[Bug 914746] Re: cacti SNMP verbose query PHP error

Sat Jul 14 07:40:54 UTC 2012

Please find attached the debdiff for lucid-proposed.

I confirm as stated earlier that both natty and oneiric don't suffer
from this bug for two reasons. One, the regression was really introduced
in patch CVE-2010-1645.patch which was only in lucid, and second,
because the important part of the solution is already incorporated in
the 0.8.7.g version of cacti. Therefor I mark the natty and oneiric
tasks as invalid.

Assigning the sponsors again.

** Patch added: "Debdiff for lucid"
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/914746/+attachment/3222971/+files/cacti_0.8.7e-2ubuntu0.2_0.8.7e-2ubuntu0.3.debdiff

** Changed in: cacti (Ubuntu Lucid)
       Status: Incomplete => Confirmed

** Changed in: cacti (Ubuntu Natty)
       Status: Incomplete => Invalid

** Changed in: cacti (Ubuntu Oneiric)
       Status: Incomplete => Invalid

** Changed in: cacti (Ubuntu Lucid)
       Status: Confirmed => In Progress

** Changed in: cacti (Ubuntu Natty)
     Assignee: Paul Gevers (paul-climbing) => (unassigned)

** Changed in: cacti (Ubuntu Oneiric)
     Assignee: Paul Gevers (paul-climbing) => (unassigned)

** Changed in: cacti (Ubuntu Lucid)
     Assignee: Paul Gevers (paul-climbing) => (unassigned)

** Patch removed: "Checked lucid patch"
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/914746/+attachment/3216082/+files/LP914746_regression_lucid_string_offset_in_data_query.patch

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/914746

Title:
  cacti SNMP verbose query PHP error

Status in Cacti, the complete rrdtool-based graphing solution:
  New
Status in “cacti” package in Ubuntu:
  Fix Released
Status in “cacti” source package in Lucid:
  In Progress
Status in “cacti” source package in Natty:
  Invalid
Status in “cacti” source package in Oneiric:
  Invalid
Status in “cacti” package in Debian:
  Fix Released

Bug description:
  [IMPACT]
   * If you try to turn on "SNMP - Interface Statistics" on a host with SNMP facilities turned off, the current behavior of cacti is that it generates a php error instead of catching the empty result. As this behavior is basically strange user behavior, the impact is small, although multiple people report the issue. I don't think this warrants an SRU, but still my patch fixes the issue by testing for empty results (as is intended by the code) and thus allowing the php code to return normally (although still not telling you what went wrong).

  [TESTCASE]

   * With cacti installed and configured, go to the /cacti/host.php page (via the "devices" link on every cacti page) and select a device (e.g. localhost)
   * Make sure that in the SNMP Options section the SNMP Version is set to "Not In Use"
   * In the "Associated Data Queries" part, select "SNMP - Interface Statistics" in the "Add data query" drop down selection box and press "Add".
   * The next screen is blank.
   * In the apache error.log you will find:
     PHP Fatal error:  Cannot use string offset as an array in /usr/share/cacti/site/lib/data_query.php on line 183, referer: http://localhost/cacti/host.php?action=edit&id=1
   * After the patch the result will be return to the host.php file, but it will show the added "SNMP - Interface Statistics" with "Success [0 Items, 0 Rows]"

  [Regression Potential]

   * I don't know how adding a check for emptyness of a variable that
  should not be empty can cause regression. Maybe somebody else can come
  up with one?

  [Other Info]

    * As mentioned before, I am not sure this issue warrants a SRU.
    * Only lucid (-updates) is effected by this bug, other Ubuntu releases don't experience it.

  [original report]
  when adding an SNMP - Interface statistics data query, and clicking on the 'verbose list' link, I get a 500 internal error, and the following line in the apache log file:

  PHP Fatal error:  Cannot use string offset as an array in
  /usr/share/cacti/site/lib/data_query.php on line 183, referer:
  http://localhost/cacti/host.php?action=edit&id=1

  this prevents me from having network interface statistics followed by
  cacti.

  additional info:

  # lsb_release -rd
  Description:	Ubuntu 10.04.3 LTS
  Release:	10.04

  # apt-cache policy cacti
  cacti:
    Installed: 0.8.7e-2ubuntu0.2
    Candidate: 0.8.7e-2ubuntu0.2
    Version table:
   *** 0.8.7e-2ubuntu0.2 0
          500 http://mirror.us.leaseweb.net/ubuntu/ lucid-updates/universe Packages
          500 http://security.ubuntu.com/ubuntu/ lucid-security/universe Packages
          100 /var/lib/dpkg/status
       0.8.7e-2 0
          500 http://mirror.us.leaseweb.net/ubuntu/ lucid/universe Packages

  # apt-cache policy php5
  php5:
    Installed: 5.3.2-1ubuntu4.11
    Candidate: 5.3.2-1ubuntu4.11
    Version table:
   *** 5.3.2-1ubuntu4.11 0
          500 http://mirror.us.leaseweb.net/ubuntu/ lucid-updates/main Packages
          500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
          100 /var/lib/dpkg/status
       5.3.2-1ubuntu4 0
          500 http://mirror.us.leaseweb.net/ubuntu/ lucid/main Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/cacti/+bug/914746/+subscriptions