Bug 10579

Summary:	glpi new security issues fixed in 0.83.9, 0.83.91, and 0.84.2
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	davidwhodgins, guillomovitch, oe, sysadmin-bugs, tmb
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/557670/
Whiteboard:	MGA3-64-OK MGA3-32-OK
Source RPM:	glpi-0.83.8-1.mga3.src.rpm	CVE:
Status comment:
Bug Depends on:
Bug Blocks:	6762

Description David Walser 2013-06-21 03:42:25 CEST

Upstream has released 0.83.9, fixing a handful of bugs and a security issue:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=297&lang=en

The security issue appears to be this upstream bug:
https://forge.indepnet.net/issues/4372

Reproducible: 

Steps to Reproduce:

David Walser 2013-06-21 03:42:33 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-06-21 14:37:24 CEST

Fixed in Cauldron in glpi-0.83.9-1.mga4.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 2 Oden Eriksson 2013-06-25 17:31:04 CEST

glpi-0.83.91:

https://forge.indepnet.net/projects/glpi/versions/928
https://forge.indepnet.net/issues/4375

CC: (none) => oe

Comment 3 David Walser 2013-06-25 17:34:09 CEST

Thanks Oden.  Here's the release announcement:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=300&lang=en

Changing version back to Cauldron.

Version: 3 => Cauldron
Summary: glpi new security issue fixed in 0.83.9 => glpi new security issues fixed in 0.83.9 and 0.83.91
Whiteboard: MGA2TOO => MGA3TOO, MGA2TOO

Comment 4 David Walser 2013-06-27 15:59:00 CEST

More info on the issue fixed in 0.83.91:
http://openwall.com/lists/oss-security/2013/06/27/4

Comment 5 David Walser 2013-06-27 18:44:56 CEST

More info on the issue fixed in 0.83.9:
http://openwall.com/lists/oss-security/2013/06/27/6

Comment 6 Oden Eriksson 2013-07-01 10:20:17 CEST

http://www.openwall.com/lists/oss-security/2013/06/30/10

> Multiple SQL injections have been reported in GLPI: 
> http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html
>
>  (note that the original advisory was hosted at www.zeroscience.mk
> but it 404s as of the time of writing)

Please use CVE-2013-2226 for this issue.

> And a local file inclusion vulnerability was also reported: 
> http://packetstormsecurity.com/files/122087/GLPI-0.83.7-Parameter-Traversal-Arbitrary-File-Access.html

Please
> 
use CVE-2013-2227 for this issue.

--------------------------------------------------------------------------

http://www.openwall.com/lists/oss-security/2013/06/30/9

> When passing a non-existent empty serialized class (ex: class
> called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an
> error occurs, which is caught by the userErrorHandlerNormal
> function in toolbox.class.php.
> 
> When a PHP object gets unserialized, its __wakeup() function is 
> executed. When this object gets destroyed, its __destruct()
> function is executed (since PHP5). No such object exists throughout
> the GLPI codebase. However, it might exist in a third-party
> library, as demonstrated by Stefan Esser [2]. More information
> about this vulnerability class can be found at [1].
> 
> The unsafe use of unserialize() has been fixed throughout the
> codebase in commits 21169 [3] to 21180.
> 
> References: [1]
> https://www.owasp.org/index.php/PHP_Object_Injection [2] 
> http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.p
>
> 
df part II
> [3] 
> https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff
>
> 
/branches/0.83-bugfixes/inc/ticket.class.php

Please use CVE-2013-2225 for this issue.

Comment 7 David Walser 2013-07-03 21:52:28 CEST

Fixed in glpi-0.83.9.1-1.mga4 for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 8 David Walser 2013-07-04 22:26:22 CEST

Fedora has issued an advisory for this on June 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/110621.html

URL: (none) => http://lwn.net/Vulnerabilities/557670/

Comment 9 David Walser 2013-09-13 03:32:40 CEST

Upstream has released 0.84.2 today (September 12):
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308&lang=en

As you can see from the ChangeLog:
https://forge.indepnet.net/projects/glpi/versions/954

It fixes CVE-2013-5696:
https://forge.indepnet.net/issues/4480

Summary: glpi new security issues fixed in 0.83.9 and 0.83.91 => glpi new security issues fixed in 0.83.9, 0.83.91, and 0.84.2

Comment 10 Guillaume Rousse 2013-09-19 20:07:31 CEST

I just submitted glpi-0.83.9.91-1.1.mga3 in update testing, with additional patches fixing last issue (CVE-2013-5696).

Comment 11 David Walser 2013-09-19 21:08:09 CEST

Thanks Guillaume!

I'm having a hard time coming up with text for the advisory, based on the information available.

I believe we have CVE-2013-2226 (fixed in 0.83.9):
https://forge.indepnet.net/issues/4372
http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html

as well as CVE-2013-2225 (fixed in 0.83.91):
https://forge.indepnet.net/issues/4375
http://openwall.com/lists/oss-security/2013/06/30/9

It looks like CVE-2013-2227, also mentioned in that ticket, only affects 0.83.7.

Finally, we have CVE-2013-5696 (fixed in 0.84.2 or with the patch we have):
https://forge.indepnet.net/issues/4480

Advisory:
========================

Updated glpi package fixes security vulnerabilities:

Multiple security vulnerabilities due to improper sanitation of user input
in GLPI before versions 0.83.9 (CVE-2013-2226), 0.83.91 (CVE-2013-2225),
and 0.84.2 (CVE-2013-5696).

This update provides GLPI version 0.83.91, with a patch from GLPI 0.84.2,
to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5696
https://forge.indepnet.net/issues/4372
https://forge.indepnet.net/issues/4375
https://forge.indepnet.net/issues/4480
http://www.glpi-project.org/spip.php?page=annonce&id_breve=297&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=300&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308&lang=en
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/110621.html
========================

Updated packages in core/updates_testing:
========================
glpi-0.83.91-1.1.mga3

from glpi-0.83.91-1.1.mga3.src.rpm

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs

Comment 12 Dave Hodgins 2013-09-19 22:19:22 CEST

The whiteboard has MGA2TOO.  Is the mga2 build being worked on, or should
that be removed?

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO feedback

David Walser 2013-09-19 22:35:33 CEST

Blocks: (none) => 6762

Comment 13 David Walser 2013-09-19 22:35:59 CEST

Oh yeah, sorry about that.  We aren't supporting this package on Mageia 2 anymore.

Whiteboard: MGA2TOO feedback => (none)

Comment 14 Dave Hodgins 2013-09-19 22:53:45 CEST

Testing complete on Mageia 3 i586 and x86_64, and advisory committed to svn.

Someone from the sysadmin team please push 10579.adv to updates.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2013-09-20 07:47:57 CEST

Update pushed:
http://advisories.mageia.org/MGASA-2013-0288.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 16 Guillaume Rousse 2013-09-20 17:33:31 CEST

No patches available upstream for the GLPI version from mageia 2 (0.80), meaning no update for this distribution, at least from me.

Comment 17 David Walser 2013-09-20 21:00:19 CEST

LWN reference for CVE-2013-5696:
http://lwn.net/Vulnerabilities/567696/

BTW, a Debian developer on the oss-security list has complained about this CVE, claiming that it covers three separate unrelated security issues:
http://openwall.com/lists/oss-security/2013/09/20/2

So this CVE might get split.  Which issue or issues does our patch fix?