+ 			/* override: graph start time (unix time) */

284

+-			if (!empty($_GET["graph_start"])) {

285

++			if (!empty($_REQUEST["graph_start"])) {

286

+ 				$graph_data_array["graph_start"] = get_request_var_request("graph_start");

287

+ 			}

288

+

289

+ 			/* override: graph end time (unix time) */

290

+-			if (!empty($_GET["graph_end"])) {

291

++			if (!empty($_REQUEST["graph_end"])) {

292

+ 				$graph_data_array["graph_end"] = get_request_var_request("graph_end");

293

+ 			}

294

+

1	commit: aa240655c683eb070932a40e3b0773be307603bf
2	Author: Jeroen Roovers <jer <AT> gentoo <DOT> org>
3	AuthorDate: Tue Feb 2 05:10:43 2016 +0000
4	Commit: Jeroen Roovers <jer <AT> gentoo <DOT> org>
5	CommitDate: Tue Feb 2 05:10:43 2016 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa240655
7
8	net-analyzer/cacti: Add upstream patch for CVE-2015-8369 (bug #568400).
9
10	Package-Manager: portage-2.2.27
11
12	net-analyzer/cacti/cacti-0.8.8f-r1.ebuild \| 62 +++++++
13	.../cacti/files/cacti-0.8.8f-CVE-2015-8369.patch \| 204 +++++++++++++++++++++
14	2 files changed, 266 insertions(+)
15
16	diff --git a/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild
17	new file mode 100644
18	index 0000000..782f241
19	--- /dev/null
20	+++ b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild
21	@@ -0,0 +1,62 @@
22	+# Copyright 1999-2016 Gentoo Foundation
23	+# Distributed under the terms of the GNU General Public License v2
24	+# $Id$
25	+
26	+EAPI=5
27	+
28	+inherit eutils webapp
29	+
30	+# Support for _p* in version.
31	+MY_P=${P/_p*/}
32	+
33	+DESCRIPTION="Cacti is a complete frontend to rrdtool"
34	+HOMEPAGE="http://www.cacti.net/"
35	+SRC_URI="http://www.cacti.net/downloads/${MY_P}.tar.gz"
36	+
37	+LICENSE="GPL-2"
38	+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
39	+IUSE="snmp doc"
40	+
41	+need_httpd
42	+
43	+RDEPEND="
44	+ dev-lang/php[cli,mysql,session,sockets,xml]
45	+ dev-php/adodb
46	+ net-analyzer/rrdtool[graph]
47	+ virtual/cron
48	+ virtual/mysql
49	+ snmp? ( >=net-analyzer/net-snmp-5.2.0 )
50	+"
51	+
52	+src_prepare() {
53	+ epatch "${FILESDIR}"/${P}-CVE-2015-8369.patch
54	+
55	+ sed -i -e \
56	+ 's:$config\["library_path"\] . "/adodb/adodb.inc.php":"adodb/adodb.inc.php":' \
57	+ "${S}"/include/global.php \|\| die
58	+
59	+ rm -rf lib/adodb \|\| die # don't use bundled adodb
60	+}
61	+
62	+src_compile() { :; }
63	+
64	+src_install() {
65	+ webapp_src_preinst
66	+
67	+ rm LICENSE README \|\| die
68	+ dodoc docs/{CHANGELOG,CONTRIB,README,txt/manual.txt}
69	+ use doc && dohtml -r docs/html/
70	+ rm -rf docs
71	+
72	+ edos2unix `find -type f -name '*.php'`
73	+
74	+ dodir ${MY_HTDOCSDIR}
75	+ cp -r . "${D}"${MY_HTDOCSDIR}
76	+
77	+ webapp_serverowned ${MY_HTDOCSDIR}/rra
78	+ webapp_serverowned ${MY_HTDOCSDIR}/log/cacti.log
79	+ webapp_configfile ${MY_HTDOCSDIR}/include/config.php
80	+ webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
81	+
82	+ webapp_src_install
83	+}
84
85	diff --git a/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
86	new file mode 100644
87	index 0000000..2019a61
88	--- /dev/null
89	+++ b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
90	@@ -0,0 +1,204 @@
91	+--- a/graph.php
92	++++ b/graph.php
93	+@@ -32,43 +32,43 @@
94	+
95	+ api_plugin_hook_function('graph');
96	+
97	+-include_once("./lib/html_tree.php");
98	+-include_once("./include/top_graph_header.php");
99	+-
100	+ /* ================= input validation ================= */
101	+-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+\|all)$");
102	+-input_validate_input_number(get_request_var("local_graph_id"));
103	+-input_validate_input_number(get_request_var("graph_end"));
104	+-input_validate_input_number(get_request_var("graph_start"));
105	++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+\|all)$");
