Date: Thu, 3 Apr 2014 09:17:46 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: cacti "bug#0002405: SQL injection in graph_xport.php"

https://bugs.gentoo.org/show_bug.cgi?id=506356#c3 seems unusual because
it says:

  One more (no CVE yet):
  http://www.openwall.com/lists/oss-security/2014/04/01/3
  http://svn.cacti.net/viewvc?view=rev&revision=7393
  http://bugs.cacti.net/view.php?id=2405 (undisclosed)

but those references are from two different times. The
http://svn.cacti.net/viewvc?view=rev&revision=7393 reference
corresponds to part of CVE-2013-1435, fixed in July 2013. The
http://bugs.cacti.net/view.php?id=2405 reference is for March 2014
issues.

> bug#0002405: SQL injection in graph_xport.php
>
> - Fixed form input validation problems
> - Fixed rrd export and graph shell escape issues
>
> http://svn.cacti.net/viewvc/cacti/branches/0.8.8/lib/rrd.php?r1=7437&r2=7439

That lib/rrd.php diff is part of the bug#0002405 fix, but a possibly
complete reference is:

  http://svn.cacti.net/viewvc?view=rev&revision=7439

where the graph_xport.php change was for SQL injection, and the
lib/rrd.php change is related to addressing shell metacharacters with
this approach:

  http://php.net/manual/en/function.escapeshellcmd.php

We have not looked at whether that approach is sufficient. If it
isn't, one more CVE ID would be needed.

The graph_xport.php change also introduces get_request_var in a few
places. As far as we can tell, this is not a security fix. It is
documented as "returns the current value of a PHP $_GET variable,
optionally returning a default value if the request variable does not
exist."

So, the new CVEs are:

CVE-2014-2708 = http://svn.cacti.net/viewvc?view=rev&revision=7439 -
all of the changes to graph_xport.php to ensure that data is numeric
(reported as SQL injection fixes)

CVE-2014-2709 = http://svn.cacti.net/viewvc?view=rev&revision=7439 -
all of the changes to lib/rrd.php to add cacti_escapeshellarg calls

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
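
The two kinds of fix described in the message above (ensuring request data is numeric before it reaches SQL, and escaping values handed to a shell), as an added PHP example that is not part of the original message and is not Cacti's code. The function names, request keys, table name and sample values are hypothetical.

```php
<?php
// Added illustration, not Cacti code. All names and sample values are hypothetical.

/** Return a request value as an int, rejecting anything that is not all digits. */
function numeric_request_var(array $request, string $name, int $default = 0): int
{
    if (!isset($request[$name]) || $request[$name] === '') {
        return $default;
    }
    $value = $request[$name];
    // ctype_digit() is true only for non-empty strings made entirely of 0-9,
    // so quotes, spaces, signs and SQL keywords never reach the query text.
    if (!is_string($value) || !ctype_digit($value)) {
        throw new InvalidArgumentException("$name must be a non-negative integer");
    }
    return (int) $value;
}

/** Build a command line in which every value is exactly one shell argument. */
function build_command(string $binary, array $args): string
{
    return implode(' ', array_map('escapeshellarg', array_merge([$binary], $args)));
}

// Constructed sample request: one valid id, one value carrying SQL syntax.
$request = ['graph_id' => '42', 'rra_id' => '1 OR 1=1'];

$graph_id = numeric_request_var($request, 'graph_id');
echo "SELECT title FROM graphs WHERE id = $graph_id\n";

try {
    numeric_request_var($request, 'rra_id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Constructed graph title containing spaces and a shell metacharacter.
$label = 'cpu load; date';

// escapeshellcmd() backslash-escapes metacharacters but leaves spaces alone,
// so the value still splits into several arguments.
echo 'rrdtool graph - --title ' . escapeshellcmd($label), "\n";

// escapeshellarg() quotes the whole value, keeping it a single argument.
echo build_command('rrdtool', ['graph', '-', '--title', $label]), "\n";
```

The quoting that escapeshellarg() and escapeshellcmd() produce is platform-dependent, so compare the two printed command lines on the platform where the application runs.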