[Pkg-cacti-maint] Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request

Salvatore Bonaccorso carnil at debian.org
Mon Nov 20 20:30:36 UTC 2017


Hi Paul,

Sorry for the delayed reply.

On Fri, Nov 10, 2017 at 09:26:17PM +0100, Paul Gevers wrote:
> Control: severity -1 important
> Control: tags -1 pending
> 
> Hi all,
> 
> On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> > Severity: grave
> > CVE-2017-16641[0]:
> > | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
> > | to execute arbitrary OS commands via the path_rrdtool parameter in an
> > | action=save request to settings.php.
> 
> Although this is true, and this parameter is not meant to be used like
> this, the cacti *admin* has always had this possibility via the "Data
> Input Method" freedom, which caused CVE-2009-4112 / bug 561339 to be
> raised. I just confirmed that I could indeed still do this via that
> (trivial) route.
> 
> So just to be clear (and I don't particularly like it), the power of the
> cacti *admin* has been long known and has been accepted as unfixed for
> multiple Debian releases. Therefore I lower the severity of this bug.
> 
> Unfortunately the upstream patch for this bug does not simply apply to
> pre 1.x versions of cacti. I am not comfortable (yet) with creating a
> patch for those versions, and due to CVE-2009-4112, I don't think it is
> worth fixing this in stable and older.

Ok! Your argument makes sense to me, and I went ahead and marked the
issue as no-dsa for stretch and jessie. Still, if upstream provides
help in addressing either of those two issues, it would be great to see
fixes at some point, e.g. via a point release or picked up in a DSA as well.

Regards,
Salvatore