106	++input_validate_input_number(get_request_var_request("local_graph_id"));
107	++input_validate_input_number(get_request_var_request("graph_end"));
108	++input_validate_input_number(get_request_var_request("graph_start"));
109	+ input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
110	+ /* ==================================================== */
111	+
112	+-if (!isset($_GET['rra_id'])) {
113	+- $_GET['rra_id'] = 'all';
114	++include_once("./lib/html_tree.php");
115	++include_once("./include/top_graph_header.php");
116	++
117	++if (!isset($_REQUEST['rra_id'])) {
118	++ $_REQUEST['rra_id'] = 'all';
119	+ }
120	+
121	+-if ($_GET["rra_id"] == "all") {
122	++if ($_REQUEST["rra_id"] == "all") {
123	+ $sql_where = " where id is not null";
124	+ }else{
125	+- $sql_where = " where id=" . $_GET["rra_id"];
126	++ $sql_where = " where id=" . $_REQUEST["rra_id"];
127	+ }
128	+
129	+ /* make sure the graph requested exists (sanity) */
130	+-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) {
131	++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) {
132	+ print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>"; exit;
133	+ }
134	+
135	+ /* take graph permissions into account here, if the user does not have permission
136	+ give an "access denied" message */
137	+ if (read_config_option("auth_method") != 0) {
138	+- $access_denied = !(is_graph_allowed($_GET["local_graph_id"]));
139	++ $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"]));
140	+
141	+ if ($access_denied == true) {
142	+ print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>"; exit;
143	+ }
144	+ }
145	+
146	+-$graph_title = get_graph_title($_GET["local_graph_id"]);
147	++$graph_title = get_graph_title($_REQUEST["local_graph_id"]);
148	+
149	+ if ($_REQUEST["view_type"] == "tree") {
150	+ print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>";
151	+@@ -76,15 +76,15 @@
152	+ print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>";
153	+ }
154	+
155	+-$rras = get_associated_rras($_GET["local_graph_id"]);
156	++$rras = get_associated_rras($_REQUEST["local_graph_id"]);
157	+
158	+ switch ($_REQUEST["action"]) {
159	+ case 'view':
160	+ api_plugin_hook_function('page_buttons',
161	+- array('lgid' => $_GET["local_graph_id"],
162	++ array('lgid' => $_REQUEST["local_graph_id"],
163	+ 'leafid' => '',//$leaf_id,
164	+ 'mode' => 'mrtg',
165	+- 'rraid' => $_GET["rra_id"])
166	++ 'rraid' => $_REQUEST["rra_id"])
167	+ );
168	+ ?>
169	+ <tr class='tableHeader'>
170	+@@ -105,13 +105,13 @@
171	+ <table width='1' cellpadding='0'>
172	+ <tr>
173	+ <td>
174	+- <img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
175	++ <img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
176	+ </td>
177	+ <td valign='top' style='padding: 3px;' class='noprint'>
178	+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
179	+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
180	+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
181	+- <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
182	++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
183	++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
184	++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
185	++ <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
186	+ <a href='#page_top'><img src='<?php print $config['url_path']; ?>images/graph_page_top.gif' border='0' alt='Page Top' title='Page Top' style='padding: 3px;'></a><br>
187	+ </td>
188	+ </tr>
189	+@@ -143,7 +143,7 @@
190	+ }
191	+
192	+ /* fetch information for the current RRA */
193	+- $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]);
194	++ $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]);
195	+
196	+ /* define the time span, which decides which rra to use */
197	+ $timespan = -($rra["timespan"]);
198	+@@ -154,24 +154,24 @@
