Bug 13789

Summary: glpi new security issue CVE-2014-5032
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: oe
Version: 4   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/629242/
Whiteboard:
Source RPM: glpi-0.84.6-1.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 14933    
Bug Blocks:    

Description David Walser 2014-07-23 00:44:50 CEST
A CVE has been assigned for a security issue fixed in GLPI 0.84.7:
http://openwall.com/lists/oss-security/2014/07/22/15

The upstream bug, upstream commit to fix the issue, and release announcement for GLPI 0.84.7 are all linked in the message above.

David Walser 2014-07-23 00:44:58 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-07-31 12:57:36 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=1122067#c2

CC: (none) => oe

Comment 2 David Walser 2014-07-31 14:05:59 CEST
(In reply to Oden Eriksson from comment #1)
> https://bugzilla.redhat.com/show_bug.cgi?id=1122067#c2

So we have 0.84.x in Mageia 3 and up, so they are all affected.

Comment 3 Oden Eriksson 2014-07-31 15:20:11 CEST
mga3 has glpi-0.83.91-1.1.mga3

Comment 4 Guillaume Rousse 2014-07-31 15:30:18 CEST
That's just a minor information leak, for a very specific information category, that would only affect people with fine grained access control. Not worth an update for me.

Comment 5 David Walser 2014-07-31 15:56:28 CEST
(In reply to Oden Eriksson from comment #3)
> mga3 has glpi-0.83.91-1.1.mga3

Oops, I forgot my laptop is running mga4 for a minute there :o)

Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO

Comment 6 David Walser 2014-07-31 16:00:53 CEST
Fixed in Cauldron in glpi-0.84.7-1.mga5 by Oden.

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

David Walser 2015-01-02 19:45:41 CET

Depends on: (none) => 14933

Comment 7 David Walser 2015-01-09 17:57:30 CET
Fixed in http://advisories.mageia.org/MGASA-2015-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-12 19:18:03 CET

URL: (none) => http://lwn.net/Vulnerabilities/629242/