Bug 10579 - glpi new security issues fixed in 0.83.9, 0.83.91, and 0.84.2
: glpi new security issues fixed in 0.83.9, 0.83.91, and 0.84.2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/557670/
: MGA3-64-OK MGA3-32-OK
: validated_update
:
: 6762
  Show dependency treegraph
 
Reported: 2013-06-21 03:42 CEST by David Walser
Modified: 2013-09-20 21:00 CEST (History)
5 users (show)

See Also:
Source RPM: glpi-0.83.8-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-06-21 03:42:25 CEST
Upstream has released 0.83.9, fixing a handful of bugs and a security issue:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=297&lang=en

The security issue appears to be this upstream bug:
https://forge.indepnet.net/issues/4372

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-06-21 14:37:24 CEST
Fixed in Cauldron in glpi-0.83.9-1.mga4.
Comment 3 David Walser 2013-06-25 17:34:09 CEST
Thanks Oden.  Here's the release announcement:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=300&lang=en

Changing version back to Cauldron.
Comment 4 David Walser 2013-06-27 15:59:00 CEST
More info on the issue fixed in 0.83.91:
http://openwall.com/lists/oss-security/2013/06/27/4
Comment 5 David Walser 2013-06-27 18:44:56 CEST
More info on the issue fixed in 0.83.9:
http://openwall.com/lists/oss-security/2013/06/27/6
Comment 6 Oden Eriksson 2013-07-01 10:20:17 CEST
http://www.openwall.com/lists/oss-security/2013/06/30/10

> Multiple SQL injections have been reported in GLPI: 
> http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html
>
>  (note that the original advisory was hosted at www.zeroscience.mk
> but it 404s as of the time of writing)

Please use CVE-2013-2226 for this issue.

> And a local file inclusion vulnerability was also reported: 
> http://packetstormsecurity.com/files/122087/GLPI-0.83.7-Parameter-Traversal-Arbitrary-File-Access.html

Please
> 
use CVE-2013-2227 for this issue.

--------------------------------------------------------------------------

http://www.openwall.com/lists/oss-security/2013/06/30/9

> When passing a non-existent empty serialized class (ex: class
> called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an
> error occurs, which is caught by the userErrorHandlerNormal
> function in toolbox.class.php.
> 
> When a PHP object gets unserialized, its __wakeup() function is 
> executed. When this object gets destroyed, its __destruct()
> function is executed (since PHP5). No such object exists throughout
> the GLPI codebase. However, it might exist in a third-party
> library, as demonstrated by Stefan Esser [2]. More information
> about this vulnerability class can be found at [1].
> 
> The unsafe use of unserialize() has been fixed throughout the
> codebase in commits 21169 [3] to 21180.
> 
> References: [1]
> https://www.owasp.org/index.php/PHP_Object_Injection [2] 
> http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.p
>
> 
df part II
> [3] 
> https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff
>
> 
/branches/0.83-bugfixes/inc/ticket.class.php

Please use CVE-2013-2225 for this issue.
Comment 7 David Walser 2013-07-03 21:52:28 CEST
Fixed in glpi-0.83.9.1-1.mga4 for Cauldron.
Comment 8 David Walser 2013-07-04 22:26:22 CEST
Fedora has issued an advisory for this on June 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/110621.html
Comment 9 David Walser 2013-09-13 03:32:40 CEST
Upstream has released 0.84.2 today (September 12):
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308&lang=en

As you can see from the ChangeLog:
https://forge.indepnet.net/projects/glpi/versions/954

It fixes CVE-2013-5696:
https://forge.indepnet.net/issues/4480
Comment 10 Guillaume Rousse 2013-09-19 20:07:31 CEST
I just submitted glpi-0.83.9.91-1.1.mga3 in update testing, with additional patches fixing last issue (CVE-2013-5696).
Comment 11 David Walser 2013-09-19 21:08:09 CEST
Thanks Guillaume!

I'm having a hard time coming up with text for the advisory, based on the information available.

I believe we have CVE-2013-2226 (fixed in 0.83.9):
https://forge.indepnet.net/issues/4372
http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html

as well as CVE-2013-2225 (fixed in 0.83.91):
https://forge.indepnet.net/issues/4375
http://openwall.com/lists/oss-security/2013/06/30/9

It looks like CVE-2013-2227, also mentioned in that ticket, only affects 0.83.7.

Finally, we have CVE-2013-5696 (fixed in 0.84.2 or with the patch we have):
https://forge.indepnet.net/issues/4480

Advisory:
========================

Updated glpi package fixes security vulnerabilities:

Multiple security vulnerabilities due to improper sanitation of user input
in GLPI before versions 0.83.9 (CVE-2013-2226), 0.83.91 (CVE-2013-2225),
and 0.84.2 (CVE-2013-5696).

This update provides GLPI version 0.83.91, with a patch from GLPI 0.84.2,
to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5696
https://forge.indepnet.net/issues/4372
https://forge.indepnet.net/issues/4375
https://forge.indepnet.net/issues/4480
http://www.glpi-project.org/spip.php?page=annonce&id_breve=297&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=300&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308&lang=en
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/110621.html
========================

Updated packages in core/updates_testing:
========================
glpi-0.83.91-1.1.mga3

from glpi-0.83.91-1.1.mga3.src.rpm
Comment 12 Dave Hodgins 2013-09-19 22:19:22 CEST
The whiteboard has MGA2TOO.  Is the mga2 build being worked on, or should
that be removed?
Comment 13 David Walser 2013-09-19 22:35:59 CEST
Oh yeah, sorry about that.  We aren't supporting this package on Mageia 2 anymore.
Comment 14 Dave Hodgins 2013-09-19 22:53:45 CEST
Testing complete on Mageia 3 i586 and x86_64, and advisory committed to svn.

Someone from the sysadmin team please push 10579.adv to updates.
Comment 15 Thomas Backlund 2013-09-20 07:47:57 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0288.html
Comment 16 Guillaume Rousse 2013-09-20 17:33:31 CEST
No patches available upstream for the GLPI version from mageia 2 (0.80), meaning no update for this distribution, at least from me.
Comment 17 David Walser 2013-09-20 21:00:19 CEST
LWN reference for CVE-2013-5696:
http://lwn.net/Vulnerabilities/567696/

BTW, a Debian developer on the oss-security list has complained about this CVE, claiming that it covers three separate unrelated security issues:
http://openwall.com/lists/oss-security/2013/09/20/2

So this CVE might get split.  Which issue or issues does our patch fix?

Note You need to log in before you can comment on or make changes to this bug.