author | tron <tron@pkgsrc.org> | 2014-01-08 20:51:28 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2014-01-08 20:51:28 +0000 |
commit | 05d5f2b54ae0a1cd08b595a06b7025b354e208cc (patch) | |
tree | ac4c500285f779d2a21af6093061d77a45a11996 | |
parent | 602b9deeb12e113e9d47fb409ad0bfc9c2fbf15c (diff) | |
download | pkgsrc-05d5f2b54ae0a1cd08b595a06b7025b354e208cc.tar.gz |
Update the "cacti" package to version 0.8.8b. Changes since 0.8.8a:
- bug: Fixed issue with custom data source information being lost when
saved from edit
- bug: Repopulate the poller cache on new installations
- bug: Fix issue with poller not escaping the script query path correctly
- bug: Allow snmpv3 priv proto none
- bug: Fix issue where host activate may flush the entire poller item
cache
- security: SQL injection and shell escaping issues
Also add the fix for the security vulnerability reported in SA54531
taken from the SVN repository.
-rw-r--r-- | net/cacti/Makefile | 6 | ||||
-rw-r--r-- | net/cacti/PLIST | 3 | ||||
-rw-r--r-- | net/cacti/distinfo | 12 | ||||
-rw-r--r-- | net/cacti/patches/patch-host.php | 18 | ||||
-rw-r--r-- | net/cacti/patches/patch-install_index.php | 138 | ||||
-rw-r--r-- | net/cacti/patches/patch-lib_api_device.php | 17 |
6 files changed, 175 insertions, 19 deletions
diff --git a/net/cacti/Makefile b/net/cacti/Makefile index b3017faaae5..97ba50face0 100644 --- a/net/cacti/Makefile +++ b/net/cacti/Makefile @@ -1,8 +1,6 @@ -# $NetBSD: Makefile,v 1.20 2013/10/10 14:42:26 ryoon Exp $ -# +# $NetBSD: Makefile,v 1.21 2014/01/08 20:51:28 tron Exp $ -DISTNAME= cacti-0.8.8a -PKGREVISION= 8 +DISTNAME= cacti-0.8.8b CATEGORIES= net MASTER_SITES= http://www.cacti.net/downloads/ diff --git a/net/cacti/PLIST b/net/cacti/PLIST index 4bc7919e9ba..254c0c28fb8 100644 --- a/net/cacti/PLIST +++ b/net/cacti/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.3 2012/12/12 10:48:43 wiz Exp $ +@comment $NetBSD: PLIST,v 1.4 2014/01/08 20:51:28 tron Exp $ share/cacti/LICENSE share/cacti/README share/cacti/about.php @@ -316,6 +316,7 @@ share/cacti/install/0_8_7g_to_0_8_7h.php share/cacti/install/0_8_7h_to_0_8_7i.php share/cacti/install/0_8_7i_to_0_8_8.php share/cacti/install/0_8_8_to_0_8_8a.php +share/cacti/install/0_8_8_to_0_8_8b.php share/cacti/install/0_8_to_0_8_1.php share/cacti/install/index.php share/cacti/install/install_finish.gif diff --git a/net/cacti/distinfo b/net/cacti/distinfo index 911d50863c8..c13eaf4b613 100644 --- a/net/cacti/distinfo +++ b/net/cacti/distinfo 
@@ -1,9 +1,11 @@ -$NetBSD: distinfo,v 1.3 2012/12/12 10:48:43 wiz Exp $ +$NetBSD: distinfo,v 1.4 2014/01/08 20:51:28 tron Exp $ -SHA1 (cacti-0.8.8a.tar.gz) = e66f5fde96b28b273a9e62f79f8a7bb8827812c2 -RMD160 (cacti-0.8.8a.tar.gz) = 1462a71af844810a3451c24fd733b3f2351b75df -Size (cacti-0.8.8a.tar.gz) = 2273280 bytes +SHA1 (cacti-0.8.8b.tar.gz) = 84979416ae08d586064328d6451a3108b74a3b06 +RMD160 (cacti-0.8.8b.tar.gz) = a2c88961565c6b5d593b4f2603514139800c9145 +Size (cacti-0.8.8b.tar.gz) = 2272130 bytes SHA1 (patch-cacti.sql) = 37e18026c4136630d939ab5a7a4d6336bf166282 +SHA1 (patch-host.php) = 679fd76c81a719d949e023cecc4cc0c47ac6acf4 SHA1 (patch-include_global.php) = fb0d2f15596b051c60ed6032ecb9038315b7c663 SHA1 (patch-include_global__settings.php) = 54ffd0c3fc9d927595b1568a874c45a4a6033f7b -SHA1 (patch-install_index.php) = 84b25c39a4ce1bc6144cffcdb9e32bf257cfcae6 +SHA1 (patch-install_index.php) = e5ee36159968e1ca160aba953e02b9e80a2eb5d9 +SHA1 (patch-lib_api_device.php) = 0a2d495a0245c8957bfd5214a5e79dbb31f135c4 diff --git a/net/cacti/patches/patch-host.php b/net/cacti/patches/patch-host.php new file mode 100644 index 00000000000..1b27e7ccaad --- /dev/null +++ b/net/cacti/patches/patch-host.php 
@@ -0,0 +1,18 @@ +$NetBSD: patch-host.php,v 1.1 2014/01/08 20:51:28 tron Exp $ + +Fix vulnerability reported in SA54531. Patch taken from here: + +http://svn.cacti.net/viewvc?view=rev&revision=7420 + +--- host.php.orig 2013-08-07 03:31:19.000000000 +0100 ++++ host.php 2014-01-08 20:26:33.000000000 +0000 +@@ -149,6 +149,9 @@ + if ($_POST["snmp_version"] == 3 && ($_POST["snmp_password"] != $_POST["snmp_password_confirm"])) { + raise_message(4); + }else{ ++ input_validate_input_number(get_request_var_post("id")); ++ input_validate_input_number(get_request_var_post("host_template_id")); ++ + $host_id = api_device_save($_POST["id"], $_POST["host_template_id"], $_POST["description"], + trim($_POST["hostname"]), $_POST["snmp_community"], $_POST["snmp_version"], + $_POST["snmp_username"], $_POST["snmp_password"], diff --git a/net/cacti/patches/patch-install_index.php b/net/cacti/patches/patch-install_index.php index a009b198c39..e149aa73e14 100644 --- a/net/cacti/patches/patch-install_index.php +++ b/net/cacti/patches/patch-install_index.php 
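Review bot: The two added `input_validate_input_number()` calls check `id` and `host_template_id`, but the `api_device_save()` call directly below still reads `$_POST["id"]` and `$_POST["host_template_id"]`, so the fix holds only if the validator stops the request on bad input instead of returning. That behaviour is not visible in this hunk; a comment above the calls would record the dependency, for example `/* must abort on non-numeric input: id is interpolated into a query inside api_device_save() */`. If the validator is an is_numeric-style check it is also looser than the `^[0-9]+$` pattern used in lib/api_device.php, which is worth confirming. The enclosing `if`/`else` starts above the hunk and the `api_device_save()` argument list continues below it.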
@@ -1,12 +1,15 @@ -$NetBSD: patch-install_index.php,v 1.1.1.1 2011/11/22 22:23:13 tez Exp $ +$NetBSD: patch-install_index.php,v 1.2 2014/01/08 20:51:28 tron Exp $ -find utilites in PREFIX first -fixup hard coded user and path (documentaion only) -make log directory configurable by package variable +- Find utilites in PREFIX first. +- Fix-up hard coded user and path (documentaion only). +- Make log directory configurable by package variable +- Fix vulnerability reported in SA54531. Patch taken from here: ---- install/index.php.orig 2011-09-26 20:41:03.000000000 +0000 -+++ install/index.php -@@ -95,7 +95,7 @@ function find_best_path($binary_name) { + http://svn.cacti.net/viewvc?view=rev&revision=7420 + +--- install/index.php.orig 2013-08-07 03:31:19.000000000 +0100 ++++ install/index.php 2014-01-08 20:26:33.000000000 +0000 +@@ -96,7 +96,7 @@ if ($config["cacti_server_os"] == "win32") { $search_paths = array("c:/usr/bin", "c:/cacti", "c:/rrdtool", "c:/spine", "c:/php", "c:/progra~1/php", "c:/net-snmp/bin", "c:/progra~1/net-snmp/bin", "d:/usr/bin", "d:/net-snmp/bin", "d:/progra~1/net-snmp/bin", "d:/cacti", "d:/rrdtool", "d:/spine", "d:/php", "d:/progra~1/php"); }else{ @@ -15,7 +18,7 @@ make log directory configurable by package variable } for ($i=0; $i<count($search_paths); $i++) { -@@ -266,7 +266,7 @@ $input["path_cactilog"]["description"] = +@@ -267,7 +267,7 @@ if (config_value_exists("path_cactilog")) { $input["path_cactilog"]["default"] = read_config_option("path_cactilog"); } else { 
@@ -24,7 +27,108 @@ make log directory configurable by package variable } /* SNMP Version */ -@@ -652,7 +652,7 @@ if ($_REQUEST["step"] == "4") { +@@ -310,27 +310,28 @@ + } + + /* pre-processing that needs to be done for each step */ +-if (empty($_REQUEST["step"])) { +- $_REQUEST["step"] = 1; +-}else{ +- if ($_REQUEST["step"] == "1") { +- $_REQUEST["step"] = "2"; +- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "1")) { +- $_REQUEST["step"] = "3"; +- }elseif (($_REQUEST["step"] == "2") && ($_REQUEST["install_type"] == "3")) { +- $_REQUEST["step"] = "8"; +- }elseif (($_REQUEST["step"] == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) { +- $_REQUEST["step"] = "9"; +- }elseif ($_REQUEST["step"] == "8") { +- $_REQUEST["step"] = "3"; +- }elseif ($_REQUEST["step"] == "9") { +- $_REQUEST["step"] = "3"; +- }elseif ($_REQUEST["step"] == "3") { +- $_REQUEST["step"] = "4"; ++if (isset($_REQUEST["step"]) && $_REQUEST["step"] > 0) { ++ $step = intval($_REQUEST["step"]); ++ if ($step == "1") { ++ $step = "2"; ++ } elseif (($step == "2") && ($_REQUEST["install_type"] == "1")) { ++ $step = "3"; ++ } elseif (($step == "2") && ($_REQUEST["install_type"] == "3")) { ++ $step = "8"; ++ } elseif (($step == "8") && ($old_version_index <= array_search("0.8.5a", $cacti_versions))) { ++ $step = "9"; ++ } elseif ($step == "8") { ++ $step = "3"; ++ } elseif ($step == "9") { ++ $step = "3"; ++ } elseif ($step == "3") { ++ $step = "4"; + } ++} else { ++ $step = 1; + } + +-if ($_REQUEST["step"] == "4") { ++if ($step == "4") { + include_once("../lib/data_query.php"); + include_once("../lib/utility.php"); + +@@ -366,7 +367,7 @@ + + header ("Location: ../index.php"); + exit; +-}elseif (($_REQUEST["step"] == "8") && ($_REQUEST["install_type"] == "3")) { ++}elseif (($step == "8") && ($_REQUEST["install_type"] == "3")) { + /* if the version is not found, die */ + if (!is_int($old_version_index)) { + print " <p style='font-family: Verdana, Arial; 
font-size: 16px; font-weight: bold; color: red;'>Error</p> +@@ -505,7 +506,7 @@ + </tr> + <tr> + <td width="100%" style="font-size: 12px;"> +- <?php if ($_REQUEST["step"] == "1") { ?> ++ <?php if ($step == "1") { ?> + + <p>Thanks for taking the time to download and install cacti, the complete graphing + solution for your network. Before you can start making cool graphs, there are a few +@@ -530,7 +531,7 @@ + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details.</p> + +- <?php }elseif ($_REQUEST["step"] == "2") { ?> ++ <?php }elseif ($step == "2") { ?> + + <p>Please select the type of installation</p> + +@@ -551,7 +552,7 @@ + print "Server Operating System Type: " . $config["cacti_server_os"] . "<br>"; ?> + </p> + +- <?php }elseif ($_REQUEST["step"] == "3") { ?> ++ <?php }elseif ($step == "3") { ?> + + <p>Make sure all of these values are correct before continuing.</p> + <?php +@@ -609,7 +610,7 @@ + is an upgrade. You can change any of the settings on this screen at a later + time by going to "Cacti Settings" from within Cacti.</p> + +- <?php }elseif ($_REQUEST["step"] == "8") { ?> ++ <?php }elseif ($step == "8") { ?> + + <p>Upgrade results:</p> + +@@ -659,7 +660,7 @@ + print $upgrade_results; + ?> + +- <?php }elseif ($_REQUEST["step"] == "9") { ?> ++ <?php }elseif ($step == "9") { ?> + + <p style='font-size: 16px; font-weight: bold; color: red;'>Important Upgrade Notice</p> + +@@ -667,13 +668,13 @@ <p>See the sample crontab entry below with the change made in red. Your crontab line will look slightly different based upon your setup.</p> 
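Review bot: In the rewritten step pre-processing, the gate `$_REQUEST["step"] > 0` is evaluated on the raw request value before `intval()`, so an input such as `0.5` passes the gate yet becomes `0`, which matches none of the page branches further down. Normalising first avoids that: `$step = isset($_REQUEST["step"]) ? intval($_REQUEST["step"]) : 0;` followed by `if ($step > 0) {`. `$step` is then an integer that is compared with and reassigned to string literals (`"1"`, `"2"`), which works only through loose comparison; integer literals would be clearer. `$_REQUEST["install_type"]` is still read without an `isset()` check in the `"2"` and `"8"` branches.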
@@ -33,3 +137,19 @@ make log directory configurable by package variable <p>Once you have made this change, please click Next to continue.</p> + <?php }?> + +- <p align="right"><input type="image" src="install_<?php if ($_REQUEST["step"] == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($_REQUEST["step"] == "3"){?>Finish<?php }else{?>Next<?php }?>"></p> ++ <p align="right"><input type="image" src="install_<?php if ($step == "3") {?>finish<?php }else{?>next<?php }?>.gif" alt="<?php if ($step == "3"){?>Finish<?php }else{?>Next<?php }?>"></p> + </td> + </tr> + </table> +@@ -681,7 +682,7 @@ + </tr> + </table> + +-<input type="hidden" name="step" value="<?php print $_REQUEST["step"];?>"> ++<input type="hidden" name="step" value="<?php print $step;?>"> + + </form> + diff --git a/net/cacti/patches/patch-lib_api_device.php b/net/cacti/patches/patch-lib_api_device.php new file mode 100644 index 00000000000..b4c0a10dbbd --- /dev/null +++ b/net/cacti/patches/patch-lib_api_device.php @@ -0,0 +1,17 @@ +$NetBSD: patch-lib_api_device.php,v 1.1 2014/01/08 20:51:28 tron Exp $ + +Fix vulnerability reported in SA54531. Patch taken from here: + +http://svn.cacti.net/viewvc?view=rev&revision=7420 + +--- lib/api_device.php.orig 2013-08-07 03:31:18.000000000 +0100 ++++ lib/api_device.php 2014-01-08 20:26:33.000000000 +0000 +@@ -107,7 +107,7 @@ + $_host_template_id = db_fetch_cell("select host_template_id from host where id=$id"); + } + +- $save["id"] = $id; ++ $save["id"] = form_input_validate($id, "id", "^[0-9]+$", false, 3); + $save["host_template_id"] = form_input_validate($host_template_id, "host_template_id", "^[0-9]+$", false, 3); + $save["description"] = form_input_validate($description, "description", "", false, 3); + $save["hostname"] = form_input_validate(trim($hostname), "hostname", "", false, 3); |
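Review bot: In the lib/api_device.php change, the context line `db_fetch_cell("select host_template_id from host where id=$id")` still builds its query from `$id` before the new `form_input_validate($id, "id", "^[0-9]+$", false, 3)` is reached, so the added check covers the later save but not this lookup. The lookup therefore relies on every caller validating `id` beforehand, as host.php does in this same commit; callers not shown on this page would need the same check. Casting at the point of use, `$_host_template_id = db_fetch_cell("select host_template_id from host where id=" . intval($id));`, or moving the validation above the lookup would make the function safe on its own. The block containing the lookup begins above the hunk.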