cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access


Debian Bug report logs - #814353

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 Feb 2016 18:09:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version cacti/0.8.8f+ds1-4

Fixed in version cacti/0.8.8g+ds1-1

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.cacti.net/view.php?id=2656


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#814353; Package src:cacti. (Wed, 10 Feb 2016 18:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Wed, 10 Feb 2016 18:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access
Date: Wed, 10 Feb 2016 19:05:09 +0100
Source: cacti
Version: 0.8.8f+ds1-4
Severity: important
Tags: security upstream patch
Forwarded: http://bugs.cacti.net/view.php?id=2656

Hi,

the following vulnerability was published for cacti.

CVE-2016-2313[0]:
|Authentication using web authentication as a user not in the cacti
|database allows complete access

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2313
[1] http://bugs.cacti.net/view.php?id=2656
[2] http://svn.cacti.net/viewvc?view=rev&revision=7770

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#814353; Package src:cacti. (Wed, 10 Feb 2016 18:45:07 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Wed, 10 Feb 2016 18:45:07 GMT)


Message #10 received at 814353@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: <814353@bugs.debian.org>, Debian Security <security@debian.org>
Subject: Re: Bug#814353: cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access
Date: Wed, 10 Feb 2016 19:18:04 +0100
Hi Salvatore,

On 10-02-16 19:05, Salvatore Bonaccorso wrote:
> CVE-2016-2313[0]:
> |Authentication using web authentication as a user not in the cacti
> |database allows complete access
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

As I already mentioned in your ref [1], I don't believe this is in
general true. It is my belief that the reporter opened the access
actively and just forgot about it. Unfortunately, neither the reporter
nor upstream responded to my request. Because there is a lot of code that
actually is meant for the situation where there is no user in the cacti
database yet, I believe that "fixing" this CVE is causing (serious?)
regression for some users, while fixing no real issue. How to handle
this situation?

> [1] http://bugs.cacti.net/view.php?id=2656
> [2] http://svn.cacti.net/viewvc?view=rev&revision=7770

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#814353; Package src:cacti. (Sat, 13 Feb 2016 09:51:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sat, 13 Feb 2016 09:51:08 GMT)


Message #15 received at 814353@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Paul Gevers <elbrus@debian.org>
Cc: 814353@bugs.debian.org, Debian Security <security@debian.org>
Subject: Re: Bug#814353: cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access
Date: Sat, 13 Feb 2016 10:47:30 +0100
Hi Paul,

On Wed, Feb 10, 2016 at 07:18:04PM +0100, Paul Gevers wrote:
> Hi Salvatore,
> 
> On 10-02-16 19:05, Salvatore Bonaccorso wrote:
> > CVE-2016-2313[0]:
> > |Authentication using web authentication as a user not in the cacti
> > |database allows complete access
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> As I already mentioned in your ref [1], I don't believe this is in
> general true. It is my belief that the reporter opened the access
> actively and just forgot about it. Unfortunately, neither the reporter
> nor upstream responded to my request. Because there is a lot of code that
> actually is meant for the situation where there is no user in the cacti
> database yet, I believe that "fixing" this CVE is causing (serious?)
> regression for some users, while fixing no real issue. How to handle
> this situation?

So it looks like e.g. OpenSuSE has decided to release updates for
that, see e.g. https://www.suse.com/security/cve/CVE-2016-2313.html

Could you bring your observations to the thread on the oss-security
mailing list, where the CVE was assigned?

We for now can wait before backporting the fix to jessie and wheezy,
and first have it exposed in unstable as well via the upcoming cacti
version containing the change (will be 0.8.8g).

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 15 Feb 2016 19:34:08 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Fri, 26 Feb 2016 22:45:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 26 Feb 2016 22:45:05 GMT)


Message #22 received at 814353-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 814353-close@bugs.debian.org
Subject: Bug#814353: fixed in cacti 0.8.8g+ds1-1
Date: Fri, 26 Feb 2016 22:43:24 +0000
Source: cacti
Source-Version: 0.8.8g+ds1-1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 814353@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 26 Feb 2016 13:50:34 +0100
Source: cacti
Binary: cacti
Architecture: source
Version: 0.8.8g+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 814353
Changes:
 cacti (0.8.8g+ds1-1) unstable; urgency=medium
 .
   * New upstream release
     - CVE-2016-2313 (closes: #814353)
     - Drop included patches
   * Update d/copyright with new years
   * Enable installation on MariaDB by forcing the collation to latin1
   * Add mariadb-server to list of recommends
   * Update Vcs-* fields to https




Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#814353; Package src:cacti. (Sun, 06 Mar 2016 19:57:03 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sun, 06 Mar 2016 19:57:03 GMT)


Message #27 received at 814353@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 814353@bugs.debian.org
Cc: Debian Security <security@debian.org>
Subject: Re: Bug#814353: cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access
Date: Sun, 6 Mar 2016 20:54:21 +0100
Hi all,

On 10-02-16 19:18, Paul Gevers wrote:
> As I already mentioned in your ref [1], I don't believe this is in
> general true. It is my belief that the reporter opened the access
> actively and just forgot about it. Unfortunately, neither the reporter
> nor upstream responded to my request.

Upstream finally responded to my concerns and agrees. They already
(apparently) fixed this properly in their development branch. See
comment 0007083 in the upstream bug report¹.

I suspect he is talking about this commit:
https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52

If we are going to fix this issue in older Debian versions, I propose to
use the final result of that patch instead of the original.

Paul

¹ http://bugs.cacti.net/view.php?id=2656


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Apr 2016 07:31:47 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:01 2019; Machine Name: buxtehude
