authorEldad Zack <eldad@gentoo.org>2004-08-17 09:55:11 +0000
committerEldad Zack <eldad@gentoo.org>2004-08-17 09:55:11 +0000
commit9da50f7666ab8a85b021abb65f40e014962b1a5c (patch)
tree0eaf9ed02d77b17cb52b6d6be472d550f8d1e0be /net-analyzer/cacti
parentremoved older version (Manifest recommit) (diff)
security update: sql injection patch
Diffstat (limited to 'net-analyzer/cacti')
-rw-r--r--net-analyzer/cacti/ChangeLog8
-rw-r--r--net-analyzer/cacti/Manifest3
-rw-r--r--net-analyzer/cacti/cacti-0.8.5a-r1.ebuild133
-rw-r--r--net-analyzer/cacti/files/cacti-0.8.5a-sql-injection.patch12
-rw-r--r--net-analyzer/cacti/files/digest-cacti-0.8.5a-r11
5 files changed, 156 insertions, 1 deletions
diff --git a/net-analyzer/cacti/ChangeLog b/net-analyzer/cacti/ChangeLog
index 9e7dc634826f..1863ca32ffa6 100644
--- a/net-analyzer/cacti/ChangeLog
+++ b/net-analyzer/cacti/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for net-analyzer/cacti
# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/cacti/ChangeLog,v 1.27 2004/08/07 23:52:22 slarti Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/cacti/ChangeLog,v 1.28 2004/08/17 09:55:11 eldad Exp $
+
+*cacti-0.8.5a-r1 (17 Aug 2004)
+
+ 17 Aug 2004; Eldad Zack <eldad@gentoo.org>
+ +files/cacti-0.8.5a-sql-injection.patch, +cacti-0.8.5a-r1.ebuild:
+ Security patch (SQL Injection): bumping to -r1 with x86 stable.
08 Aug 2004; Tom Martin <slarti@gentoo.org> cacti-0.8.5a.ebuild:
Typo in DESCRIPTION: frondend -> frontend. Bug 59717.
diff --git a/net-analyzer/cacti/Manifest b/net-analyzer/cacti/Manifest
index e5d7f3124cbc..c0817fe56399 100644
--- a/net-analyzer/cacti/Manifest
+++ b/net-analyzer/cacti/Manifest
@@ -1,4 +1,7 @@
+MD5 20fa3a06ca2b93ca3c13cd149cfcb4f1 cacti-0.8.5a-r1.ebuild 4534
MD5 37f166bdab6b6aea120532c1f9fb87c4 cacti-0.8.5a.ebuild 4440
MD5 0fcd46fbbf041e37678c5a6b4b1bd3b1 ChangeLog 3345
MD5 9683bb7323c40d69b48d54ad0eb169ed metadata.xml 221
MD5 44637d48edf68b76a472c70817449cd6 files/digest-cacti-0.8.5a 64
+MD5 9921205d0e13d5948104d5de2e58d3ee files/cacti-0.8.5a-sql-injection.patch 625
+MD5 44637d48edf68b76a472c70817449cd6 files/digest-cacti-0.8.5a-r1 64
diff --git a/net-analyzer/cacti/cacti-0.8.5a-r1.ebuild b/net-analyzer/cacti/cacti-0.8.5a-r1.ebuild
new file mode 100644
index 000000000000..7d968974077a
--- /dev/null
+++ b/net-analyzer/cacti/cacti-0.8.5a-r1.ebuild
@@ -0,0 +1,133 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/cacti/cacti-0.8.5a-r1.ebuild,v 1.1 2004/08/17 09:55:11 eldad Exp $
+
+inherit eutils webapp-apache
+
+DESCRIPTION="Cacti is a complete frontend to rrdtool"
+HOMEPAGE="http://www.raxnet.net/products/cacti/"
+SRC_URI="http://www.raxnet.net/downloads/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="x86 ~ppc sparc ~alpha ~amd64"
+IUSE="snmp mysql"
+
+DEPEND=""
+RDEPEND="net-www/apache
+ snmp? ( virtual/snmp )
+ net-analyzer/rrdtool
+ mysql? ( dev-db/mysql )
+ dev-php/php
+ dev-php/mod_php"
+
+pkg_setup() {
+ webapp-detect || NO_WEBSERVER=1
+ webapp-pkg_setup "${NO_WEBSERVER}"
+ einfo "Installing into ${ROOT}${HTTPD_ROOT}."
+}
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ epatch ${FILESDIR}/cacti-0.8.5a-sql-injection.patch
+}
+
+src_install() {
+ webapp-mkdirs
+
+ local DocumentRoot=${HTTPD_ROOT}
+ local destdir=${DocumentRoot}/${PN}
+ dodir ${destdir}
+
+ dohtml docs/{INSTALL,UPGRADE}.htm
+ dodoc docs/{CHANGELOG,CONTRIB}
+ dodoc LICENSE
+
+ #rm docs/{INSTALL,UPGRADE,INSTALL-WIN32}.htm
+ rm docs/{README,CHANGELOG,CONTRIB}
+ rm LICENSE README
+
+ #mv docs/manual .
+ rm -rf docs
+ rm -rf cactid
+
+ edos2unix `find -type f -name '*.php'`
+ #chown -R ${HTTPD_USER}.${HTTPD_GROUP} *
+ cp -r . ${D}/${HTTPD_ROOT}/${PN}
+ cd ${D}/${HTTPD_ROOT}
+ chown -R ${HTTPD_USER}:${HTTPD_GROUP} ${PN}
+}
+
+pkg_postinst() {
+ # check to see if we have a previous version installed
+ ver_installed="$(ls -d /var/db/pkg/net-analyzer/cacti* | sed 's:.*cacti-::')"
+ if [[ ${ver_installed} != ${PV} ]]
+ then
+ einfo
+ einfo "The cacti has been installed to ${INSTALL_DEST}"
+ einfo
+ einfo "Before cacti works you must upgrade the cacti database:"
+ einfo "1. Backup the old cacti database:"
+ einfo " shell> mysqlhotcopy --suffix=_old cacti"
+ einfo "2. Drop the old cacti database:"
+ einfo " shell> mysqladmin -p drop cacti"
+ einfo "3. Create the new cacti database"
+ einfo " shell> mysqladmin --user=root create cacti"
+ einfo "4. Import the default cacti database:"
+ einfo " shell> mysql cacti < ${INSTALL_DEST}/cacti.sql"
+ einfo "5. Edit ${INSTALL_DEST}/include/config.php."
+ einfo " + Modify the MySQL user, password and database for your"
+ einfo " cacti configuration."
+ einfo " \$database_default = \"cacti\";"
+ einfo " \$database_hostname = \"localhost\";"
+ einfo " \$database_username = \"cactiuser\";"
+ einfo " \$database_password = \"cacti\";"
+ einfo "6. Add this line to your /etc/crontab file:"
+ einfo " */5 * * * * ${HTTPD_USER} php ${HTTPD_ROOT}${PN}/cmd.php > /dev/null 2>&1"
+ einfo "7. Point your web browser to: http://your-server/cacti/"
+ einfo " Select \"Upgrade\"."
+ einfo " Make sure to fill in all of the path variables carefully and"
+ einfo " correctly on the following screen."
+ einfo
+ einfo "FINALLY, you must have these settings in your php.ini:"
+ einfo " register_globals = On"
+ einfo " register_argc_argv = On"
+ einfo
+ einfo "Test your upgraded installation. When all is fine you can"
+ einfo "drop the cacti_old database like so:"
+ einfo " shell> mysqladmin -p drop cacti_old"
+ einfo
+ else
+ einfo
+ einfo "The cacti has been copied to ${INSTALL_DEST}"
+ einfo
+ einfo "Before cacti works you must:"
+ einfo "1. Create the new cacti database"
+ einfo " shell> mysqladmin --user=root create cacti"
+ einfo "2. Import the default cacti database:"
+ einfo " shell> mysql cacti < ${INSTALL_DEST}/cacti.sql"
+ einfo "3. Optional: Create a MySQL username and password for cacti."
+ einfo " shell> mysql --user=root mysql"
+ einfo " mysql> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'somepassword';"
+ einfo " mysql> flush privileges;"
+ einfo "4. Edit ${INSTALL_DEST}/include/config.php."
+ einfo " + Modify the MySQL user, password and database for your"
+ einfo " cacti configuration."
+ einfo " \$database_default = \"cacti\";"
+ einfo " \$database_hostname = \"localhost\";"
+ einfo " \$database_username = \"cactiuser\";"
+ einfo " \$database_password = \"cacti\";"
+ einfo "5. Add this line to your /etc/crontab file:"
+ einfo " */5 * * * * ${HTTPD_USER} php ${HTTPD_ROOT}${PN}/cmd.php > /dev/null 2>&1"
+ einfo "6. Point your web browser to: http://your-server/cacti/"
+ einfo " Make sure to fill in all of the path variables carefully and"
+ einfo " correctly on the following screen."
+ einfo
+ einfo "FINALLY, you must have these settings in your php.ini:"
+ einfo " register_globals = On"
+ einfo " register_argc_argv = On"
+ einfo
+ fi
+}
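Review bot: In src_install the final `chown -R ${HTTPD_USER}:${HTTPD_GROUP} ${PN}` hands the whole PHP tree to the web-server account, so any file-write or code-execution flaw in the application can rewrite its own code. For a revision shipped as a security fix it would be better to leave the tree root-owned and chown only the directories Cacti has to write to (presumably `rra/` and `log/`; confirm against the upstream install notes). Separately, pkg_postinst compares the suffix of the /var/db/pkg entry with `${PV}`, but for this revision that suffix would be `0.8.5a-r1`, so the test looks like it can never be equal and every install is shown the upgrade branch, including the "Drop the old cacti database" step; `if [[ ${ver_installed} != ${PVR} ]]` seems to be what is meant. The printed instructions also show `$database_password = "cacti"` and require `register_globals = On`, so a line telling the admin to pick their own password and naming the exposure that register_globals brings would help.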
diff --git a/net-analyzer/cacti/files/cacti-0.8.5a-sql-injection.patch b/net-analyzer/cacti/files/cacti-0.8.5a-sql-injection.patch
new file mode 100644
index 000000000000..ae87c954315f
--- /dev/null
+++ b/net-analyzer/cacti/files/cacti-0.8.5a-sql-injection.patch
@@ -0,0 +1,12 @@
+--- /var/www/localhost/htdocs/cacti/auth_login.php 2004-08-17 11:24:40.000000000 +0300
++++ auth_login.php 2004-08-17 12:33:52.271029872 +0300
+@@ -29,9 +29,6 @@
+
+ switch ($_REQUEST["action"]) {
+ case 'login':
+- /* --- UPDATE old password with new md5 password value */
+- db_execute("update user_auth set password = '" . md5($_POST["password"]) . "' where username='" . $_POST["username"] . "' and password = PASSWORD('" . $_POST["password"] . "')");
+-
+ /* --- start ldap section --- */
+ $ldap_auth = false;
+ if ((read_config_option("ldap_enabled") == "on") && ($_POST["realm"] == "ldap") && (strlen($_POST["password"]))){
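Review bot: The removed `db_execute(...)` was also the step that rewrote old PASSWORD()-style hashes to md5 at login, so deleting it closes the injection but presumably leaves accounts that still carry the old hash format without a migration path; that deserves a line in the ChangeLog or in pkg_postinst. The patch file has no header saying where the fix comes from, and a short comment above the `---` line naming the upstream source or bug, and stating that the statement concatenated `$_POST["username"]` and `$_POST["password"]` into SQL, would make it auditable later. The rest of the `login` case lies outside the hunk, so whether the later queries escape `$_POST["username"]` cannot be checked from here and should be confirmed. The `---` header also uses an absolute path while `+++` is relative, which relies on epatch guessing the strip level.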
diff --git a/net-analyzer/cacti/files/digest-cacti-0.8.5a-r1 b/net-analyzer/cacti/files/digest-cacti-0.8.5a-r1
new file mode 100644
index 000000000000..7a5183477ccd
--- /dev/null
+++ b/net-analyzer/cacti/files/digest-cacti-0.8.5a-r1
@@ -0,0 +1 @@
+MD5 2b9ef4194664d65b86cdcc9a0f126609 cacti-0.8.5a.tar.gz 986785