[packages/cacti] - up to 1.2.9; fixes CVE-2020-7106, CVE-2020-7237

arekm arekm at pld-linux.org
Wed Feb 12 11:23:05 CET 2020


commit 7a13808f24fa60940d143ee090ec615e50575b41
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Wed Feb 12 11:22:56 2020 +0100

    - up to 1.2.9; fixes CVE-2020-7106, CVE-2020-7237

 cacti-config.patch | 9 ++++++---
 cacti.spec         | 6 ++++--
 2 files changed, 10 insertions(+), 5 deletions(-)
---
diff --git a/cacti.spec b/cacti.spec
index 6c1ef5c..ea84a15 100644
--- a/cacti.spec
+++ b/cacti.spec
@@ -3,12 +3,12 @@
 Summary:	Cacti is a PHP frontend for rrdtool
 Summary(pl.UTF-8):	Cacti - frontend w PHP do rrdtoola
 Name:		cacti
-Version:	1.2.8
+Version:	1.2.9
 Release:	1
 License:	GPL v2
 Group:		Applications/WWW
 Source0:	http://www.cacti.net/downloads/%{name}-%{version}.tar.gz
-# Source0-md5:	822e317918956246398cfc891dff66bc
+# Source0-md5:	1561dac3fddc4385389fe64b5a7c7067
 Source2:	%{name}.crontab
 Source3:	%{name}-apache.conf
 Source4:	%{name}-lighttpd.conf
@@ -171,6 +171,8 @@ cp -p %{SOURCE5} sql
     /bin.php/!i#!%{_bindir}/php
 }' scripts/*.php  cli/*.php
 
+%{__sed} -i -e 's,#!/usr/bin/env php,#!/usr/bin/php,' include/vendor/cldr-to-gettext-plural-rules/bin/export-plural-rules
+
 chmod a+rx scripts/*.php cli/*.php
 
 find '(' -name '*~' -o -name '*.orig' ')' -print0 | xargs -0 -r -l512 rm -f
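Review bot: The added sed hard-codes `/usr/bin/php`, while the shebang rewrite directly above it in this hunk uses `%{_bindir}/php`; using the macro keeps both rewrites pointing at the same interpreter path: `%{__sed} -i -e '1s,#!/usr/bin/env php,#!%{_bindir}/php,' include/vendor/cldr-to-gettext-plural-rules/bin/export-plural-rules`. The `1s` address in that line limits the substitution to the shebang line, which the current unanchored expression does not. The command also succeeds silently when the pattern no longer matches, so a future upstream change to the shebang would ship unmodified without the build noticing. The %prep section continues outside this hunk.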
diff --git a/cacti-config.patch b/cacti-config.patch
index 49feed2..791d897 100644
--- a/cacti-config.patch
+++ b/cacti-config.patch
@@ -1,17 +1,20 @@
 --- cacti-0.8.7b/include/global.php	2008-10-05 04:38:29.740276226 +0300
 +++ cacti-0.8.7g/include/global.php	2010-12-13 12:10:44.312310245 +0200
-@@ -64,10 +64,7 @@ $url_path = '/cacti/';
- /* allow upto 5000 items to be selected */
+@@ -83,13 +83,7 @@ $disable_log_rotation = false;
  ini_set('max_input_vars', '5000');
+ $config = array();
  
 -/* Include configuration, or use the defaults */
 -if (file_exists(dirname(__FILE__) . '/config.php')) {
+-	if (!is_readable(dirname(__FILE__) . '/config.php')) {
+-		die('Configuration file include/config.php is present, but unreadable.' . PHP_EOL);
+-	}
 -	include(dirname(__FILE__) . '/config.php');
 -}
 +require '/etc/webapps/cacti/config.php';
  
  if (isset($config['cacti_version'])) {
- 	die('Invalid include/config.php file detected.');
+ 	die('Invalid include/config.php file detected.' . PHP_EOL);
 @@ -139,7 +139,8 @@ if ($config['cacti_server_os'] == 'win32
  	$config['library_path'] = preg_replace("/(.*[\/])include/", "\\1lib", dirname(__FILE__));
  }
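Review bot: The refreshed patch now also strips the `is_readable()` guard that upstream 1.2.9 added, so an unreadable `/etc/webapps/cacti/config.php` reaches the bare `require` and ends in a PHP fatal error instead of the controlled `die()` message. Depending on the `display_errors` setting (not visible here), that error can print the filesystem path to the client. Keeping the guard against the packaged path, placed before the `require`, would preserve the upstream behaviour: `if (!is_readable('/etc/webapps/cacti/config.php')) { die('Configuration file /etc/webapps/cacti/config.php is unreadable.' . PHP_EOL); }`. The `die()` text in the following context line still names `include/config.php`, which is not the file this package loads. global.php continues outside the hunk.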
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/cacti.git/commitdiff/7a13808f24fa60940d143ee090ec615e50575b41


