[Pkg-monitoring-maintainers] Bug#683584: security update ready for squeeze (3.1.8)

[Salvatore Bonaccorso]

Hi

On Sat, Jan 19, 2013 at 08:36:08PM +0100, Yves-Alexis Perez wrote:
> On sam., 2013-01-19 at 10:09 +0100, Salvatore Bonaccorso wrote:
> > By passing g= argument, it is possible to traverse the path and load
> > another file and execute code from it.
> > 
> > Attached is the debdiff against 3.1.7-1 in squeeze.
> 
> 
> Part of the diff (the is_numeric() parts mainly) seems missing. Is it
> intended?

Yes. I downloaded both 3.1.7 and 3.1.8 source tarballs and looked at
the diff. web/graph.php contain only following changes:

----cut---------cut---------cut---------cut---------cut---------cut-----
filterdiff -i '*web/graph.php' ganglia_3.1.7_3.1.8.diff 
--- ganglia-3.1.7/web/graph.php 2010-02-17 12:05:39.000000000 +0100
+++ ganglia-3.1.8/web/graph.php 2012-08-15 19:12:12.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-/* $Id: graph.php 2183 2010-01-07 16:09:55Z d_pocock $ */
+/* $Id$ */
 include_once "./eval_config.php";
 include_once "./get_context.php";
 include_once "./functions.php";
@@ -122,7 +122,7 @@
 
 $graph_file = "$graphdir/$graph.php";
 
-if ( is_readable($graph_file) ) {
+if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {
     include_once($graph_file);
 
     $graph_function = "graph_${graph}";
----cut---------cut---------cut---------cut---------cut---------cut-----

If I see it correctly the corresponding code is not present in 3.1.7,
and the above are the only changes done in web/graph.php between 3.1.7
and 3.1.8.

Regards,
Salvatore