[Pkg-monitoring-maintainers] Bug#683584: security update ready for squeeze (3.1.8)

Daniel Pocock daniel at pocock.com.au
Sat Jan 19 20:12:13 UTC 2013



On 19/01/13 21:01, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sat, Jan 19, 2013 at 08:36:08PM +0100, Yves-Alexis Perez wrote:
>> On sam., 2013-01-19 at 10:09 +0100, Salvatore Bonaccorso wrote:
>>> By passing the g= argument, it is possible to traverse the path and load
>>> another file and execute code from it.
>>>
>>> Attached is the debdiff against 3.1.7-1 in squeeze.
>>
>>
>> Part of the diff (the is_numeric() parts mainly) seems missing. Is it
>> intended?
> 
> Yes. I downloaded both 3.1.7 and 3.1.8 source tarballs and looked at
> the diff. web/graph.php contains only the following changes:
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> filterdiff -i '*web/graph.php' ganglia_3.1.7_3.1.8.diff 
> --- ganglia-3.1.7/web/graph.php 2010-02-17 12:05:39.000000000 +0100
> +++ ganglia-3.1.8/web/graph.php 2012-08-15 19:12:12.000000000 +0200
> @@ -1,5 +1,5 @@
>  <?php
> -/* $Id: graph.php 2183 2010-01-07 16:09:55Z d_pocock $ */
> +/* $Id$ */
>  include_once "./eval_config.php";
>  include_once "./get_context.php";
>  include_once "./functions.php";
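Review bot: the only change in this hunk is the `$Id: ... $` keyword line being collapsed to `$Id$`, which has no functional effect; for a squeeze security backport it can be dropped from the debdiff so that the upload carries only the traversal fix below.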
> @@ -122,7 +122,7 @@
>  
>  $graph_file = "$graphdir/$graph.php";
>  
> -if ( is_readable($graph_file) ) {
> +if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {
>      include_once($graph_file);
>  
>      $graph_function = "graph_${graph}";
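Review bot: the `realpath($graphdir) === dirname(realpath($graph_file))` guard stops `../` traversal, but `$graph` itself is still unvalidated: any readable `.php` file that happens to sit directly in `$graphdir` is still included, and the raw value still flows into `$graph_function = "graph_${graph}"`. Consider rejecting anything but a plain graph name before building `$graph_file`, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $graph)) { exit; }`, which also keeps the derived function name well-formed. Also note the behaviour change: because `realpath()` resolves symlinks, a graph file that is itself a symlink into another directory now fails the check even though it is in `$graphdir`; that deserves a changelog line.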
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> 
> If I see it correctly the corresponding code is not present in 3.1.7,
> and the above are the only changes done in web/graph.php between 3.1.7
> and 3.1.8.
> 

Please keep in mind that the version in wheezy has the new Ganglia web/*
code, which is a massive overhaul with more functionality and
potentially more things to change when there is an issue.

The version in squeeze is the legacy Ganglia web code.

For wheezy + 1, the web code is an independent upstream release and an
independent source package.

Anyhow, please let me know when it needs further action from myself.
I'm just as happy for somebody else to build and NMU; please just
remember to tag it in git.

Here is my usual workflow (abbreviated):

git clone git+ssh://git.debian.org/git/pkg-monitoring/ganglia.git
cd ganglia
git checkout squeeze
vi debian/changelog
git add debian/changelog && git commit -m 'Update changelog, etc'
dpkg-buildpackage -rfakeroot
dput ../
git tag -s -m 'Tag v3.1.8-2' squeeze/3.1.8-2
git push origin squeeze

Regards,

Daniel
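The g= traversal and the realpath() guard discussed above, as an added example that is neither Ganglia's nor the Debian package's code. It models the include test of 3.1.7 and of 3.1.8 against a throwaway directory tree built under the system temp directory; the graph name cpu_report, the file names and the three g= values are constructed for the demo.

```php
<?php
// Added example (not Ganglia's code): models the graph.php include test from
// the quoted hunk, before and after the 3.1.8 realpath() guard, against a
// throwaway graph directory built below. All paths and g= values are constructed.

// 3.1.7 behaviour: any readable file reachable via "$graphdir/$graph.php" is accepted.
function accepted_by_3_1_7(string $graphdir, string $graph): bool
{
    $graph_file = "$graphdir/$graph.php";
    return is_readable($graph_file);
}

// 3.1.8 behaviour: additionally, the resolved file must sit directly inside the
// resolved graph directory. realpath() collapses "../" and follows symlinks.
function accepted_by_3_1_8(string $graphdir, string $graph): bool
{
    $graph_file = "$graphdir/$graph.php";
    return is_readable($graph_file)
        && realpath($graphdir) === dirname(realpath($graph_file));
}

// Demo tree (constructed):
//   $base/eval_config.php        <- readable PHP file outside the graph directory
//   $base/graph.d/cpu_report.php <- a legitimate graph
//   $base/graph.d/linked.php     <- symlink pointing at ../eval_config.php
$base = sys_get_temp_dir() . '/ganglia-guard-demo-' . getmypid();
$graphdir = "$base/graph.d";
mkdir($graphdir, 0700, true);
file_put_contents("$base/eval_config.php", "<?php\n");
file_put_contents("$graphdir/cpu_report.php", "<?php\n");
symlink("$base/eval_config.php", "$graphdir/linked.php");

// Constructed g= values: a legitimate graph, a "../" traversal and a symlink.
$cases = ['cpu_report', '../eval_config', 'linked'];

printf("%-16s %-6s %-6s\n", 'g=', '3.1.7', '3.1.8');
foreach ($cases as $g) {
    printf("%-16s %-6s %-6s\n", $g,
        accepted_by_3_1_7($graphdir, $g) ? 'load' : 'deny',
        accepted_by_3_1_8($graphdir, $g) ? 'load' : 'deny');
}

// Remove the demo tree again.
unlink("$graphdir/linked.php");
unlink("$graphdir/cpu_report.php");
unlink("$base/eval_config.php");
rmdir($graphdir);
rmdir($base);
```

Running it with the php CLI prints one row per g= value: cpu_report is loaded by both versions, while ../eval_config and linked are loaded by the 3.1.7 test and denied by the 3.1.8 test. The linked row is the trade-off of building the check on realpath(): a graph file that is itself a symlink into another directory is denied as well.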
