[Pkg-cacti-maint] Bug#941036: cacti: CVE-2019-16723
Salvatore Bonaccorso
carnil at debian.org
Sat Sep 28 22:41:37 BST 2019
Hi Paul,
On Tue, Sep 24, 2019 at 09:02:58PM +0200, Paul Gevers wrote:
> Hi,
>
> Although not 100% sure yet, I seriously doubt that old stable is
> affected as version 1.0.0 has this:
>
> -feature: New Graph Permissions system designed to make permissions
> simple to manage
>
> So I believe the affected code was only introduced then.
I tried to get an idea here, but still I'm not sure 100%. Isn't for
instance the is_graph_allowed check missing in e.g. graph_xport.php,
so before accessing the graph_info, there is no check for if the user
is allowed to access the graph. For other parts this is done in
0.8.8h.
When in doupt, I rather would prefer to "wrongly" mark something as
affected rather than triage it as not-affected, and later to be turned
wrong.
Although the CVE assignment is somehow specific to the graph_json.php
part, which is not present in 0.8.8h I'm raising still the above, as
upstream has at least decided to cover the other changes for
permission checks in the two related commits.
Is upstream available to check and to confirm the stretch version is
not affected despite the potential missing permission checks there?
Regards,
Salvatore
More information about the Pkg-cacti-maint
mailing list