
From: Jeroen Roovers <jer@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/cacti/, net-analyzer/cacti/files/
Date: Tue, 02 Feb 2016 05:11:17
Message-Id: 1454389843.aa240655c683eb070932a40e3b0773be307603bf.jer@gentoo
1 commit: aa240655c683eb070932a40e3b0773be307603bf
2 Author: Jeroen Roovers <jer <AT> gentoo <DOT> org>
3 AuthorDate: Tue Feb 2 05:10:43 2016 +0000
4 Commit: Jeroen Roovers <jer <AT> gentoo <DOT> org>
5 CommitDate: Tue Feb 2 05:10:43 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa240655
7
8 net-analyzer/cacti: Add upstream patch for CVE-2015-8369 (bug #568400).
9
10 Package-Manager: portage-2.2.27
11
12 net-analyzer/cacti/cacti-0.8.8f-r1.ebuild | 62 +++++++
13 .../cacti/files/cacti-0.8.8f-CVE-2015-8369.patch | 204 +++++++++++++++++++++
14 2 files changed, 266 insertions(+)
15
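--- /dev/null
+++ b/net-analyzer/cacti/cacti-0.8.8f-r1.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils webapp
+
+# Support for _p* in version.
+MY_P=${P/_p*/}
+
+DESCRIPTION="Cacti is a complete frontend to rrdtool"
+HOMEPAGE="http://www.cacti.net/"
+SRC_URI="http://www.cacti.net/downloads/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="snmp doc"
+
+need_httpd
+
+RDEPEND="
+ dev-lang/php[cli,mysql,session,sockets,xml]
+ dev-php/adodb
+ net-analyzer/rrdtool[graph]
+ virtual/cron
+ virtual/mysql
+ snmp? ( >=net-analyzer/net-snmp-5.2.0 )
+"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2015-8369.patch
+
+ sed -i -e \
+ 's:$config\["library_path"\] . "/adodb/adodb.inc.php":"adodb/adodb.inc.php":' \
+ "${S}"/include/global.php || die
+
+ rm -rf lib/adodb || die # don't use bundled adodb
+}
+
+src_compile() { :; }
+
+src_install() {
+ webapp_src_preinst
+
+ rm LICENSE README || die
+ dodoc docs/{CHANGELOG,CONTRIB,README,txt/manual.txt}
+ use doc && dohtml -r docs/html/
+ rm -rf docs
+
+ edos2unix `find -type f -name '*.php'`
+
+ dodir ${MY_HTDOCSDIR}
+ cp -r . "${D}"${MY_HTDOCSDIR}
+
+ webapp_serverowned ${MY_HTDOCSDIR}/rra
+ webapp_serverowned ${MY_HTDOCSDIR}/log/cacti.log
+ webapp_configfile ${MY_HTDOCSDIR}/include/config.php
+ webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
+
+ webapp_src_install
+}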
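Review bot: `rm -rf docs` in src_install runs without `|| die`, unlike the `rm LICENSE README || die` and `rm -rf lib/adodb || die` calls around it, so a failed removal would silently leave the docs tree to be copied into the image by the following `cp -r .`; suggest `rm -rf docs || die`. In the same function `dodir ${MY_HTDOCSDIR}`, `cp -r . "${D}"${MY_HTDOCSDIR}` and the webapp_* calls leave `${MY_HTDOCSDIR}` unquoted, and `edos2unix` is fed the unquoted output of a backtick `find`, which word-splits on any path containing whitespace; `find . -type f -name '*.php' -exec edos2unix {} +` would avoid that. The `epatch` line is the only place the new CVE-2015-8369 patch is referenced, so a short comment naming the bug it closes (`# bug #568400`) would help the next bump.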
85 diff --git a/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
86 new file mode 100644
87 index 0000000..2019a61
88 --- /dev/null
89 +++ b/net-analyzer/cacti/files/cacti-0.8.8f-CVE-2015-8369.patch
90 @@ -0,0 +1,204 @@
91 +--- a/graph.php
92 ++++ b/graph.php
93 +@@ -32,43 +32,43 @@
94 +
95 + api_plugin_hook_function('graph');
96 +
97 +-include_once("./lib/html_tree.php");
98 +-include_once("./include/top_graph_header.php");
99 +-
100 + /* ================= input validation ================= */
101 +-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
102 +-input_validate_input_number(get_request_var("local_graph_id"));
103 +-input_validate_input_number(get_request_var("graph_end"));
104 +-input_validate_input_number(get_request_var("graph_start"));
105 ++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
106 ++input_validate_input_number(get_request_var_request("local_graph_id"));
107 ++input_validate_input_number(get_request_var_request("graph_end"));
108 ++input_validate_input_number(get_request_var_request("graph_start"));
109 + input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
110 + /* ==================================================== */
111 +
112 +-if (!isset($_GET['rra_id'])) {
113 +- $_GET['rra_id'] = 'all';
114 ++include_once("./lib/html_tree.php");
115 ++include_once("./include/top_graph_header.php");
116 ++
117 ++if (!isset($_REQUEST['rra_id'])) {
118 ++ $_REQUEST['rra_id'] = 'all';
119 + }
120 +
121 +-if ($_GET["rra_id"] == "all") {
122 ++if ($_REQUEST["rra_id"] == "all") {
123 + $sql_where = " where id is not null";
124 + }else{
125 +- $sql_where = " where id=" . $_GET["rra_id"];
126 ++ $sql_where = " where id=" . $_REQUEST["rra_id"];
127 + }
128 +
129 + /* make sure the graph requested exists (sanity) */
130 +-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) {
131 ++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) {
132 + print "<strong><font size='+1' color='FF0000'>GRAPH DOES NOT EXIST</font></strong>"; exit;
133 + }
134 +
135 + /* take graph permissions into account here, if the user does not have permission
136 + give an "access denied" message */
137 + if (read_config_option("auth_method") != 0) {
138 +- $access_denied = !(is_graph_allowed($_GET["local_graph_id"]));
139 ++ $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"]));
140 +
141 + if ($access_denied == true) {
142 + print "<strong><font size='+1' color='FF0000'>ACCESS DENIED</font></strong>"; exit;
143 + }
144 + }
145 +
146 +-$graph_title = get_graph_title($_GET["local_graph_id"]);
147 ++$graph_title = get_graph_title($_REQUEST["local_graph_id"]);
148 +
149 + if ($_REQUEST["view_type"] == "tree") {
150 + print "<table width='100%' style='background-color: #ffffff; border: 1px solid #ffffff;' align='center' cellspacing='0' cellpadding='3'>";
151 +@@ -76,15 +76,15 @@
152 + print "<table width='100%' style='background-color: #f5f5f5; border: 1px solid #bbbbbb;' align='center' cellspacing='0' cellpadding='3'>";
153 + }
154 +
155 +-$rras = get_associated_rras($_GET["local_graph_id"]);
156 ++$rras = get_associated_rras($_REQUEST["local_graph_id"]);
157 +
158 + switch ($_REQUEST["action"]) {
159 + case 'view':
160 + api_plugin_hook_function('page_buttons',
161 +- array('lgid' => $_GET["local_graph_id"],
162 ++ array('lgid' => $_REQUEST["local_graph_id"],
163 + 'leafid' => '',//$leaf_id,
164 + 'mode' => 'mrtg',
165 +- 'rraid' => $_GET["rra_id"])
166 ++ 'rraid' => $_REQUEST["rra_id"])
167 + );
168 + ?>
169 + <tr class='tableHeader'>
170 +@@ -105,13 +105,13 @@
171 + <table width='1' cellpadding='0'>
172 + <tr>
173 + <td>
174 +- <img class='graphimage' id='graph_<?php print $_GET["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
175 ++ <img class='graphimage' id='graph_<?php print $_REQUEST["local_graph_id"] ?>' src='<?php print htmlspecialchars("graph_image.php?action=view&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"]);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
176 + </td>
177 + <td valign='top' style='padding: 3px;' class='noprint'>
178 +- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
179 +- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
180 +- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
181 +- <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
182 ++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
183 ++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
184 ++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $rra["id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
185 ++ <?php api_plugin_hook('graph_buttons', array('hook' => 'view', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $rra['id'], 'view_type' => $_REQUEST['view_type'])); ?>
186 + <a href='#page_top'><img src='<?php print $config['url_path']; ?>images/graph_page_top.gif' border='0' alt='Page Top' title='Page Top' style='padding: 3px;'></a><br>
187 + </td>
188 + </tr>
189 +@@ -143,7 +143,7 @@
190 + }
191 +
192 + /* fetch information for the current RRA */
193 +- $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_GET["rra_id"]);
194 ++ $rra = db_fetch_row("select id,timespan,steps,name from rra where id=" . $_REQUEST["rra_id"]);
195 +
196 + /* define the time span, which decides which rra to use */
197 + $timespan = -($rra["timespan"]);
198 +@@ -154,24 +154,24 @@
199 + FROM (data_template_data,data_template_rrd,graph_templates_item)
200 + WHERE graph_templates_item.task_item_id=data_template_rrd.id
201 + AND data_template_rrd.local_data_id=data_template_data.local_data_id
202 +- AND graph_templates_item.local_graph_id=" . $_GET["local_graph_id"] .
203 ++ AND graph_templates_item.local_graph_id=" . $_REQUEST["local_graph_id"] .
204 + " LIMIT 0,1");
205 + $ds_step = empty($ds_step) ? 300 : $ds_step;
206 + $seconds_between_graph_updates = ($ds_step * $rra["steps"]);
207 +
208 + $now = time();
209 +
210 +- if (isset($_GET["graph_end"]) && ($_GET["graph_end"] <= $now - $seconds_between_graph_updates)) {
211 +- $graph_end = $_GET["graph_end"];
212 ++ if (isset($_REQUEST["graph_end"]) && ($_REQUEST["graph_end"] <= $now - $seconds_between_graph_updates)) {
213 ++ $graph_end = $_REQUEST["graph_end"];
214 + }else{
215 + $graph_end = $now - $seconds_between_graph_updates;
216 + }
217 +
218 +- if (isset($_GET["graph_start"])) {
219 +- if (($graph_end - $_GET["graph_start"])>$max_timespan) {
220 ++ if (isset($_REQUEST["graph_start"])) {
221 ++ if (($graph_end - $_REQUEST["graph_start"])>$max_timespan) {
222 + $graph_start = $now - $max_timespan;
223 + }else {
224 +- $graph_start = $_GET["graph_start"];
225 ++ $graph_start = $_REQUEST["graph_start"];
226 + }
227 + }else{
228 + $graph_start = $now + $timespan;
229 +@@ -186,7 +186,7 @@
230 + graph_templates_graph.height,
231 + graph_templates_graph.width
232 + from graph_templates_graph
233 +- where graph_templates_graph.local_graph_id=" . $_GET["local_graph_id"]);
234 ++ where graph_templates_graph.local_graph_id=" . $_REQUEST["local_graph_id"]);
235 +
236 + $graph_height = $graph["height"];
237 + $graph_width = $graph["width"];
238 +@@ -214,12 +214,12 @@
239 + <table width='1' cellpadding='0'>
240 + <tr>
241 + <td>
242 +- <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
243 ++ <img id='zoomGraphImage' class="graphimage" src='<?php print htmlspecialchars("graph_image.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end . "&graph_height=" . $graph_height . "&graph_width=" . $graph_width . "&title_font_size=" . $title_font_size);?>' border='0' alt='<?php print htmlspecialchars($graph_title, ENT_QUOTES);?>'>
244 + </td>
245 + <td valign='top' style='padding: 3px;' class='noprint'>
246 +- <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
247 +- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
248 +- <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
249 ++ <a href='<?php print htmlspecialchars("graph.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . $graph_start . "&graph_end=" . $graph_end);?>'><img src='images/graph_properties.gif' border='0' alt='Graph Source/Properties' title='Graph Source/Properties' style='padding: 3px;'></a>
250 ++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>&graph_start=<?php print $graph_start;?>&graph_end=<?php print $graph_end;?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
251 ++ <?php api_plugin_hook('graph_buttons', array('hook' => 'zoom', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
252 + </td>
253 + </tr>
254 + <tr>
255 +@@ -249,17 +249,17 @@
256 + <table width='1' cellpadding='0'>
257 + <tr>
258 + <td>
259 +- <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&graph_start=" . (isset($_GET["graph_start"]) ? $_GET["graph_start"] : "0") . "&graph_end=" . (isset($_GET["graph_end"]) ? $_GET["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
260 ++ <img src='<?php print htmlspecialchars("graph_image.php?action=properties&local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&graph_start=" . (isset($_REQUEST["graph_start"]) ? $_REQUEST["graph_start"] : "0") . "&graph_end=" . (isset($_REQUEST["graph_end"]) ? $_REQUEST["graph_end"] : "0"));?>' border='0' alt='<?php print htmlspecialchars($graph_title);?>'>
261 + </td>
262 + <td valign='top' style='padding: 3px;'>
263 +- <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_GET["local_graph_id"]. "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
264 +- <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_GET["local_graph_id"] . "&rra_id=" . $_GET["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
265 +- <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_GET['local_graph_id'], 'rra' => $_GET['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
266 ++ <a href='<?php print htmlspecialchars("graph.php?action=zoom&local_graph_id=" . $_REQUEST["local_graph_id"]. "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"] . "&graph_start=" . get_request_var("graph_start") . "&graph_end=" . get_request_var("graph_end"));?>'><img src='images/graph_zoom.gif' border='0' alt='Zoom Graph' title='Zoom Graph' style='padding: 3px;'></a><br>
267 ++ <a href='<?php print htmlspecialchars("graph_xport.php?local_graph_id=" . $_REQUEST["local_graph_id"] . "&rra_id=" . $_REQUEST["rra_id"] . "&view_type=" . $_REQUEST["view_type"]);?>'><img src='images/graph_query.png' border='0' alt='CSV Export' title='CSV Export' style='padding: 3px;'></a><br>
268 ++ <?php api_plugin_hook('graph_buttons', array('hook' => 'properties', 'local_graph_id' => $_REQUEST['local_graph_id'], 'rra' => $_REQUEST['rra_id'], 'view_type' => $_REQUEST['view_type'])); ?>
269 + </td>
270 + </tr>
271 + <tr>
272 + <td colspan='2' align='center'>
273 +- <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_GET["rra_id"]));?></strong>
274 ++ <strong><?php print htmlspecialchars(db_fetch_cell("select name from rra where id=" . $_REQUEST["rra_id"]));?></strong>
275 + </td>
276 + </tr>
277 + </table>
278 +--- a/include/top_graph_header.php
279 ++++ b/include/top_graph_header.php
280 +@@ -146,12 +146,12 @@
281 + $graph_data_array["print_source"] = true;
282 +
283 + /* override: graph start time (unix time) */
284 +- if (!empty($_GET["graph_start"])) {
285 ++ if (!empty($_REQUEST["graph_start"])) {
286 + $graph_data_array["graph_start"] = get_request_var_request("graph_start");
287 + }
288 +
289 + /* override: graph end time (unix time) */
290 +- if (!empty($_GET["graph_end"])) {
291 ++ if (!empty($_REQUEST["graph_end"])) {
292 + $graph_data_array["graph_end"] = get_request_var_request("graph_end");
293 + }
294 +
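Review bot: After this patch the validated value and the consumed value in graph.php are finally read from the same superglobal, but the SQL still concatenates `$_REQUEST["rra_id"]` and `$_REQUEST["local_graph_id"]` straight into query strings (the `$sql_where` assignment, the `db_fetch_cell` sanity check, and the `rra`, `graph_templates_item` and `graph_templates_graph` lookups in the later hunks), so safety rests entirely on `input_validate_input_regex`/`input_validate_input_number` terminating the request on bad input — behaviour defined outside this patch. A defence-in-depth cast at those sites, e.g. `$sql_where = " where id=" . (int) $_REQUEST["rra_id"];`, would keep the queries safe even if a later change reorders the validation block or an include again, as the pre-patch ordering did. Note also that the properties view still builds its zoom link from `get_request_var("graph_start")` and `get_request_var("graph_end")` (GET-only) while every other read now uses `$_REQUEST`, so a POSTed time range is validated but not carried into that link; `get_request_var_request()` there would be consistent with the rest of the change. Since this is an upstream patch carried in files/, these are points to raise upstream or as an additional local patch rather than edits to this file.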