[arch-commits] Commit in cacti/trunk (PKGBUILD cacti-1.2.16-CVE-2020-35701.patch)
David Runge
dvzrv at archlinux.org
Thu Jan 14 17:19:01 UTC 2021
Date: Thursday, January 14, 2021 @ 17:19:00
Author: dvzrv
Revision: 820838
upgpkg: cacti 1.2.16-2: Rebuild to fix CVE-2020-35701.
The patch is a backport of upstream's patch:
https://github.com/Cacti/cacti/commit/565e0604a53f4988dc5b544d01f4a631eaa80d82
Added:
cacti/trunk/cacti-1.2.16-CVE-2020-35701.patch
Modified:
cacti/trunk/PKGBUILD
-----------------------------------+
PKGBUILD | 7 ++++++-
cacti-1.2.16-CVE-2020-35701.patch | 22 ++++++++++++++++++++++
2 files changed, 28 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-01-14 16:25:58 UTC (rev 820837)
+++ PKGBUILD 2021-01-14 17:19:00 UTC (rev 820838)
@@ -4,7 +4,7 @@
pkgname=cacti
pkgver=1.2.16
-pkgrel=1
+pkgrel=2
pkgdesc="Network graphing solution using RRDTool"
arch=('any')
url="https://www.cacti.net"
@@ -17,15 +17,18 @@
backup=('etc/webapps/cacti/.htaccess'
'etc/webapps/cacti/config.php')
source=("https://www.${pkgname}.net/downloads/${pkgname}-${pkgver}.tar.gz"
+ "${pkgname}-1.2.16-CVE-2020-35701.patch"
"${pkgname}.uwsgi"
"${pkgname}.sysusers"
"${pkgname}.tmpfiles")
install="${pkgname}.install"
sha512sums=('fe22acf4dea8ab6ec79825d66a84ad4c43fdce2815e7327536d182bc04400ed7b1d268209bbbca8b307c4779ee5bf7369a617ec1f052d8805757c2ca9b30cc35'
+ '8c193f52e5478e12f93152356bce085ed7468b1e19657ae92150bb1eee662020fc4f89d5b7aa507465b82b5224834fd78eaa4389e6007136e1fc7df6e7f115a6'
'a87241b12226fcad9e161d0f4cd344161015b5fa8e2f1f3af4431d22bd87aad8a4f9553226baed98d48376819e75266a50fd796b1c884b4e597ccf38a5e4de01'
'847e2b791de44d0790a2fdb81c77c8af9a66da9d44500f3f8a8d1c0f406d3a20082cc8fef1c6afe4de93ad989d35c79c9809abe14693a9ac6ea74d4696e3b6c1'
'e833e411f74e77773c32589ba83cb1b2f28ca9b35931626480ab7daa63420d47ecfc3061e6703323646b69e1d98536b6f3afdd36faa483fb13aac9b818af0c6e')
b2sums=('19939d0ff79c895b481aeb7ffec8331d8b9c10a6b7e0dbda6532e06ef0322f21cf02f4bf53a9522e1f672dd04b343f5550e2f34f08b3af2050e1f72465cffc43'
+ 'a64a7ef5de93c2906c9fa5c713bf87e451eeaed297efd67b514fa47fdf11262a39d96f8e1be8bfd7c04fa74d31f830f826bcfd3a71a8230ec7454e360f7540bd'
'd110c7659ad181e0823dd7a5f02cd43ecffdbc52e18e08fe40e31430631bf700237b343784873ca4b5d5b94ce11fae7a2f8db3ebd09dbb3f784367bdda14be32'
'2ec9956b690ab9244e31a58d295ab56b5d0df9fc9586c74edbd55c12d3383430b8a1a8a708d7d747abadb67eee42094562da510ddfc7797978c2683e7b86a252'
'0a532bbbd07b21da18ea21eec3f268510740069fb732e3d387f224b93f0539e3e968ba6332bf647ff62f2d98910abc33e35a3e82d335cf7d29a503609e22651f')
@@ -34,6 +37,8 @@
# adding default .htaccess
echo "Require all denied" > "${pkgname}-htaccess"
cd "${pkgname}-${pkgver}"
+ # fix CVE-2020-35701: https://bugs.archlinux.org/task/69300
+ patch -Np1 -i "../${pkgname}-1.2.16-CVE-2020-35701.patch"
# setting correct install path for spine
sed -e 's|/usr/local/spine/bin/spine|/usr/bin/spine|g' \
-i install/functions.php
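Review bot: The comment added above the `patch -Np1` call links only the Arch bug report, so the PKGBUILD itself does not record which upstream change the backport corresponds to or when it can be dropped. I would extend it to `# fix CVE-2020-35701 (https://bugs.archlinux.org/task/69300); backport of upstream commit 565e0604a53f4988dc5b544d01f4a631eaa80d82, drop once pkgver contains it`. The patch file name in `source=()` hard-codes 1.2.16 rather than `${pkgver}`, so the entry will not silently follow a version bump, but that only helps if the maintainer knows the patch is meant to be removed. The enclosing function starts and ends outside this hunk.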
Added: cacti-1.2.16-CVE-2020-35701.patch
===================================================================
--- cacti-1.2.16-CVE-2020-35701.patch (rev 0)
+++ cacti-1.2.16-CVE-2020-35701.patch 2021-01-14 17:19:00 UTC (rev 820838)
@@ -0,0 +1,22 @@
+diff --git a/data_debug.php b/data_debug.php
+index 1bbed6a0a..a7ffe0829 100644
+--- a/data_debug.php
++++ b/data_debug.php
+@@ -35,6 +35,8 @@
+
+ set_default_action();
+
++validate_request_vars();
++
+ switch (get_request_var('action')) {
+ case 'actions':
+ form_actions();
+@@ -123,8 +125,6 @@
+
+ break;
+ default:
+- validate_request_vars();
+-
+ $refresh = array(
+ 'seconds' => get_request_var('refresh'),
+ 'page' => 'data_debug.php?header=false',
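Review bot: Moving `validate_request_vars();` in front of the `switch` protects the non-default actions only if that function's filter list covers every request variable those branches read. Neither its definition nor `form_actions()` is visible in this hunk, so this should be confirmed against the full data_debug.php before the backport is treated as complete. It is also worth checking that the call has no side effects that were previously limited to the default view; from here that cannot be told. A one-line comment above the call would keep the ordering from being undone in a later refactor: `// validate request variables before any action is dispatched (CVE-2020-35701)`. The `switch` body continues outside the hunk.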