authoradam <adam@pkgsrc.org>2014-08-23 12:50:25 +0000
committeradam <adam@pkgsrc.org>2014-08-23 12:50:25 +0000
commit224b8aa08a6f5c16825347d4facdca952779f067 (patch)
treeb010a4fe7c09fa85ac9e765a3678cb343263b135 /net/cacti
parent7777d38f0c67ec7578a3510ad486e6d9f0e683ea (diff)
Fixes for:
CVE-2014-2326 Unspecified HTML Injection Vulnerability CVE-2014-2328 Unspecified Remote Command Execution Vulnerability CVE-2014-2708 Unspecified SQL Injection Vulnerability CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
Diffstat (limited to 'net/cacti')
-rw-r--r--net/cacti/Makefile38
-rw-r--r--net/cacti/distinfo6
-rw-r--r--net/cacti/patches/patch-cdef.php20
-rw-r--r--net/cacti/patches/patch-graph_xport.php71
-rw-r--r--net/cacti/patches/patch-lib_graph_export.php28
-rw-r--r--net/cacti/patches/patch-lib_rrd.php49
6 files changed, 192 insertions, 20 deletions
diff --git a/net/cacti/Makefile b/net/cacti/Makefile
index 04331f921ee..0899c2bf58b 100644
--- a/net/cacti/Makefile
+++ b/net/cacti/Makefile
@@ -1,14 +1,14 @@
-# $NetBSD: Makefile,v 1.23 2014/05/05 00:48:13 ryoon Exp $
+# $NetBSD: Makefile,v 1.24 2014/08/23 12:50:25 adam Exp $
-DISTNAME= cacti-0.8.8b
-PKGREVISION= 2
-CATEGORIES= net
-MASTER_SITES= http://www.cacti.net/downloads/
+DISTNAME= cacti-0.8.8b
+PKGREVISION= 3
+CATEGORIES= net
+MASTER_SITES= http://www.cacti.net/downloads/
-MAINTAINER= pkgsrc-users@NetBSD.org
-HOMEPAGE= http://www.cacti.net/
-COMMENT= Frontend to rrdtool for monitoring systems and services
-LICENSE= gnu-gpl-v2
+MAINTAINER= pkgsrc-users@NetBSD.org
+HOMEPAGE= http://www.cacti.net/
+COMMENT= Frontend to rrdtool for monitoring systems and services
+LICENSE= gnu-gpl-v2
USE_LANGUAGES= # none
USE_TOOLS+= pax
@@ -39,18 +39,18 @@ CACTIDIR= ${PREFIX}/share/cacti
CACTI_LOGDIR?= ${CACTIDIR}/log
CACTI_RRADIR?= ${CACTIDIR}/rra
-REPLACE_INTERPRETER+= php
-REPLACE.php.old= .*php[^ ]*
-REPLACE.php.new= ${PREFIX}/bin/php
-REPLACE_FILES.php= cli/*.php
+REPLACE_INTERPRETER+= php
+REPLACE.php.old= .*php[^ ]*
+REPLACE.php.new= ${PREFIX}/bin/php
+REPLACE_FILES.php= cli/*.php
-REPLACE_PERL+= scripts/*.pl
+REPLACE_PERL+= scripts/*.pl
-MESSAGE_SUBST+= CACTIDIR=${CACTIDIR}
-MESSAGE_SUBST+= CACTI_USER=${CACTI_USER}
-MESSAGE_SUBST+= EGDIR=${EGDIR}
-MESSAGE_SUBST+= PREFIX=${PREFIX}
-MESSAGE_SUBST+= PKG_SYSCONFBASE=${PKG_SYSCONFBASE}
+MESSAGE_SUBST+= CACTIDIR=${CACTIDIR}
+MESSAGE_SUBST+= CACTI_USER=${CACTI_USER}
+MESSAGE_SUBST+= EGDIR=${EGDIR}
+MESSAGE_SUBST+= PREFIX=${PREFIX}
+MESSAGE_SUBST+= PKG_SYSCONFBASE=${PKG_SYSCONFBASE}
FILES_SUBST+= CACTIDIR=${CACTIDIR}
FILES_SUBST+= CACTI_GROUP=${CACTI_GROUP}
FILES_SUBST+= CACTI_USER=${CACTI_USER}
diff --git a/net/cacti/distinfo b/net/cacti/distinfo
index c13eaf4b613..12436d645b4 100644
--- a/net/cacti/distinfo
+++ b/net/cacti/distinfo
@@ -1,11 +1,15 @@
-$NetBSD: distinfo,v 1.4 2014/01/08 20:51:28 tron Exp $
+$NetBSD: distinfo,v 1.5 2014/08/23 12:50:25 adam Exp $
SHA1 (cacti-0.8.8b.tar.gz) = 84979416ae08d586064328d6451a3108b74a3b06
RMD160 (cacti-0.8.8b.tar.gz) = a2c88961565c6b5d593b4f2603514139800c9145
Size (cacti-0.8.8b.tar.gz) = 2272130 bytes
SHA1 (patch-cacti.sql) = 37e18026c4136630d939ab5a7a4d6336bf166282
+SHA1 (patch-cdef.php) = ee898fcbb0da5db1a1127ba54fbf72c308df47eb
+SHA1 (patch-graph_xport.php) = 275717883721c674ab149e163be0ba780b86b11b
SHA1 (patch-host.php) = 679fd76c81a719d949e023cecc4cc0c47ac6acf4
SHA1 (patch-include_global.php) = fb0d2f15596b051c60ed6032ecb9038315b7c663
SHA1 (patch-include_global__settings.php) = 54ffd0c3fc9d927595b1568a874c45a4a6033f7b
SHA1 (patch-install_index.php) = e5ee36159968e1ca160aba953e02b9e80a2eb5d9
SHA1 (patch-lib_api_device.php) = 0a2d495a0245c8957bfd5214a5e79dbb31f135c4
+SHA1 (patch-lib_graph_export.php) = ef91e864bc830653fbcf490419d39511aa7a258e
+SHA1 (patch-lib_rrd.php) = cf7483d9a67f9f146d130de7da86a0f37f1041c9
diff --git a/net/cacti/patches/patch-cdef.php b/net/cacti/patches/patch-cdef.php
new file mode 100644
index 00000000000..e657d06fe06
--- /dev/null
+++ b/net/cacti/patches/patch-cdef.php
@@ -0,0 +1,20 @@
+$NetBSD: patch-cdef.php,v 1.1 2014/08/23 12:50:25 adam Exp $
+
+Fixes for:
+CVE-2014-2326 Unspecified HTML Injection Vulnerability
+CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
+CVE-2014-2708 Unspecified SQL Injection Vulnerability
+CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
+
+--- cdef.php.orig 2013-08-06 22:31:19.000000000 -0400
++++ cdef.php 2014-04-04 21:39:04.000000000 -0400
+@@ -431,7 +431,7 @@
+ <a class="linkEditMain" href="<?php print htmlspecialchars("cdef.php?action=item_edit&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>">Item #<?php print htmlspecialchars($i);?></a>
+ </td>
+ <td>
+- <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print get_cdef_item_name($cdef_item["id"]);?></strong>
++ <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print htmlspecialchars(get_cdef_item_name($cdef_item["id"]));?></strong>
+ </td>
+ <td>
+ <a href="<?php print htmlspecialchars("cdef.php?action=item_movedown&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>"><img src="images/move_down.gif" border="0" alt="Move Down"></a>
+diff -ruBbd graph_xport.php graph_xport.php
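Review bot: The new patch file ends with a stray `diff -ruBbd graph_xport.php graph_xport.php` line (the last line of this hunk), carried over from the upstream combined diff; it belongs to no hunk, so depending on the patch implementation it is silently ignored or reported as trailing garbage, and it should be dropped from patch-cdef.php. The `htmlspecialchars()` wrap around `get_cdef_item_name()` is the right fix for the HTML-injection side of the advisory. `$cdef_item_types[$cdef_item_type]` on the same line is still printed unescaped, which is only safe if that array holds fixed labels rather than stored user input; its definition is outside this hunk, so that is a point to confirm rather than a defect I can assert.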
diff --git a/net/cacti/patches/patch-graph_xport.php b/net/cacti/patches/patch-graph_xport.php
new file mode 100644
index 00000000000..bc59aa49ddc
--- /dev/null
+++ b/net/cacti/patches/patch-graph_xport.php
@@ -0,0 +1,71 @@
+$NetBSD: patch-graph_xport.php,v 1.1 2014/08/23 12:50:25 adam Exp $
+
+Fixes for:
+CVE-2014-2326 Unspecified HTML Injection Vulnerability
+CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
+CVE-2014-2708 Unspecified SQL Injection Vulnerability
+CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
+
+--- graph_xport.php.orig 2013-08-06 22:31:19.000000000 -0400
++++ graph_xport.php 2014-04-04 21:39:04.000000000 -0400
+@@ -47,43 +47,48 @@
+
+ $graph_data_array = array();
+
++/* ================= input validation ================= */
++input_validate_input_number(get_request_var("local_graph_id"));
++input_validate_input_number(get_request_var("rra_id"));
++/* ==================================================== */
++
+ /* override: graph start time (unix time) */
+-if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
+- $graph_data_array["graph_start"] = $_GET["graph_start"];
++if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
++ $graph_data_array["graph_start"] = get_request_var("graph_start");
+ }
+
+ /* override: graph end time (unix time) */
+-if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+- $graph_data_array["graph_end"] = $_GET["graph_end"];
++if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
++ $graph_data_array["graph_end"] = get_request_var("graph_end");
+ }
+
+ /* override: graph height (in pixels) */
+-if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+- $graph_data_array["graph_height"] = $_GET["graph_height"];
++if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
++ $graph_data_array["graph_height"] = get_request_var("graph_height");
+ }
+
+ /* override: graph width (in pixels) */
+-if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+- $graph_data_array["graph_width"] = $_GET["graph_width"];
++if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
++ $graph_data_array["graph_width"] = get_request_var("graph_width");
+ }
+
+ /* override: skip drawing the legend? */
+ if (!empty($_GET["graph_nolegend"])) {
+- $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
++ $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
+ }
+
+ /* print RRDTool graph source? */
+ if (!empty($_GET["show_source"])) {
+- $graph_data_array["print_source"] = $_GET["show_source"];
++ $graph_data_array["print_source"] = get_request_var("show_source");
+ }
+
+-$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
++$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
+
+ /* for bandwidth, NThPercentile */
+ $xport_meta = array();
+
+ /* Get graph export */
+-$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
++$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
+
+ /* Make graph title the suggested file name */
+ if (is_array($xport_array["meta"])) {
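Review bot: The `graph_start` guard in the added patch has a misplaced parenthesis: `is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)` hands the boolean result of the `&&` to `is_numeric()`, which returns false for both `true` and `false`, so the `graph_start` override can never be applied (the following guards for `graph_end`, `graph_height` and `graph_width` have the intended shape). The line should read `if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {`. The `db_fetch_row` line still builds its SQL by string concatenation and relies on the preceding `input_validate_input_number()` call having rejected a non-numeric `local_graph_id`; that is acceptable only if the helper aborts the request on failure, which cannot be confirmed from this diff. The `rrdtool_function_xport()` call still reads `$_GET["local_graph_id"]` directly while every other value now goes through `get_request_var()`; using the same accessor there would keep the input path uniform.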
diff --git a/net/cacti/patches/patch-lib_graph_export.php b/net/cacti/patches/patch-lib_graph_export.php
new file mode 100644
index 00000000000..71ce4fb9c15
--- /dev/null
+++ b/net/cacti/patches/patch-lib_graph_export.php
@@ -0,0 +1,28 @@
+$NetBSD: patch-lib_graph_export.php,v 1.1 2014/08/23 12:50:25 adam Exp $
+
+Fixes for:
+CVE-2014-2326 Unspecified HTML Injection Vulnerability
+CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
+CVE-2014-2708 Unspecified SQL Injection Vulnerability
+CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
+
+--- lib/graph_export.php.orig 2013-08-06 22:31:19.000000000 -0400
++++ lib/graph_export.php 2014-04-04 21:39:05.000000000 -0400
+@@ -339,7 +339,7 @@
+ chdir($stExportDir);
+
+ /* set the initial command structure */
+- $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password'];
++ $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']);
+
+ /* if the user requested passive mode, use it */
+ if ($aFtpExport['passive']) {
+@@ -347,7 +347,7 @@
+ }
+
+ /* setup the port, server, remote directory and all files */
+- $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . ".";
++ $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . ".";
+
+ /* run the command */
+ $iExecuteReturns = 0;
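Review bot: Every ncftpput argument is now wrapped in `cacti_escapeshellarg()`, which closes the shell-injection path, but the FTP password is still handed over as a `-p` command-line argument, so it is visible to any local user in the process list for the duration of the upload. ncftpput can read host, user and password from a file via `-f`, which would keep the credential off the command line; that is a follow-up hardening rather than part of this fix. The enclosing function starts before the first hunk and the `passive` branch between the two hunks is not visible here, so I cannot confirm from this diff whether any other fragment is appended to `$stExecute` unescaped.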
diff --git a/net/cacti/patches/patch-lib_rrd.php b/net/cacti/patches/patch-lib_rrd.php
new file mode 100644
index 00000000000..5b2781bb6b4
--- /dev/null
+++ b/net/cacti/patches/patch-lib_rrd.php
@@ -0,0 +1,49 @@
+$NetBSD: patch-lib_rrd.php,v 1.1 2014/08/23 12:50:25 adam Exp $
+
+Fixes for:
+CVE-2014-2326 Unspecified HTML Injection Vulnerability
+CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
+CVE-2014-2708 Unspecified SQL Injection Vulnerability
+CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
+
+--- lib/rrd.php.orig 2013-08-06 22:31:18.000000000 -0400
++++ lib/rrd.php 2014-04-04 21:39:04.000000000 -0400
+@@ -865,13 +865,13 @@
+ /* basic graph options */
+ $graph_opts .=
+ "--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL .
+- "--start=$graph_start" . RRD_NL .
+- "--end=$graph_end" . RRD_NL .
++ "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL .
++ "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL .
+ "--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL .
+ "$rigid" .
+- "--base=" . $graph["base_value"] . RRD_NL .
+- "--height=$graph_height" . RRD_NL .
+- "--width=$graph_width" . RRD_NL .
++ "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL .
++ "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL .
++ "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL .
+ "$scale" .
+ "$unit_value" .
+ "$unit_exponent_value" .
+@@ -1606,8 +1606,8 @@
+
+ /* basic export options */
+ $xport_opts =
+- "--start=$xport_start" . RRD_NL .
+- "--end=$xport_end" . RRD_NL .
++ "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL .
++ "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL .
+ "--maxrows=10000" . RRD_NL;
+
+ $xport_defs = "";
+@@ -1997,7 +1997,7 @@
+ $stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0;
+ $j++;
+
+- $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
++ $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
+ }else{
+ $need_rrd_nl = FALSE;
+ }
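Review bot: In the first hunk the `--start`, `--end`, `--base`, `--height` and `--width` values now pass through `cacti_escapeshellarg()`, but the interpolated `"$rigid"`, `"$scale"`, `"$unit_value"` and `"$unit_exponent_value"` fragments on the adjacent context lines are still appended verbatim; if any of them is assembled from template or request data it needs the same treatment (or, better, integer validation at the boundary as graph_xport.php now does), though their construction is outside this hunk so this is a point to verify rather than a confirmed gap. In the third hunk the legend is colon-stripped before being appended while `$data_source_name` is only quoted; rrdtool uses `:` as the field separator in `XPORT:`, so a data source name containing a colon would still split the directive — whether such names can reach this code depends on validation elsewhere. The functions enclosing all three hunks start and end outside the diff.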