authorNatanael Copa <ncopa@alpinelinux.org>2014-07-07 07:43:37 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-07-07 07:51:47 +0000
commitf6419b1a7cbefbbe6569f989cc148e07ddd54ca8 (patch)
treee3ab3dba5a55197ba3fee4830f2e18122fe59ee1
parent309b701735b868b852f60a1d4a6cf6046a5982b9 (diff)
downloadaports-f6419b1a7cbefbbe6569f989cc148e07ddd54ca8.tar.bz2
aports-f6419b1a7cbefbbe6569f989cc148e07ddd54ca8.tar.xz
main/cacti: security fix for various CVEs
-rw-r--r--main/cacti/APKBUILD11
-rw-r--r--main/cacti/security.patch139
2 files changed, 146 insertions, 4 deletions
diff --git a/main/cacti/APKBUILD b/main/cacti/APKBUILD
index fe05a2afd6..3d6c18bb0d 100644
--- a/main/cacti/APKBUILD
+++ b/main/cacti/APKBUILD
@@ -1,14 +1,16 @@
# Maintainer: Jeff Bilyk <jbilyk@gmail.com>
pkgname=cacti
pkgver=0.8.8b
-pkgrel=0
+pkgrel=1
pkgdesc="Network monitoring tool based on RRDtool"
url="http://www.cacti.net"
arch="noarch"
license="GPL"
depends="mysql php php-mysql php-snmp rrdtool net-snmp php-sockets php-xml php-gd"
-makedepends=
-source="http://www.cacti.net/downloads/$pkgname-$pkgver.tar.gz"
+makedepends=""
+source="http://www.cacti.net/downloads/$pkgname-$pkgver.tar.gz
+ security.patch
+ "
_builddir="$srcdir"/$pkgname-$pkgver
@@ -31,4 +33,5 @@ package() {
mv "$srcdir"/$pkgname-$pkgver/* "$pkgdir"/usr/share/webapps/cacti/ || return 1
}
-md5sums="acb40deae073ca22e5c01a8e3ba389fb cacti-0.8.8b.tar.gz"
+md5sums="acb40deae073ca22e5c01a8e3ba389fb cacti-0.8.8b.tar.gz
+bd18f265cca1f9713f88296f0be1ef56 security.patch"
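Review bot: Neither APKBUILD hunk applies the new `security.patch`; only `source=` and `md5sums=` change, and the lines between the two hunks (15–30) are not shown, so whether a `prepare()` exists cannot be seen here. If the existing file has no `prepare()` that iterates over `$source` and runs `patch` on `*.patch` entries, the patch is fetched and checksummed but never applied, and the pkgrel bump ships the unfixed 0.8.8b tree. Please confirm such a function exists or add one containing `patch -p1 -i "$srcdir"/security.patch || return 1`; `-p1` is the right strip level since the paths inside security.patch carry the `cacti-0.8.8b/` prefix.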
diff --git a/main/cacti/security.patch b/main/cacti/security.patch
new file mode 100644
index 0000000000..3891da8ae7
--- /dev/null
+++ b/main/cacti/security.patch
@@ -0,0 +1,139 @@
+diff -ruBbd cacti-0.8.8b/cdef.php cacti-0.8.8b.patched/cdef.php
+--- cacti-0.8.8b/cdef.php 2013-08-06 22:31:19.000000000 -0400
++++ cacti-0.8.8b.patched/cdef.php 2014-04-04 21:39:04.000000000 -0400
+@@ -431,7 +431,7 @@
+ <a class="linkEditMain" href="<?php print htmlspecialchars("cdef.php?action=item_edit&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>">Item #<?php print htmlspecialchars($i);?></a>
+ </td>
+ <td>
+- <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print get_cdef_item_name($cdef_item["id"]);?></strong>
++ <em><?php $cdef_item_type = $cdef_item["type"]; print $cdef_item_types[$cdef_item_type];?></em>: <strong><?php print htmlspecialchars(get_cdef_item_name($cdef_item["id"]));?></strong>
+ </td>
+ <td>
+ <a href="<?php print htmlspecialchars("cdef.php?action=item_movedown&id=" . $cdef_item["id"] . "&cdef_id=" . $cdef["id"]);?>"><img src="images/move_down.gif" border="0" alt="Move Down"></a>
+diff -ruBbd cacti-0.8.8b/graph_xport.php cacti-0.8.8b.patched/graph_xport.php
+--- cacti-0.8.8b/graph_xport.php 2013-08-06 22:31:19.000000000 -0400
++++ cacti-0.8.8b.patched/graph_xport.php 2014-04-04 21:39:04.000000000 -0400
+@@ -47,43 +47,48 @@
+
+ $graph_data_array = array();
+
++/* ================= input validation ================= */
++input_validate_input_number(get_request_var("local_graph_id"));
++input_validate_input_number(get_request_var("rra_id"));
++/* ==================================================== */
++
+ /* override: graph start time (unix time) */
+-if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
+- $graph_data_array["graph_start"] = $_GET["graph_start"];
++if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
++ $graph_data_array["graph_start"] = get_request_var("graph_start");
+ }
+
+ /* override: graph end time (unix time) */
+-if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+- $graph_data_array["graph_end"] = $_GET["graph_end"];
++if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
++ $graph_data_array["graph_end"] = get_request_var("graph_end");
+ }
+
+ /* override: graph height (in pixels) */
+-if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+- $graph_data_array["graph_height"] = $_GET["graph_height"];
++if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
++ $graph_data_array["graph_height"] = get_request_var("graph_height");
+ }
+
+ /* override: graph width (in pixels) */
+-if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+- $graph_data_array["graph_width"] = $_GET["graph_width"];
++if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
++ $graph_data_array["graph_width"] = get_request_var("graph_width");
+ }
+
+ /* override: skip drawing the legend? */
+ if (!empty($_GET["graph_nolegend"])) {
+- $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
++ $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
+ }
+
+ /* print RRDTool graph source? */
+ if (!empty($_GET["show_source"])) {
+- $graph_data_array["print_source"] = $_GET["show_source"];
++ $graph_data_array["print_source"] = get_request_var("show_source");
+ }
+
+-$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
++$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
+
+ /* for bandwidth, NThPercentile */
+ $xport_meta = array();
+
+ /* Get graph export */
+-$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
++$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
+
+ /* Make graph title the suggested file name */
+ if (is_array($xport_array["meta"])) {
+diff -ruBbd cacti-0.8.8b/lib/graph_export.php cacti-0.8.8b.patched/lib/graph_export.php
+--- cacti-0.8.8b/lib/graph_export.php 2013-08-06 22:31:19.000000000 -0400
++++ cacti-0.8.8b.patched/lib/graph_export.php 2014-04-04 21:39:05.000000000 -0400
+@@ -339,7 +339,7 @@
+ chdir($stExportDir);
+
+ /* set the initial command structure */
+- $stExecute = 'ncftpput -R -V -r 1 -u '.$aFtpExport['username'].' -p '.$aFtpExport['password'];
++ $stExecute = 'ncftpput -R -V -r 1 -u ' . cacti_escapeshellarg($aFtpExport['username']) . ' -p ' . cacti_escapeshellarg($aFtpExport['password']);
+
+ /* if the user requested passive mode, use it */
+ if ($aFtpExport['passive']) {
+@@ -347,7 +347,7 @@
+ }
+
+ /* setup the port, server, remote directory and all files */
+- $stExecute .= ' -P ' . $aFtpExport['port'] . ' ' . $aFtpExport['server'] . ' ' . $aFtpExport['remotedir'] . ".";
++ $stExecute .= ' -P ' . cacti_escapeshellarg($aFtpExport['port']) . ' ' . cacti_escapeshellarg($aFtpExport['server']) . ' ' . cacti_escapeshellarg($aFtpExport['remotedir']) . ".";
+
+ /* run the command */
+ $iExecuteReturns = 0;
+diff -ruBbd cacti-0.8.8b/lib/rrd.php cacti-0.8.8b.patched/lib/rrd.php
+--- cacti-0.8.8b/lib/rrd.php 2013-08-06 22:31:18.000000000 -0400
++++ cacti-0.8.8b.patched/lib/rrd.php 2014-04-04 21:39:04.000000000 -0400
+@@ -865,13 +865,13 @@
+ /* basic graph options */
+ $graph_opts .=
+ "--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL .
+- "--start=$graph_start" . RRD_NL .
+- "--end=$graph_end" . RRD_NL .
++ "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL .
++ "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL .
+ "--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL .
+ "$rigid" .
+- "--base=" . $graph["base_value"] . RRD_NL .
+- "--height=$graph_height" . RRD_NL .
+- "--width=$graph_width" . RRD_NL .
++ "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL .
++ "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL .
++ "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL .
+ "$scale" .
+ "$unit_value" .
+ "$unit_exponent_value" .
+@@ -1606,8 +1606,8 @@
+
+ /* basic export options */
+ $xport_opts =
+- "--start=$xport_start" . RRD_NL .
+- "--end=$xport_end" . RRD_NL .
++ "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL .
++ "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL .
+ "--maxrows=10000" . RRD_NL;
+
+ $xport_defs = "";
+@@ -1997,7 +1997,7 @@
+ $stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0;
+ $j++;
+
+- $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
++ $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
+ }else{
+ $need_rrd_nl = FALSE;
+ }
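Review bot: In the graph_xport.php hunk the new `graph_start` check closes the `is_numeric(` call after the whole `&&` expression, so `is_numeric()` receives a boolean and always returns false; the `graph_start` override is therefore silently never applied, unlike the `graph_end`, `graph_height` and `graph_width` lines below it. This fails closed rather than open, but it is a functional regression; the line should read `if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {`. The `db_fetch_row` query on `local_graph_id` is still built by string concatenation and is only safe if `input_validate_input_number()` near the top of the hunk rejects non-numeric values, as its name suggests; a comment such as `/* safe: local_graph_id validated as numeric above */` on that line would keep a later refactor from reintroducing injection. The `rrdtool_function_xport()` call also still reads `$_GET["local_graph_id"]` directly while every other read in the hunk was switched to `get_request_var()`, which is inconsistent even though the value has been validated.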