[Pkg-cacti-maint] Bug#941036: cacti: CVE-2019-16723

Hugo Lefeuvre hle at debian.org
Wed Oct 16 13:23:47 BST 2019


Hi Salvatore, Paul,

I had a look at this issue in jessie, stretch and buster. I concluded that
jessie and stretch are not affected. I have reproduced the issue in buster.

# Quick breakdown:

Graphs are retrieved using rrdtool_function_graph() from lib/rrd.php; this
is true for jessie onwards.

rrdtool_function_graph() has a check for permissions, which is in fact very
similar to the ones introduced in 7a6a17252 and c7cf4a26e.

Before cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326[0] this check in
rrdtool_function_graph() was always executed. After this commit the check
is only executed when $user > 0.

Note: 0 is the default value for $user:

    [lib/rrd.php:1179][1]

    function rrdtool_function_graph($local_graph_id, $rra_id, $graph_data_array,
        $rrdtool_pipe = '', &$xport_meta = array(), $user = 0) {
    ...

However graph_image.php, graph_json.php and rrdtool_function_xport() call
rrdtool_function_graph() without passing $user:

    [graph_image.php:132][2]

    $output = rrdtool_function_graph(get_request_var('local_graph_id'), $rra_id, $graph_data_array);

Hence, permissions are never checked after this commit. I don't think this
is the intended effect.

Now, let's try something: take 1.2.2+ds1-2+deb10u1, the version in buster
which is affected, and simply revert cf73ae1a9f65b5a27d7f9d10:

--- a/lib/rrd.php       2019-10-16 13:24:08.590183640 +0200
+++ b/lib/rrd.php       2019-10-16 13:24:34.302046280 +0200
@@ -1171,11 +1171,11 @@

        /* before we do anything; make sure the user has permission to view this graph,
        if not then get out */
-       if ($user > 0) {
+       //if ($user > 0) {
                if (!is_graph_allowed($local_graph_id, $user)) {
                        return 'GRAPH ACCESS DENIED';
                }
-       }
+       //}

        if (getenv('LANG') == '') {
                putenv('LANG=' . str_replace('-', '_', CACTI_LOCALE) . '.UTF-8');
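Review bot: commenting the guard out rather than deleting it leaves `//if ($user > 0) {` and `//}` as dead lines and keeps the inner `if (!is_graph_allowed($local_graph_id, $user))` one indent level too deep; for anything beyond this reproduction test, drop the two guard lines outright so the check reads as unconditional. Worth stating in the analysis too: with the guard removed, the callers listed above that omit `$user` (graph_image.php, graph_json.php, rrdtool_function_xport()) now reach is_graph_allowed($local_graph_id, 0), so the restored check only holds if is_graph_allowed() resolves user 0 to the current session user rather than treating it as a wildcard; that is what makes this a reproduction rather than the final fix.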

Try to reproduce: this is sufficient to "fix" the issue and appears to
confirm previous analysis.

Any comments?

cheers,
Hugo

[0] https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
[1] https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
[2] https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
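To make the fail-open pattern in the analysis above concrete, here is an added, self-contained PHP model of it. It is not Cacti code: the permission table, graph_allowed(), fetch_graph_vulnerable(), fetch_graph_hardened() and the session-user parameter are hypothetical stand-ins. It contrasts a guard that skips the authorization check when $user keeps its default of 0 (as after the commit discussed) with a form that resolves the user first and checks unconditionally, so an unresolved user is denied rather than waved through.

```php
<?php
// Added example, not Cacti's own code: a minimal model of the "$user = 0 default
// skips the permission check" pattern. All names here are hypothetical stand-ins.

// Constructed permission table: graph id => list of user ids allowed to view it.
$graph_permissions = [
    10 => [1],      // graph 10 viewable by user 1 only
    20 => [1, 2],   // graph 20 viewable by users 1 and 2
];

// Stand-in for an is_graph_allowed()-style helper: explicit allow-list lookup.
// User 0 (the "no user given" default) matches nothing, so it never grants access.
function graph_allowed(array $perms, int $graph_id, int $user): bool {
    if ($user <= 0) {
        return false;
    }
    return in_array($user, $perms[$graph_id] ?? [], true);
}

// Mirrors the guard described above: the check only runs when $user > 0, and
// $user defaults to 0. A caller that omits $user therefore bypasses the check
// entirely (fail open), which is the behaviour reproduced in buster.
function fetch_graph_vulnerable(array $perms, int $graph_id, int $user = 0): string {
    if ($user > 0) {
        if (!graph_allowed($perms, $graph_id, $user)) {
            return 'GRAPH ACCESS DENIED';
        }
    }
    return "graph $graph_id rendered";
}

// Hardened form: an omitted $user is resolved from the session (hypothetical
// $session_user stands in for that lookup), and the check runs unconditionally.
// A missing or unresolvable user is denied (fail closed).
function fetch_graph_hardened(array $perms, int $graph_id, int $user = 0, ?int $session_user = null): string {
    if ($user <= 0) {
        $user = $session_user ?? 0;
    }
    if (!graph_allowed($perms, $graph_id, $user)) {
        return 'GRAPH ACCESS DENIED';
    }
    return "graph $graph_id rendered";
}

// Caller in the style of graph_image.php: no $user argument passed at all.
echo fetch_graph_vulnerable($graph_permissions, 10), "\n";
// Same function with an explicit, unauthorised user: the check now runs.
echo fetch_graph_vulnerable($graph_permissions, 10, 2), "\n";

// Hardened variant, same caller shape: no user and no session, then a session
// user who is not on the list, then one who is.
echo fetch_graph_hardened($graph_permissions, 10), "\n";
echo fetch_graph_hardened($graph_permissions, 10, 0, 2), "\n";
echo fetch_graph_hardened($graph_permissions, 10, 0, 1), "\n";
```

Run with `php` on the command line. The first call renders graph 10 without any check because $user stayed at its default; the second denies user 2. In the hardened variant the first two calls are denied (no resolvable user, then a user not on the allow list) and only the last one renders. The design point is that a default parameter value must never be the thing that decides whether an authorization check runs; the check should run on every path and the absence of a resolved identity should be treated as "deny".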