199	+ FROM (data_template_data,data_template_rrd,graph_templates_item)
200	+ WHERE graph_templates_item.task_item_id=data_template_rrd.id
201	+ AND data_template_rrd.local_data_id=data_template_data.local_data_id
202	+- AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] .
203	++ AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] .
204	+ " LIMIT 0,1");
205	+ $ds_step = empty($ds_step) ? 300 : $ds_step;
206	+ $seconds_between_graph_updates = ($ds_step * $rra["steps"]);
207	+
208	+ $now = time();
209	+
210	+- if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) {
211	+- $graph_end = $_GET["graph_end"];
212	++ if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {
213	++ $graph_end = $_REQUEST["graph_end"];
214	+ }else{
215	+ $graph_end = $now - $seconds_between_graph_updates;
216	+ }
217	+
218	+- if (isset($_GET["graph_start"])) {
219	+- if (($graph_end - $_GET["graph_start"])>$max_timespan) {
220	++ if (isset($_REQUEST["graph_start"])) {
221	++ if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) {
222	+ $graph_start = $now - $max_timespan;
223	+ }else {
224	+- $graph_start = $_GET["graph_start"];
225	++ $graph_start = $_REQUEST["graph_start"];
226	+ }
227	+ }else{
228	+ $graph_start = $now + $timespan;
229	+@@ -186,7 +186,7 @@
230	+ graph_templates_graph.height,
231	+ graph_templates_graph.width
232	+ from graph_templates_graph
233	+- where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]);
234	++ where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]);
235	+
236	+ $graph_height = $graph["height"];
237	+ $graph_width = $graph["width"];
238	+@@ -214,12 +214,12 @@
239	+ <table width='1' cellpadding='0'>
240	+ <tr>
241	+ <td>
242	+- <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
243	++ <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
244	+ </td>
245	+ <td valign='top' style='padding: 3px;' class='noprint'>
246	+- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
247	+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
248	+- <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
249	++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
250	++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
251	++ <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
252	+ </td>
253	+ </tr>
254	+ <tr>
255	+@@ -249,17 +249,17 @@
256	+ <table width='1' cellpadding='0'>
257	+ <tr>
258	+ <td>
259	+- <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
260	++ <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
261	+ </td>
262	+ <td valign='top' style='padding: 3px;'>
263	+- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
264	+- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
265	+- <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
266	++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
267	++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
268	++ <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
269	+ </td>
270	+ </tr>
271	+ <tr>
272	+ <td colspan='2' align='center'>
273	+- <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong>
274	++ <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong>
275	+ </td>
276	+ </tr>
277	+ </table>
278	+--- a/include/top_graph_header.php
279	++++ b/include/top_graph_header.php
280	+@@ -146,12 +146,12 @@
281	+ $graph_data_array["print_source"] = true;
282	+
283	+ /* override: graph start time (unix time) */
284	+- if (!empty($_GET["graph_start"])) {
285	++ if (!empty($_REQUEST["graph_start"])) {
286	+ $graph_data_array["graph_start"] = get_request_var_request("graph_start");
287	+ }
288	+
289	+ /* override: graph end time (unix time) */
290	+- if (!empty($_GET["graph_end"])) {
291	++ if (!empty($_REQUEST["graph_end"])) {
292	+ $graph_data_array["graph_end"] = get_request_var_request("graph_end");
293	+ }
294	+

Gentoo Archives: gentoo-commits