[Pkg-cacti-maint] Bug#941036: cacti: CVE-2019-16723

Salvatore Bonaccorso carnil at debian.org
Sun Sep 29 07:45:40 BST 2019


Hi Paul,

On Sat, Sep 28, 2019 at 11:03:48PM +0200, Paul Gevers wrote:
> Hi Salvatore,
> 
> On 28-09-2019 23:41, Salvatore Bonaccorso wrote:
> >> So I believe the affected code was only introduced then.
> > 
> > I tried to get an idea here, but still I'm not sure 100%. Isn't for
> > instance the is_graph_allowed check missing in e.g. graph_xport.php,
> > so before accessing the graph_info, there is no check for if the user
> > is allowed to access the graph. For other parts this is done in
> > 0.8.8h.
> > 
> > When in doubt, I rather would prefer to "wrongly" mark something as
> > affected rather than triage it as not-affected, and later to be turned
> > wrong.
> > 
> > Although the CVE assignment is somehow specific to the graph_json.php
> > part, which is not present in 0.8.8h I'm raising still the above, as
> > upstream has at least decided to cover the other changes for
> > permission checks in the two related commits.
> > 
> > Is upstream available to check and to confirm the stretch version is
> > not affected despite the potential missing permission checks there?
> 
> I already noted on IRC the other day that I think the pre 1 code is
> affected as well. So I agree with your assessment.

Ack, thanks for confirming (and regarding the note on IRC, I guess I
just missed it).

Regards,
Salvatore


