| Summary: | glpi new security issue CVE-2018-13049 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | herman.viaene, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | glpi-9.2.3-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2018-07-17 15:43:16 CEST
David Walser
2018-07-17 15:43:31 CEST
Whiteboard: (none) => MGA6TOO

glpi-9.3.0-1.mga7 submitted in cauldron, and glpi-9.1.6-2.2.mga6 submitted in updates_testing.

Assignee: guillomovitch => qa-bugs

Advisory:
========================

Updated glpi package fixes security vulnerability:

The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php (CVE-2018-13049).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13049
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45ZBDWBMNJVPQ6FZVBLDLZRLJNSTTEWL/
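
The advisory above describes SQL injection through a crafted LIMIT clause. As an added illustration (not GLPI's code and not part of this bug report), the sketch below contrasts a paginated search that concatenates its paging values with one that validates and binds them; the table, the function names, the row cap and the use of SQLite in place of MySQL are assumptions made so that it runs offline.

```python
import re
import sqlite3

MAX_ROWS = 100  # assumed upper bound for one result page

def make_db():
    # Constructed sample data standing in for an inventory table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE computers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO computers (name) VALUES (?)",
                   [("pc-01",), ("pc-02",), ("pc-03",)])
    return db

def search_vulnerable(db, start, limit):
    # Request values are pasted into the statement text, so whatever follows
    # the number is parsed as SQL instead of being treated as data.
    sql = f"SELECT id, name FROM computers ORDER BY id LIMIT {limit} OFFSET {start}"
    return db.execute(sql).fetchall()

def paging_int(raw, upper):
    # Accept plain decimal digits only, then clamp to the allowed range.
    text = str(raw).strip()
    if not re.fullmatch(r"[0-9]{1,9}", text):
        raise ValueError(f"paging value is not an integer: {text!r}")
    return min(int(text), upper)

def search_hardened(db, start, limit):
    start = paging_int(start, 10**9)
    limit = paging_int(limit, MAX_ROWS)
    # Integers are bound as parameters and never reach the SQL parser as text.
    sql = "SELECT id, name FROM computers ORDER BY id LIMIT ? OFFSET ?"
    return db.execute(sql, (limit, start)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # "1+1" is a harmless constructed probe: two rows back means the value was
    # evaluated as an SQL expression.
    print(search_vulnerable(db, "0", "1+1"))
    print(search_hardened(db, "0", "1"))
    try:
        search_hardened(db, "0", "1+1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same arithmetic probe is a low-risk regression check after an update: a fixed search rejects it or ignores it instead of returning the evaluated number of rows.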
David Walser
2018-07-19 21:12:06 CEST
Version: Cauldron => 6

Following bug 21331 found out that mysql database was already initialized from previous updates. So pointing to http://localhost/glpi/ and logging in with the default glpi user gets me into the initial screen of the application. So far for me, seems OK

Whiteboard: (none) => MGA6-32-OK

Mageia 6, x86_64

Installing and configuring mysql and task-lamp required a couple of days research following links and delving in notebooks before getting to the starting point. Had totally forgotten everything about mysql in less than a year.

Checked the operation of glpi before the update and all seemed to be in order. Updated glpi, restarted mysqld, and httpd to be on the safe side.

$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
[...]
MariaDB [(none)]> use dbbglpi
Database changed
> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Pointed firefox at http://localhost/glpi/ and accepted the default language (English) and agreed to T&C. Selected upgrade and passed most of the tests.
Connection parameters were { MySQL, glpi, 'root' password }
Connection test failed - which is as far as it ever gets. I have always assumed that this is OK as far as it goes.

Giving this the OK, with some uncertainty.

CC: (none) => tarazed25
Len Lawrence
2018-08-09 21:41:00 CEST
Keywords: (none) => validated_update
Thomas Backlund
2018-08-10 15:13:59 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0330.html

Status: NEW => RESOLVED