Mageia Bugzilla – Bug 10579
glpi new security issues fixed in 0.83.9, 0.83.91, and 0.84.2
Last modified: 2013-09-20 21:00:19 CEST
Upstream has released 0.83.9, fixing a handful of bugs and a security issue:
The security issue appears to be this upstream bug:
Steps to Reproduce:
Fixed in Cauldron in glpi-0.83.9-1.mga4.
Thanks Oden. Here's the release announcement:
Changing version back to Cauldron.
More info on the issue fixed in 0.83.91:
More info on the issue fixed in 0.83.9:
> Multiple SQL injections have been reported in GLPI:
> (note that the original advisory was hosted at www.zeroscience.mk
> but it 404s as of the time of writing)
Please use CVE-2013-2226 for this issue.
> And a local file inclusion vulnerability was also reported:
use CVE-2013-2227 for this issue.
> When passing a non-existent empty serialized class (ex: class
> called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an
> error occurs, which is caught by the userErrorHandlerNormal
> function in toolbox.class.php.
> When a PHP object gets unserialized, its __wakeup() function is
> executed. When this object gets destroyed, its __destruct()
> function is executed (since PHP5). No such object exists throughout
> the GLPI codebase. However, it might exist in a third-party
> library, as demonstrated by Stefan Esser . More information
> about this vulnerability class can be found at .
> The unsafe use of unserialize() has been fixed throughout the
> codebase in commits 21169  to 21180.
> References: 
> https://www.owasp.org/index.php/PHP_Object_Injection 
df part II
Please use CVE-2013-2225 for this issue.
Fixed in glpi-0.83.9.1-1.mga4 for Cauldron.
Fedora has issued an advisory for this on June 20:
Upstream has released 0.84.2 today (September 12):
As you can see from the ChangeLog:
It fixes CVE-2013-5696:
I just submitted glpi-0.83.9.91-1.1.mga3 in update testing, with additional patches fixing last issue (CVE-2013-5696).
I'm having a hard time coming up with text for the advisory, based on the information available.
I believe we have CVE-2013-2226 (fixed in 0.83.9):
as well as CVE-2013-2225 (fixed in 0.83.91):
It looks like CVE-2013-2227, also mentioned in that ticket, only affects 0.83.7.
Finally, we have CVE-2013-5696 (fixed in 0.84.2 or with the patch we have):
Updated glpi package fixes security vulnerabilities:
Multiple security vulnerabilities due to improper sanitation of user input
in GLPI before versions 0.83.9 (CVE-2013-2226), 0.83.91 (CVE-2013-2225),
and 0.84.2 (CVE-2013-5696).
This update provides GLPI version 0.83.91, with a patch from GLPI 0.84.2,
to fix these issues.
Updated packages in core/updates_testing:
The whiteboard has MGA2TOO. Is the mga2 build being worked on, or should
that be removed?
Oh yeah, sorry about that. We aren't supporting this package on Mageia 2 anymore.
Testing complete on Mageia 3 i586 and x86_64, and advisory committed to svn.
Someone from the sysadmin team please push 10579.adv to updates.
No patches available upstream for the GLPI version from mageia 2 (0.80), meaning no update for this distribution, at least from me.
LWN reference for CVE-2013-5696:
BTW, a Debian developer on the oss-security list has complained about this CVE, claiming that it covers three separate unrelated security issues:
So this CVE might get split. Which issue or issues does our patch fix?