rpms/cacti/FC-3 dec06-vulnerability-poller-0.8.6i.patch, NONE, 1.1 dec06-vulnerability-scripts-0.8.6i.patch, NONE, 1.1 import_template_argument_space_removal.patch, NONE, 1.1 poller_output_remainder.patch, NONE, 1.1 cacti.spec, 1.6, 1.7

Michael Patrick McGrath (mmcgrath) fedora-extras-commits at redhat.com
Fri Jan 12 16:31:51 UTC 2007


Author: mmcgrath

Update of /cvs/extras/rpms/cacti/FC-3
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11029/FC-3

Modified Files:
	cacti.spec 
Added Files:
	dec06-vulnerability-poller-0.8.6i.patch 
	dec06-vulnerability-scripts-0.8.6i.patch 
	import_template_argument_space_removal.patch 
	poller_output_remainder.patch 
Log Message:
Added patches and a new spec file relating to bug 222410

dec06-vulnerability-poller-0.8.6i.patch:

--- NEW FILE dec06-vulnerability-poller-0.8.6i.patch ---
diff -ruBbd cacti-0.8.6i/cmd.php cacti-0.8.6i-patch/cmd.php
--- cacti-0.8.6i/cmd.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/cmd.php	2007-01-01 12:27:15.328125000 -0500
@@ -26,7 +26,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
 	die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 
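Review bot: The guard on line 33 is pasted verbatim into seven more files in this patch (copy_cacti_user.php, poller.php, poller_commands.php, poller_export.php, poller_reindex_hosts.php, rebuild_poller_cache.php, script_server.php) and into all seven scripts in dec06-vulnerability-scripts, and every copy carries the stray double space before the last `||`; because this is the line each CLI entry point depends on, the copies should be byte-identical so a later correction can be applied uniformly, i.e. `if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {`. The copies in copy_cacti_user.php and in the scripts patch also indent the `die()` with three spaces while the surrounding files use tabs. The condition's intent is not self-evident, since argv alone is presumably what the old check relied on; a comment such as `/* argv is not conclusive on its own (CGI SAPIs can populate it), so also refuse anything that looks like an HTTP request */` would help the next reader, assuming that is the reasoning behind the two extra tests.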
@@ -70,6 +71,10 @@
 	$print_data_to_stdout = false;
 	if ($_SERVER["argc"] == "3") {
 		if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
+			/* address potential exploits */
+			input_validate_input_number($_SERVER["argv"][1]);
+			input_validate_input_number($_SERVER["argv"][2]);
+
 			$hosts = db_fetch_assoc("select * from host where (disabled = '' and " .
 					"id >= " .
 					$_SERVER["argv"][1] .
diff -ruBbd cacti-0.8.6i/copy_cacti_user.php cacti-0.8.6i-patch/copy_cacti_user.php
--- cacti-0.8.6i/copy_cacti_user.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/copy_cacti_user.php	2007-01-01 12:27:15.312500000 -0500
@@ -25,9 +25,10 @@
 */
 
 /* do NOT run this script through a web browser */
-if (! isset($_SERVER["argv"][0])) {
-	die("This script is only meant to run at the command line.\n");
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
+
 if (empty($_SERVER["argv"][2])) {
 	die("\nSyntax:\n php copy_cacti_user.php <template user> <new user>\n\n");
 }
diff -ruBbd cacti-0.8.6i/include/html/inc_timespan_settings.php cacti-0.8.6i-patch/include/html/inc_timespan_settings.php
--- cacti-0.8.6i/include/html/inc_timespan_settings.php	2006-10-09 00:05:58.000000000 -0400
+++ cacti-0.8.6i-patch/include/html/inc_timespan_settings.php	2007-01-02 11:55:45.953125000 -0500
@@ -24,6 +24,20 @@
  +-------------------------------------------------------------------------+
 */
 
+/* ================= input validation ================= */
+input_validate_input_number(get_request_var_request("predefined_timespan"));
+/* ==================================================== */
+
+/* clean up date1 string */
+if (isset($_REQUEST["date1"])) {
+	$_REQUEST["date1"] = sanitize_search_string(get_request_var("date1"));
+}
+
+/* clean up date2 string */
+if (isset($_REQUEST["date2"])) {
+	$_REQUEST["date2"] = sanitize_search_string(get_request_var("date2"));
+}
+
 /* initialize the timespan array */
 $timespan = array();
 
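Review bot: Lines 77 and 82 guard on `$_REQUEST["date1"]`/`$_REQUEST["date2"]` but read the value back through `get_request_var()`, whereas line 72 uses `get_request_var_request()` for the same request array; if `get_request_var()` consults only `$_GET` (as the separate `_request` variant suggests), a date submitted by POST would be overwritten with a sanitized empty string instead of being sanitized in place. Reading through the same accessor as the guard keeps the two consistent: `$_REQUEST["date1"] = sanitize_search_string(get_request_var_request("date1"));` and likewise for `date2` on line 82. Neither helper is defined in this hunk, so the lookup order should be confirmed against their definitions before changing it.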
diff -ruBbd cacti-0.8.6i/poller.php cacti-0.8.6i-patch/poller.php
--- cacti-0.8.6i/poller.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller.php	2007-01-01 12:27:15.328125000 -0500
@@ -26,7 +26,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
 	die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 
diff -ruBbd cacti-0.8.6i/poller_commands.php cacti-0.8.6i-patch/poller_commands.php
--- cacti-0.8.6i/poller_commands.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller_commands.php	2007-01-01 12:27:15.328125000 -0500
@@ -27,7 +27,7 @@
 define("MAX_RECACHE_RUNTIME", 296);
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
 	die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 
diff -ruBbd cacti-0.8.6i/poller_export.php cacti-0.8.6i-patch/poller_export.php
--- cacti-0.8.6i/poller_export.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller_export.php	2007-01-01 12:27:15.328125000 -0500
@@ -25,7 +25,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
 	die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 
diff -ruBbd cacti-0.8.6i/poller_reindex_hosts.php cacti-0.8.6i-patch/poller_reindex_hosts.php
--- cacti-0.8.6i/poller_reindex_hosts.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/poller_reindex_hosts.php	2007-01-01 12:27:15.328125000 -0500
@@ -25,7 +25,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
 	die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 
diff -ruBbd cacti-0.8.6i/rebuild_poller_cache.php cacti-0.8.6i-patch/rebuild_poller_cache.php
--- cacti-0.8.6i/rebuild_poller_cache.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/rebuild_poller_cache.php	2007-01-01 12:27:15.312500000 -0500
@@ -25,7 +25,7 @@
 */
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
 	die("<br><strong>This script is only meant to run at the command line.</strong>");
 }
 
diff -ruBbd cacti-0.8.6i/script_server.php cacti-0.8.6i-patch/script_server.php
--- cacti-0.8.6i/script_server.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/script_server.php	2007-01-01 12:27:15.312500000 -0500
@@ -26,9 +26,8 @@
 $no_http_headers = true;
 
 /* do NOT run this script through a web browser */
-if (!isset($_SERVER["argv"][0])) {
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
 	die("<br><strong>This script is only meant to run at the command line.</strong>");
-	exit(-1);
 }
 
 /* define STDOUT/STDIN file descriptors if not running under CLI */

dec06-vulnerability-scripts-0.8.6i.patch:

--- NEW FILE dec06-vulnerability-scripts-0.8.6i.patch ---
diff -ruBbd cacti-0.8.6i/scripts/query_host_cpu.php cacti-0.8.6i-patch/scripts/query_host_cpu.php
--- cacti-0.8.6i/scripts/query_host_cpu.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/scripts/query_host_cpu.php	2007-01-01 12:50:55.781250000 -0500
@@ -1,6 +1,12 @@
 <?php
 
+/* do NOT run this script through a web browser */
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
+}
+
 $no_http_headers = true;
+
 include(dirname(__FILE__) . "/../include/config.php");
 include(dirname(__FILE__) . "/../lib/snmp.php");
 
diff -ruBbd cacti-0.8.6i/scripts/query_host_partitions.php cacti-0.8.6i-patch/scripts/query_host_partitions.php
--- cacti-0.8.6i/scripts/query_host_partitions.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/scripts/query_host_partitions.php	2007-01-01 12:50:55.781250000 -0500
@@ -1,6 +1,12 @@
 <?php
 
+/* do NOT run this script through a web browser */
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
+}
+
 $no_http_headers = true;
+
 include(dirname(__FILE__) . "/../include/config.php");
 include(dirname(__FILE__) . "/../lib/snmp.php");
 
diff -ruBbd cacti-0.8.6i/scripts/sql.php cacti-0.8.6i-patch/scripts/sql.php
--- cacti-0.8.6i/scripts/sql.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/scripts/sql.php	2007-01-01 12:50:55.781250000 -0500
@@ -1,6 +1,12 @@
 <?
 
+/* do NOT run this script through a web browser */
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
+}
+
 $no_http_headers = true;
+
 include(dirname(__FILE__) . "/../include/config.php");
 
 if ($database_password == "") {
diff -ruBbd cacti-0.8.6i/scripts/ss_fping.php cacti-0.8.6i-patch/scripts/ss_fping.php
--- cacti-0.8.6i/scripts/ss_fping.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/scripts/ss_fping.php	2007-01-01 12:50:55.796875000 -0500
@@ -1,7 +1,11 @@
 <?php
 #!/usr/bin/php -q
 
-//STANDARD SCRIPT SERVER HEADER!!!
+/* do NOT run this script through a web browser */
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
+}
+
 $no_http_headers = true;
 
 /* display No errors */
diff -ruBbd cacti-0.8.6i/scripts/ss_host_cpu.php cacti-0.8.6i-patch/scripts/ss_host_cpu.php
--- cacti-0.8.6i/scripts/ss_host_cpu.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/scripts/ss_host_cpu.php	2007-01-01 12:50:55.796875000 -0500
@@ -1,4 +1,10 @@
 <?php
+
+/* do NOT run this script through a web browser */
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
+}
+
 $no_http_headers = true;
 
 /* display No errors */
diff -ruBbd cacti-0.8.6i/scripts/ss_host_disk.php cacti-0.8.6i-patch/scripts/ss_host_disk.php
--- cacti-0.8.6i/scripts/ss_host_disk.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/scripts/ss_host_disk.php	2007-01-01 12:50:55.796875000 -0500
@@ -1,4 +1,10 @@
 <?php
+
+/* do NOT run this script through a web browser */
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
+}
+
 $no_http_headers = true;
 
 /* display No errors */
diff -ruBbd cacti-0.8.6i/scripts/ss_sql.php cacti-0.8.6i-patch/scripts/ss_sql.php
--- cacti-0.8.6i/scripts/ss_sql.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/scripts/ss_sql.php	2007-01-01 12:50:55.781250000 -0500
@@ -1,5 +1,10 @@
 <?php
 
+/* do NOT run this script through a web browser */
+if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD'])  || isset($_SERVER['REMOTE_ADDR'])) {
+   die("<br><strong>This script is only meant to run at the command line.</strong>");
+}
+
 $no_http_headers = true;
 
 /* display ALL errors */

import_template_argument_space_removal.patch:

--- NEW FILE import_template_argument_space_removal.patch ---
--- cacti-0.8.6i/lib/import.php	2006-10-09 00:06:00.000000000 -0400
+++ cacti-0.8.6i-patch/lib/import.php	2007-01-02 08:17:09.593750000 -0500
@@ -687,6 +687,11 @@
 	while (list($field_name, $field_array) = each($fields_data_input_edit)) {
 		/* make sure this field exists in the xml array first */
 		if (isset($xml_array[$field_name])) {
+			/* fix issue with data input method importing and white spaces */
+			if ($field_name == "input_string") {
+				$xml_array[$field_name] = str_replace("><", "> <", $xml_array[$field_name]);
+			}
+
 			$save[$field_name] = addslashes(xml_character_decode($xml_array[$field_name]));
 		}
 	}
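Review bot: The comment on line 282 names the symptom ("white spaces") but not what the replacement compensates for, and `str_replace("><", "> <", ...)` on line 284 rewrites every `><` in `input_string`, not only those between argument placeholders. A comment stating the intent makes the rule reviewable, e.g. `/* exported templates lose the space between adjacent <placeholder> tokens in input_string; restore it so the arguments stay separated */`, assuming that is the cause, which the patch name suggests but the hunk does not show. Note also that the replacement runs before `xml_character_decode()` on line 287, so it only matches a literal `><` in the raw XML value and not an entity-encoded one; worth confirming against how templates are exported. The enclosing function starts outside this hunk.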

poller_output_remainder.patch:

--- NEW FILE poller_output_remainder.patch ---
diff -ruBbd cacti-0.8.6i/lib/poller.php cacti-0.8.6i-patched/lib/poller.php
--- cacti-0.8.6i/lib/poller.php	2006-10-08 23:06:01.000000000 -0400
+++ cacti-0.8.6i-patched/lib/poller.php	2006-11-21 23:41:02.000000000 -0500
@@ -213,7 +213,7 @@
 /* process_poller_output - grabs data from the 'poller_output' table and feeds the *completed*
      results to RRDTool for processing
    @arg $rrdtool_pipe - the array of pipes containing the file descriptor for rrdtool */
-function process_poller_output($rrdtool_pipe) {
+function process_poller_output($rrdtool_pipe, $remainder = FALSE) {
 	global $config;
 
 	include_once($config["library_path"] . "/rrd.php");
@@ -221,6 +221,12 @@
 	/* let's count the number of rrd files we processed */
 	$rrds_processed = 0;
 
+	if ($remainder) {
+		$limit = "";
+	}else{
+		$limit = "LIMIT 10000";
+	}
+
 	/* create/update the rrd files */
 	$results = db_fetch_assoc("select
 		poller_output.output,
@@ -231,7 +237,7 @@
 		poller_item.rrd_num
 		from (poller_output,poller_item)
 		where (poller_output.local_data_id=poller_item.local_data_id and poller_output.rrd_name=poller_item.rrd_name)
-		limit 10000");
+		$limit");
 
 	if (sizeof($results) > 0) {
 		/* create an array keyed off of each .rrd file */
diff -ruBbd cacti-0.8.6i/poller.php cacti-0.8.6i-patched/poller.php
--- cacti-0.8.6i/poller.php	2006-10-08 23:06:01.000000000 -0400
+++ cacti-0.8.6i-patched/poller.php	2006-11-12 11:49:05.000000000 -0500
@@ -166,7 +166,7 @@
 		$polling_items = db_fetch_assoc("select poller_id,end_time from poller_time where poller_id = 0");
 
 		if (sizeof($polling_items) == $process_file_number) {
-			$rrds_processed = $rrds_processed + process_poller_output($rrdtool_pipe);
+			$rrds_processed = $rrds_processed + process_poller_output($rrdtool_pipe, TRUE);
 
 			/* take time and log performance data */
 			list($micro,$seconds) = split(" ", microtime());


Index: cacti.spec
===================================================================
RCS file: /cvs/extras/rpms/cacti/FC-3/cacti.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- cacti.spec	9 Nov 2006 22:55:59 -0000	1.6
+++ cacti.spec	12 Jan 2007 16:31:21 -0000	1.7
@@ -1,6 +1,6 @@
 Name: cacti
 Version: 0.8.6i
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: An rrd based graphing tool
 
 Group: Applications/System
@@ -12,6 +12,10 @@
 Source3: cacti.README.Fedora
 
 Patch1: cacti-0.8.6h-dbcfg.patch
+Patch2: http://www.cacti.net/downloads/patches/0.8.6i/import_template_argument_space_removal.patch
+Patch3: http://www.cacti.net/downloads/patches/0.8.6i/dec06-vulnerability-scripts-0.8.6i.patch
+Patch4: http://www.cacti.net/downloads/patches/0.8.6i/dec06-vulnerability-poller-0.8.6i.patch
+Patch5: http://www.cacti.net/downloads/patches/0.8.6i/poller_output_remainder.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -32,6 +36,10 @@
 %prep
 %setup -q
 %patch1 -p0
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 echo "#*/5 * * * *	cacti	%{_bindir}/php %{_datadir}/%{name}/poller.php > /dev/null 2>&1" >cacti.cron
 
@@ -103,6 +111,10 @@
 %attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib
 
 %changelog
+* Fri Jan 12 2007 Mike McGrath <imlinux at gmail.com> - 0.8.6i-5
+- Added 4 upstream patches
+- Fix for BZ 222410
+
 * Thu Nov 09 2006 Mike McGrath <imlinux at gmail.com> - 0.8.6i-4
 - Patch now includes <?php BG# 214914
 



