authorNatanael Copa <ncopa@alpinelinux.org>2014-07-30 08:21:50 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-08-21 07:06:13 +0000
commit4eef8e02314c0d71f0e4708db40671f93c4c41c1 (patch)
tree80db39155e2b7d662f9f0e42b140a119410908b5
parentfca2b4fd636da045a129df5f2ba806143c39148b (diff)
main/cacti: security fix for CVE-2014-5025,CVE-2014-5026
fixes #3256
-rw-r--r--main/cacti/APKBUILD6
-rw-r--r--main/cacti/CVE-2014-5025,5026.patch153
2 files changed, 157 insertions, 2 deletions
diff --git a/main/cacti/APKBUILD b/main/cacti/APKBUILD
index 3d6c18bb0d..cb0b159189 100644
--- a/main/cacti/APKBUILD
+++ b/main/cacti/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Jeff Bilyk <jbilyk@gmail.com>
pkgname=cacti
pkgver=0.8.8b
-pkgrel=1
+pkgrel=2
pkgdesc="Network monitoring tool based on RRDtool"
url="http://www.cacti.net"
arch="noarch"
@@ -10,6 +10,7 @@ depends="mysql php php-mysql php-snmp rrdtool net-snmp php-sockets php-xml php-g
makedepends=""
source="http://www.cacti.net/downloads/$pkgname-$pkgver.tar.gz
security.patch
+ CVE-2014-5025,5026.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -34,4 +35,5 @@ package() {
}
md5sums="acb40deae073ca22e5c01a8e3ba389fb cacti-0.8.8b.tar.gz
-bd18f265cca1f9713f88296f0be1ef56 security.patch"
+bd18f265cca1f9713f88296f0be1ef56 security.patch
+04770edd7e55021e10ad7d50b0ffa2e9 CVE-2014-5025,5026.patch"
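Review bot: The new `md5sums` line pins `CVE-2014-5025,5026.patch` with MD5 only, which detects accidental corruption but is not a collision-resistant integrity check for either the fetched tarball or the patch; if the abuild in use supports `sha512sums`, adding that block alongside (or in place of) `md5sums` is a cheap hardening of the build input. The patch filename introduced in the `source=` hunk contains a comma, which `source=` splitting tolerates but which is easy to mishandle in shell quoting and in other tooling; a hyphen-separated name (for example `CVE-2014-5025-5026.patch`, a constructed suggestion) would be safer to reference. Both points are minor and do not affect the fix itself.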
diff --git a/main/cacti/CVE-2014-5025,5026.patch b/main/cacti/CVE-2014-5025,5026.patch
new file mode 100644
index 0000000000..3292e6cb0f
--- /dev/null
+++ b/main/cacti/CVE-2014-5025,5026.patch
@@ -0,0 +1,153 @@
+Description: Several names/titles were not sanities which allowes a
+ privileged user to inject XSS code.
+Bugs: http://bugs.cacti.net/view.php?id=2456
+Author: Paul Gevers <elbrus@debian.org>
+
+--- a/data_sources.php
++++ b/data_sources.php
+@@ -427,7 +427,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $ds_list .= "<li>" . get_data_source_title($matches[1]) . "<br>";
++ $ds_list .= "<li>" . htmlspecialchars(get_data_source_title($matches[1])) . "<br>";
+ $ds_array[$i] = $matches[1];
+
+ $i++;
+@@ -1359,7 +1359,7 @@
+ $poller_interval = ((isset($poller_intervals[$data_source["local_data_id"]])) ? $poller_intervals[$data_source["local_data_id"]] : 0);
+
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $data_source["local_data_id"]); $i++;
+- form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("data_sources.php?action=ds_edit&id=" . $data_source["local_data_id"]) . "' title='" . $data_source["name_cache"] . "'>" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) . "</a>", $data_source["local_data_id"]);
++ form_selectable_cell("<a class='linkEditMain' href='" . htmlspecialchars("data_sources.php?action=ds_edit&id=" . $data_source["local_data_id"]) . "' title='" . htmlspecialchars($data_source["name_cache"], ENT_QUOTES) . "'>" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "<span style='background-color: #F8D93D;'>\\1</span>", title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) . "</a>", $data_source["local_data_id"]);
+ form_selectable_cell($data_source['local_data_id'], $data_source['local_data_id']);
+ form_selectable_cell($data_input_name, $data_source["local_data_id"]);
+ form_selectable_cell(get_poller_interval($poller_interval), $data_source["local_data_id"]);
+--- a/cdef.php
++++ b/cdef.php
+@@ -194,7 +194,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $cdef_list .= "<li>" . db_fetch_cell("select name from cdef where id=" . $matches[1]) . "<br>";
++ $cdef_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from cdef where id=" . $matches[1])) . "<br>";
+ $cdef_array[$i] = $matches[1];
+
+ $i++;
+--- a/tree.php
++++ b/tree.php
+@@ -354,7 +354,7 @@
+ }
+
+ include("./include/top_header.php");
+- form_confirm("Are You Sure?", $text, htmlspecialchars("tree.php?action=edit&id=" . $_GET["tree_id"]), htmlspecialchars("tree.php?action=item_remove&id=" . $_GET["id"] . "&tree_id=" . $_GET["tree_id"]));
++ form_confirm("Are You Sure?", htmlspecialchars($text, ENT_QUOTES), htmlspecialchars("tree.php?action=edit&id=" . $_GET["tree_id"]), htmlspecialchars("tree.php?action=item_remove&id=" . $_GET["id"] . "&tree_id=" . $_GET["tree_id"]));
+ include("./include/bottom_footer.php");
+ exit;
+ }
+@@ -383,7 +383,7 @@
+
+ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
+ include("./include/top_header.php");
+- form_confirm("Are You Sure?", "Are you sure you want to delete the tree <strong>'" . db_fetch_cell("select name from graph_tree where id=" . $_GET["id"]) . "'</strong>?", htmlspecialchars("tree.php"), htmlspecialchars("tree.php?action=remove&id=" . $_GET["id"]));
++ form_confirm("Are You Sure?", "Are you sure you want to delete the tree <strong>'" . htmlspecialchars(db_fetch_cell("select name from graph_tree where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>?", htmlspecialchars("tree.php"), htmlspecialchars("tree.php?action=remove&id=" . $_GET["id"]));
+ include("./include/bottom_footer.php");
+ exit;
+ }
+--- a/data_input.php
++++ b/data_input.php
+@@ -185,7 +185,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $di_list .= "<li>" . db_fetch_cell("SELECT name FROM data_input WHERE id='" . $matches[1] . "'") . "</li>";
++ $di_list .= "<li>" . htmlspecialchars(db_fetch_cell("SELECT name FROM data_input WHERE id='" . $matches[1] . "'")) . "</li>";
+ $di_array[$i] = $matches[1];
+
+ $i++;
+@@ -246,7 +246,7 @@
+
+ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
+ include("./include/top_header.php");
+- form_confirm("Are You Sure?", "Are you sure you want to delete the field <strong>'" . db_fetch_cell("select name from data_input_fields where id=" . $_GET["id"]) . "'</strong>?", htmlspecialchars("data_input.php?action=edit&id=" . $_GET["data_input_id"]), htmlspecialchars("data_input.php?action=field_remove&id=" . $_GET["id"] . "&data_input_id=" . $_GET["data_input_id"]));
++ form_confirm("Are You Sure?", "Are you sure you want to delete the field <strong>'" . htmlspecialchars(db_fetch_cell("select name from data_input_fields where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>?", htmlspecialchars("data_input.php?action=edit&id=" . $_GET["data_input_id"]), htmlspecialchars("data_input.php?action=field_remove&id=" . $_GET["id"] . "&data_input_id=" . $_GET["data_input_id"]));
+ include("./include/bottom_footer.php");
+ exit;
+ }
+--- a/graphs.php
++++ b/graphs.php
+@@ -387,7 +387,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $graph_list .= "<li>" . get_graph_title($matches[1]) . "</li>";
++ $graph_list .= "<li>" . htmlspecialchars(get_graph_title($matches[1])) . "</li>";
+ $graph_array[$i] = $matches[1];
+
+ $i++;
+--- a/host_templates.php
++++ b/host_templates.php
+@@ -156,7 +156,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $host_list .= "<li>" . db_fetch_cell("select name from host_template where id=" . $matches[1]) . "<br>";
++ $host_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from host_template where id=" . $matches[1])) . "<br>";
+ $host_array[$i] = $matches[1];
+
+ $i++;
+--- a/data_templates.php
++++ b/data_templates.php
+@@ -305,7 +305,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $ds_list .= "<li>" . db_fetch_cell("select name from data_template where id=" . $matches[1]) . "<br>";
++ $ds_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from data_template where id=" . $matches[1])) . "<br>";
+ $ds_array[$i] = $matches[1];
+
+ $i++;
+--- a/graph_templates.php
++++ b/graph_templates.php
+@@ -216,7 +216,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $graph_list .= "<li>" . db_fetch_cell("select name from graph_templates where id=" . $matches[1]) . "<br>";
++ $graph_list .= "<li>" . htmlspecialchars(db_fetch_cell("select name from graph_templates where id=" . $matches[1])) . "<br>";
+ $graph_array[$i] = $matches[1];
+
+ $i++;
+--- a/user_admin.php
++++ b/user_admin.php
+@@ -175,7 +175,7 @@
+ /* ==================================================== */
+
+ if (get_request_var_post("drp_action") != "2") {
+- $user_list .= "<li>" . db_fetch_cell("SELECT username FROM user_auth WHERE id=" . $matches[1]) . "<br>";
++ $user_list .= "<li>" . htmlspecialchars(db_fetch_cell("SELECT username FROM user_auth WHERE id=" . $matches[1])) . "<br>";
+ }
+ $user_array[$i] = $matches[1];
+
+--- a/graph_templates_inputs.php
++++ b/graph_templates_inputs.php
+@@ -134,7 +134,7 @@
+
+ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
+ include("./include/top_header.php");
+- form_confirm("Are You Sure?", "Are you sure you want to delete the input item <strong>'" . db_fetch_cell("select name from graph_template_input where id=" . $_GET["id"]) . "'</strong>? NOTE: Deleting this item will NOT affect graphs that use this template.", htmlspecialchars("graph_templates.php?action=template_edit&id=" . $_GET["graph_template_id"]), htmlspecialchars("graph_templates_inputs.php?action=input_remove&id=" . $_GET["id"] . "&graph_template_id=" . $_GET["graph_template_id"]));
++ form_confirm("Are You Sure?", "Are you sure you want to delete the input item <strong>'" . htmlspecialchars(db_fetch_cell("select name from graph_template_input where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>? NOTE: Deleting this item will NOT affect graphs that use this template.", htmlspecialchars("graph_templates.php?action=template_edit&id=" . $_GET["graph_template_id"]), htmlspecialchars("graph_templates_inputs.php?action=input_remove&id=" . $_GET["id"] . "&graph_template_id=" . $_GET["graph_template_id"]));
+ include("./include/bottom_footer.php");
+ exit;
+ }
+--- a/data_queries.php
++++ b/data_queries.php
+@@ -340,7 +340,7 @@
+
+ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
+ include("./include/top_header.php");
+- form_confirm("Are You Sure?", "Are you sure you want to delete the Data Query Graph <strong>'" . db_fetch_cell("select name from snmp_query_graph where id=" . $_GET["id"]) . "'</strong>?", htmlspecialchars("data_queries.php?action=edit&id=" . $_GET["snmp_query_id"]), htmlspecialchars("data_queries.php?action=item_remove&id=" . $_GET["id"] . "&snmp_query_id=" . $_GET["snmp_query_id"]));
++ form_confirm("Are You Sure?", "Are you sure you want to delete the Data Query Graph <strong>'" . htmlspecialchars(db_fetch_cell("select name from snmp_query_graph where id=" . $_GET["id"]), ENT_QUOTES) . "'</strong>?", htmlspecialchars("data_queries.php?action=edit&id=" . $_GET["snmp_query_id"]), htmlspecialchars("data_queries.php?action=item_remove&id=" . $_GET["id"] . "&snmp_query_id=" . $_GET["snmp_query_id"]));
+ include("./include/bottom_footer.php");
+ exit;
+ }
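Review bot: The tree.php hunk (`form_confirm("Are You Sure?", htmlspecialchars($text, ENT_QUOTES), …)`) escapes the whole `$text` message, whereas every other `form_confirm` hunk in this patch escapes only the database value and leaves its `<strong>` wrapper intact; `$text` is assembled above the hunk, outside this view, so if it carries markup of its own the confirmation page will now render that markup literally. Confirm how `$text` is built and, if it contains HTML, apply `htmlspecialchars(…, ENT_QUOTES)` to the name at the point it is concatenated rather than to the finished message. The `form_confirm` hunks also keep the pre-existing `db_fetch_cell("select name from … where id=" . $_GET["id"])` concatenation; the list hunks show an `input_validate_input_number($matches[1])` guard directly above the changed line, but the `$_GET["id"]` sites rely on validation that is not visible here, so that guard should be verified rather than assumed. The patch header's description also has typos ("sanities", "allowes") worth correcting if the file is regenerated.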