Bug 13930

Summary: cacti new security issues CVE-2014-502[567], CVE-2014-5261, and CVE-2014-5262
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/609034/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: cacti-0.8.8b-3.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-08-18 19:43:25 CEST 
CVEs were assigned for two security issues fixed upstream in cacti:
http://openwall.com/lists/oss-security/2014/08/16/5

The upstream commit to fix them is linked in that message.

The correct RedHat bug link is actually:
https://bugzilla.redhat.com/show_bug.cgi?id=1129762

I would imagine Fedora will be fixing this soon.

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-18 19:43:35 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-08-20 19:44:32 CEST 
Debian has issued an advisory for this today (August 20):
https://www.debian.org/security/2014/dsa-3007

This also fixes three other new CVEs.

URL: (none) => http://lwn.net/Vulnerabilities/609034/
Summary: cacti new security issues CVE-2014-5261 and CVE-2014-5262 => cacti new security issues CVE-2014-502[567], CVE-2014-5261, and CVE-2014-5262

Comment 2 David Walser 2014-10-04 00:07:19 CEST 
Here's the RedHat bug links for these issues:
https://bugzilla.redhat.com/show_bug.cgi?id=1121466
https://bugzilla.redhat.com/show_bug.cgi?id=1129762

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Multiple security issues (cross-site scripting, missing input sanitising and
SQL injection) have been discovered in Cacti, a web interface for graphing of
monitoring systems (CVE-2014-5025, CVE-2014-5026, CVE-2014-5261,
CVE-2014-5262).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5262
https://www.debian.org/security/2014/dsa-3007
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8b-3.2.mga4

from cacti-0.8.8b-3.2.mga4.src.rpm

Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 3 claire robinson 2014-10-06 10:04:16 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13626#c4

Whiteboard: (none) => has_procedure

Comment 4 claire robinson 2014-10-06 17:24:14 CEST 
Testing complete mga4 64

Largely following the procedure. Cacti doesn't seem to allow a socket connection to mysql so edited /etc/my.cnf and commented 'skip-networking' by adding a # in front and then restarted mysqld service.

Used phpmyadmin to create mysql user/password & database cacti.

Imported the database.

# mysql -p cacti < /usr/share/cacti/sql/cacti.sql

Edited /usr/share/cacti/include/config.php to add the database details. Defaults to database cacti, user cactiuser, password cactiuser.

Opened http://localhost/cacti in a browser and clicked through the installation steps. then logged in as admin/admin and changed the default password as it forces you to do. Clicked the Graphs tab abd set the Custom drop down to Last half hour to view the graphs. It took a few mins (possibly 5) before they showed data when refreshed.

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 5 claire robinson 2014-10-06 17:26:23 CEST 
Actually, the file to edit is not /usr/share/cacti/include/config.php but /etc/cacti.conf
Comment 6 olivier charles 2014-10-06 23:31:25 CEST 
Tried to test on Mageia4-32 following procedure in comment 3 and 4.

Managed to log in cacti (http://localhost/cacti), change password and complete configuration.

Never had a graph showing afterwards even after waiting several minutes. I guess I didn't manage to configure devices and/or graphs correctly

CC: (none) => olchal

Comment 7 claire robinson 2014-10-06 23:54:50 CEST 
it seems to poll every 5 minutes Olivie so leave it for a while and refresh the graphs. You can set the time span to 30 minutes too.
Comment 8 olivier charles 2014-10-07 17:32:35 CEST 
Left it for a long while (1 hour) and nothing showed.

Retraced the whole procedure and still didn't manage.

I don't know if it's related but in procedure shown here :
http://www.cacti.net/downloads/docs/html/unix_configure_cacti.html


 chown -R cactiuser rra/ log/ 

returned that I don't have any log/ directory.

I also tried to run snmpd.service after tweaking it but to no effect.

Sorry that one is too hard for me.
Comment 9 claire robinson 2014-10-09 14:08:20 CEST 
Testing complete mga4 32

Altered the polling and cron intervals in the console tab settings page. Used 'Clear' on the graphs page and refreshed it and the graphs showed. It seems a bit temperamental, I don't think you did anything wrong Olivier.

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 10 claire robinson 2014-10-09 15:46:47 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2014-10-09 16:06:45 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0403.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED