Date: Thu, 3 Apr 2014 09:17:46 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: cacti "bug#0002405: SQL injection in graph_xport.php"

https://bugs.gentoo.org/show_bug.cgi?id=506356#c3 seems unusual
because it says:

  One more (no CVE yet):
  http://www.openwall.com/lists/oss-security/2014/04/01/3
  http://svn.cacti.net/viewvc?view=rev&revision=7393
  http://bugs.cacti.net/view.php?id=2405 (undisclosed)

but those references are from two different times. The
http://svn.cacti.net/viewvc?view=rev&revision=7393 reference
corresponds to part of CVE-2013-1435, fixed in July 2013. The
http://bugs.cacti.net/view.php?id=2405 reference is for March 2014
issues.

> bug#0002405: SQL injection in graph_xport.php
>
> - Fixed form input validation problems
> - Fixed rrd export and graph shell escape issues
>
> http://svn.cacti.net/viewvc/cacti/branches/0.8.8/lib/rrd.php?r1=7437&r2=7439

That lib/rrd.php diff is part of the bug#0002405 fix, but a possibly
complete reference is:

  http://svn.cacti.net/viewvc?view=rev&revision=7439

where the graph_xport.php change was for SQL injection, and the
lib/rrd.php change is related to addressing shell metacharacters with
this approach:

  http://php.net/manual/en/function.escapeshellcmd.php

We have not looked at whether that approach is sufficient. If it
isn't, one more CVE ID would be needed.

The graph_xport.php change also introduces get_request_var in a few
places. As far as we can tell, this is not a security fix. It is
documented as "returns the current value of a PHP $_GET variable,
optionally returning a default value if the request variable does not
exist."

So, the new CVEs are:

CVE-2014-2708 = http://svn.cacti.net/viewvc?view=rev&revision=7439 -
all of the changes to graph_xport.php to ensure that data is numeric
(reported as SQL injection fixes)

CVE-2014-2709 = http://svn.cacti.net/viewvc?view=rev&revision=7439 -
all of the changes to lib/rrd.php to add cacti_escapeshellarg calls

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]