Comment 1 Jason Unovitch 2015-07-19 23:50:22 UTC

Created attachment 158992 [details]
security/vuxml for < cacti-0.8.8e

Log:

Document Cacti Multiple XSS and SQL injection vulnerabilities

PR:		201702
Security:	CVE-2015-4634
Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5

Validation:

> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8d
cacti-0.8.8d is vulnerable:
cacti -- Multiple XSS and SQL injection vulnerabilities
CVE: CVE-2015-4634
WWW: https://vuxml.FreeBSD.org/freebsd/0bfda05f-2e6f-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8e
0 problem(s) in the installed packages found.

Comment 2 Jason Unovitch 2015-07-19 23:51:31 UTC

Note:
Per http://seclists.org/oss-sec/2015/q3/150 it appears additional CVE's were requested for the individual SQL injection vulnerabilities.  The entry may have to be revised pending the assignment.

Comment 3 Jason Unovitch 2015-07-20 00:15:01 UTC

Created attachment 158993 [details]
security/vuxml for < cacti-0.8.8e

** fix formatting error **

Log:

Document Cacti Multiple XSS and SQL injection vulnerabilities

PR:		201702
Security:	CVE-2015-4634
Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5

Created attachment 158998 [details]
Update to 0.8.8e

Patch to update to 0.8.8e to resolve security issues (and a few other bugs)

Poudriere testport logs available at:

http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8e/

(9+10 i386+amd64)

I've included a patch to upgrade to 0.8.8e and set the merge-quarterly request flag as it's a security related patch.

Created attachment 159015 [details]
Update to 0.8.8f (security + bugfix release)

This updates to 0.8.8f which fixes security issues and a few bugs (including some introduced in 0.8.8e whilst trying to fix it!)

Poudriere testport logs for cacti 0.8.8f:

http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8f/

Comment 8 commit-hook 2015-07-20 14:35:50 UTC

A commit references this bug:

Author: feld
Date: Mon Jul 20 14:35:40 UTC 2015
New revision: 392572
URL: https://svnweb.freebsd.org/changeset/ports/392572

Log:
  Document Cacti Multiple XSS and SQL injection vulnerabilities

  PR:		201702
  Security:	CVE-2015-4634
  Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5

Changes:
  head/security/vuxml/vuln.xml

Comment 9 commit-hook 2015-07-20 14:45:54 UTC

A commit references this bug:

Author: feld
Date: Mon Jul 20 14:45:46 UTC 2015
New revision: 392573
URL: https://svnweb.freebsd.org/changeset/ports/392573

Log:
  Update to 0.8.8f to resolve security and bug issues

  PR:		201702
  Security:	CVE-2015-4634
  Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist

Comment 10 commit-hook 2015-07-20 14:47:56 UTC

A commit references this bug:

Author: feld
Date: Mon Jul 20 14:47:40 UTC 2015
New revision: 392574
URL: https://svnweb.freebsd.org/changeset/ports/392574

Log:
  MFH: r392573

  Update to 0.8.8f to resolve security and bug issues

  PR:		201702
  Security:	CVE-2015-4634
  Security:	0bfda05f-2e6f-11e5-a4a5-002590263bf5
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/net-mgmt/cacti/Makefile
  branches/2015Q3/net-mgmt/cacti/distinfo
  branches/2015Q3/net-mgmt/cacti/pkg-plist

Comment 11 Mark Felder 2015-07-20 14:48:35 UTC

committed, thanks!

Comment 12 Jason Unovitch 2015-07-21 23:56:20 UTC

Created attachment 159053 [details]
cacti-0.8.8f_1.patch

https://forums.freebsd.org/threads/problem-with-cacti-upgrading.52458/

Dan,
The thread above was reported in the forums.  Apparently there is a typo in the migration code in 0.8.8f and this is causing issues when starting the service after an update.  Obviously that file doesn't exist.

install/index.php 
@@ -468,7 +468,7 @@ if ($step == "4") {
                        include ("0_8_8d_to_0_8_8e.php");
                        upgrade_to_0_8_8e();
                }elseif ($cacti_versions[$i] == "0.8.8f") {
-                       include ("0_8_8f_to_0_8_8f.php");
+                       include ("0_8_8e_to_0_8_8f.php");
                        upgrade_to_0_8_8f();
                }
        }

Mark,
Can we get this applied and MFH'd?

Upstream Bug Reference:
http://bugs.cacti.net/view.php?id=2605

Comment 13 Jason Unovitch 2015-07-22 00:06:15 UTC

Reset to open based on runtime issues with 0.8.8f caused by a typo introduced upstream.

Comment 14 Jason Unovitch 2015-07-22 00:19:21 UTC

Created attachment 159054 [details]
cacti-0.8.8f_1.patch

Disregard initial patch. The comment in the forum thread about fetching the file and not finding the bad code made me look a little closer. The SHA256 doesn't match ports anymore but the fact that I had the distfile and the fact that one of the fallback mirrors had the bad distfile hid this.
 
According to http://www.cacti.net/downloads/
cacti-0.8.8f.tar.gz	20-Jul-2015 09:43 	2.5M

It looks like this was caught and fixed after the 19 July release and they re-rolled the distfile.  I see 2ea92407c11bf13302558a5bc9e1f3a57bd14a1d9ded48c505ec495762f76738 as the hash.  Patch attached fixes the issue by updating to the new 0.8.8f distfile and bumping PORTREVISION.

Comment 15 Jason Unovitch 2015-07-22 00:52:56 UTC

Tagging depends on bug 201747. Dan it appears you caught the issue and have the same exact patch in that bug.  Both can be closed when this is applied.  Sorry for the excess noise.

Comment 16 commit-hook 2015-07-22 02:52:33 UTC

A commit references this bug:

Author: feld
Date: Wed Jul 22 02:51:51 UTC 2015
New revision: 392656
URL: https://svnweb.freebsd.org/changeset/ports/392656

Log:
  Upstream re-rolled distfile.
  Bump PORTREVISION to address it.

  PR:		201702
  MFH:		2015Q3

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo

Comment 17 commit-hook 2015-07-22 02:53:35 UTC

A commit references this bug:

Author: feld
Date: Wed Jul 22 02:52:48 UTC 2015
New revision: 392657
URL: https://svnweb.freebsd.org/changeset/ports/392657

Log:
  MFH: r392656

  Upstream re-rolled distfile.
  Bump PORTREVISION to address it.

  PR:		201702
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/net-mgmt/cacti/Makefile
  branches/2015Q3/net-mgmt/cacti/distinfo

Comment 18 Mark Felder 2015-07-22 02:54:06 UTC

I'll try to contact upstream to address this issue and hopefully prevent it from happening again in the future.

Thanks for your patience and for reporting this so quickly. My apologies for the delay.

Comment 19 Kubilay Kocak 2015-07-22 06:43:48 UTC

Classify post-resolution