[Pkg-cacti-maint] Bug#941036: cacti: CVE-2019-16723
Paul Gevers
elbrus at debian.org
Sat Sep 28 22:03:48 BST 2019
Hi Salvatore,
On 28-09-2019 23:41, Salvatore Bonaccorso wrote:
>> So I believe the affected code was only introduced then.
>
> I tried to get an idea here, but still I'm not sure 100%. Isn't for
> instance the is_graph_allowed check missing in e.g. graph_xport.php,
> so before accessing the graph_info, there is no check for if the user
> is allowed to access the graph. For other parts this is done in
> 0.8.8h.
>
> When in doupt, I rather would prefer to "wrongly" mark something as
> affected rather than triage it as not-affected, and later to be turned
> wrong.
>
> Although the CVE assignment is somehow specific to the graph_json.php
> part, which is not present in 0.8.8h I'm raising still the above, as
> upstream has at least decided to cover the other changes for
> permission checks in the two related commits.
>
> Is upstream available to check and to confirm the stretch version is
> not affected despite the potential missing permission checks there?
I already noted on IRC the other day that I think the pre 1 code is
affected as well. So I agree with your assessment.
Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-cacti-maint/attachments/20190928/5cc2d3bd/attachment.sig>
More information about the Pkg-cacti-maint
mailing list