
Debian Bug report logs - #561339
CVE-2009-4112: arbitrary command execution


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Wed, 16 Dec 2009 11:42:02 UTC

Severity: normal

Tags: confirmed, security

Fixed in version cacti/1.2.0~beta2+ds1-1

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sean Finney <seanius@debian.org>:
Bug#561339; Package cacti. (Wed, 16 Dec 2009 11:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sean Finney <seanius@debian.org>. (Wed, 16 Dec 2009 11:42:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-4112: arbitrary command execution
Date: Wed, 16 Dec 2009 12:40:03 +0100
Package: cacti
Severity: grave
Tags: security

Hi Sean

the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.

CVE-2009-4112[0]:
| Cacti 0.8.7e and earlier allows remote authenticated administrators to
| gain privileges by modifying the "Data Input Method" for the "Linux -
| Get Memory Usage" setting to contain arbitrary commands.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

As discussed with upstream, please make sure that there is a whitelist
policy in place for squeeze.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112
    http://security-tracker.debian.org/tracker/CVE-2009-4112
Severity set to 'important' from 'grave' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 28 Dec 2009 13:48:06 GMT) (full text, mbox, link).


Added tag(s) patch. Request was from Patrick Schoenfeld <schoenfeld@debian.org> to control@bugs.debian.org. (Thu, 07 Jan 2010 12:51:07 GMT) (full text, mbox, link).


Removed tag(s) patch. Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Sun, 24 Jan 2010 18:36:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#561339; Package cacti. (Sun, 25 Jul 2010 17:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Sun, 25 Jul 2010 17:36:03 GMT) (full text, mbox, link).


Message #16 received at 561339@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 561339@bugs.debian.org
Cc: control@bugs.debian.org
Subject: downgrading
Date: Sun, 25 Jul 2010 19:36:29 +0200
severity 561339 normal
thanks

Hi Sean and Steffen,
I am downgrading this bug due to the nature of this problem.
While it is true that you can get e.g. a shell on a system because
of this issue I see no privilege escalation here, no existing
restrictions are bypassed in any way. The admin is expected to be
able to define such Data Input Methods.

While I agree that it may make sense to fix this with a whitelist approach I 
don't see this as a grave issue because a) it's limited to authenticated
*admins* and b) is not bypassing any restrictions in place. This issue
basically exists with every kind of software that allows an administrator
to specify certain commands in order to get some desired values.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Severity set to 'normal' from 'important' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 17:36:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#561339; Package cacti. (Tue, 03 Aug 2010 17:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Tue, 03 Aug 2010 17:09:04 GMT) (full text, mbox, link).


Message #23 received at 561339@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Nico Golde <nion@debian.org>, 561339@bugs.debian.org
Subject: Re: Bug#561339: downgrading
Date: Tue, 3 Aug 2010 19:07:18 +0200
hi nico,

On Sun, Jul 25, 2010 at 07:36:29PM +0200, Nico Golde wrote:
> severity 561339 normal

for the record i completely agree with your rationale, this kinda
explains my lack of action on the report :)


	sean
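An added illustration (not Cacti's own code and not part of this bug log) of the whitelist policy Steffen and Nico discuss above: the exact command text of each reviewed data input method is digested out of band, and any method whose command no longer matches an approved digest is flagged before it would be run. The method names, command strings and approved list below are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample: data input methods as an administrator might define them.
# Keys are method names, values are the command line the poller would execute.
# The third entry is a copy of the first whose script path was edited in the
# web UI after the original had been approved.
DEFINED_METHODS = {
    "Linux - Get Memory Usage": "perl <path_cacti>/scripts/linux_memory.pl MemFree:",
    "Linux - Get Load Average": "perl <path_cacti>/scripts/loadavg_multi.pl",
    "Linux - Get Memory Usage (edited)": "perl /tmp/linux_memory.pl MemFree:",
}


def command_digest(command: str) -> str:
    """SHA-256 of the exact command text; changing any byte changes the digest."""
    return hashlib.sha256(command.encode("utf-8")).hexdigest()


# Constructed whitelist: digests of command texts that were reviewed and
# approved outside the web UI (for example by the local sysadmin on the host).
APPROVED_DIGESTS = {
    command_digest("perl <path_cacti>/scripts/linux_memory.pl MemFree:"),
    command_digest("perl <path_cacti>/scripts/loadavg_multi.pl"),
}


def is_whitelisted(command: str, approved=APPROVED_DIGESTS) -> bool:
    """True only if the command text is byte-for-byte an approved entry.

    Matching on the digest of the whole string, rather than on a script name
    or a metacharacter filter, means an administrator edit of any kind (new
    path, extra arguments, appended shell syntax) invalidates the approval.
    """
    digest = command_digest(command)
    return any(hmac.compare_digest(digest, a) for a in approved)


def audit(methods, approved=APPROVED_DIGESTS):
    """Names of methods whose command is not on the whitelist.

    A poller enforcing the policy would refuse to run these until they are
    re-reviewed and their new digest is added to the approved list.
    """
    return sorted(name for name, cmd in methods.items()
                  if not is_whitelisted(cmd, approved))


if __name__ == "__main__":
    for name in audit(DEFINED_METHODS):
        print(f"blocked (not whitelisted): {name}")
```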
Added tag(s) confirmed. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Sun, 02 Aug 2015 14:39:25 GMT) (full text, mbox, link).


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sun, 28 Oct 2018 16:09:09 GMT) (full text, mbox, link).


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sun, 28 Oct 2018 16:09:09 GMT) (full text, mbox, link).


Message #30 received at 561339-close@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: 561339-close@bugs.debian.org
Subject: Bug#561339: fixed in cacti 1.2.0~beta2+ds1-1
Date: Sun, 28 Oct 2018 16:04:13 +0000
Source: cacti
Source-Version: 1.2.0~beta2+ds1-1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 561339@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 28 Oct 2018 16:00:51 +0100
Source: cacti
Binary: cacti
Architecture: source
Version: 1.2.0~beta2+ds1-1
Distribution: experimental
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 561339 903238
Changes:
 cacti (1.2.0~beta2+ds1-1) experimental; urgency=medium
 .
   * New upstream release 1.2.0-beta1
   * CVE-2009-4112: remote authenticated administrators can gain
     privileges; circumvented via optional whitelisting (Closes: #561339)
   * Refresh patches
   * Drop most of
     enable-system-jqueryui-by-putting-cacti-changes-in-main.css.patch
   * Bump Standards to 4.2.1
   * Bump debhelper compat level
   * [tests] Add mysql-server test back but with
     skip-not-installable. Debian has mariadb-server as
     default-mysql-server so we definitely want to test that. Ubuntu has
     mysql-server, so we also want to test that, but that isn't in
     testing. (Closes: #903238)
   * Drop recursive chown from postins (thanks lintian)
   * Add perl-path.patch to make sh-bang in perl scripts compliant with
     policy (thanks lintian)
   * Add font-awesome-path.patch as the path to the css is slightly
     different in the system version
   * Add fix-update-for-beta-versions.patch to ensure updating works
   * Adapt documentation building as upstream reworked it completely
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Dec 2018 07:27:13 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:15 2019; Machine Name: buxtehude
