Upstream has released 0.83.9, fixing a handful of bugs and a security issue:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=297&lang=en

The security issue appears to be this upstream bug:
https://forge.indepnet.net/issues/4372
Whiteboard: (none) => MGA3TOO, MGA2TOO
Fixed in Cauldron in glpi-0.83.9-1.mga4.
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
glpi-0.83.91:
https://forge.indepnet.net/projects/glpi/versions/928
https://forge.indepnet.net/issues/4375
CC: (none) => oe
Thanks Oden. Here's the release announcement:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=300&lang=en

Changing version back to Cauldron.
Version: 3 => Cauldron
Summary: glpi new security issue fixed in 0.83.9 => glpi new security issues fixed in 0.83.9 and 0.83.91
Whiteboard: MGA2TOO => MGA3TOO, MGA2TOO
More info on the issue fixed in 0.83.91: http://openwall.com/lists/oss-security/2013/06/27/4
More info on the issue fixed in 0.83.9: http://openwall.com/lists/oss-security/2013/06/27/6
http://www.openwall.com/lists/oss-security/2013/06/30/10

> Multiple SQL injections have been reported in GLPI:
> http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html
>
> (note that the original advisory was hosted at www.zeroscience.mk
> but it 404s as of the time of writing)

Please use CVE-2013-2226 for this issue.

> And a local file inclusion vulnerability was also reported:
> http://packetstormsecurity.com/files/122087/GLPI-0.83.7-Parameter-Traversal-Arbitrary-File-Access.html

Please use CVE-2013-2227 for this issue.

--------------------------------------------------------------------------

http://www.openwall.com/lists/oss-security/2013/06/30/9

> When passing a non-existent empty serialized class (ex: class
> called "exploit" value "O%3A7%3A%22exploit%22%3A0%3A%7B%7D"), an
> error occurs, which is caught by the userErrorHandlerNormal
> function in toolbox.class.php.
>
> When a PHP object gets unserialized, its __wakeup() function is
> executed. When this object gets destroyed, its __destruct()
> function is executed (since PHP5). No such object exists throughout
> the GLPI codebase. However, it might exist in a third-party
> library, as demonstrated by Stefan Esser [2]. More information
> about this vulnerability class can be found at [1].
>
> The unsafe use of unserialize() has been fixed throughout the
> codebase in commits 21169 [3] to 21180.
>
> References:
> [1] https://www.owasp.org/index.php/PHP_Object_Injection
> [2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf part II
> [3] https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff/branches/0.83-bugfixes/inc/ticket.class.php

Please use CVE-2013-2225 for this issue.
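The behaviour described in the quoted CVE-2013-2225 report, shown next to a restricted decode, as an added example that is not part of the original report and is not GLPI's code or its fix. `CacheFile`, `contains_object` and `decode_untrusted` are hypothetical names, the inputs are constructed, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added example. Requires PHP 7.0+ for the allowed_classes option.

// Hypothetical stand-in for a third-party class that has magic methods.
class CacheFile
{
    public function __wakeup()   { echo "  CacheFile::__wakeup() ran\n"; }
    public function __destruct() { echo "  CacheFile::__destruct() ran\n"; }
}

// True if $value is, or contains at any depth, an object of any kind.
// The instanceof test covers PHP < 7.2, where is_object() is false for
// __PHP_Incomplete_Class.
function contains_object($value)
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Decode request data without instantiating any class named in the input.
// Returns the decoded array, or null for objects, scalars and malformed data.
function decode_untrusted($raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($value) && !contains_object($value)) ? $value : null;
}

// Constructed inputs: a serialized CacheFile, the string quoted in the
// report (URL-decoded), and a plain array of scalars.
$object   = 'O:9:"CacheFile":0:{}';
$advisory = urldecode('O%3A7%3A%22exploit%22%3A0%3A%7B%7D');
$plain    = serialize(['itemtype' => 'Ticket', 'id' => 12]);

echo "unserialize() on request data:\n";
$instance = unserialize($object); // instantiates CacheFile, calling __wakeup()
unset($instance);                 // last reference dropped, calling __destruct()

echo "decode_untrusted():\n";
var_dump(decode_untrusted($object), decode_untrusted($advisory), decode_untrusted($plain));
```

On PHP releases that predate `allowed_classes`, the equivalent control is to exchange such data in a format that cannot name classes, such as JSON.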
Fixed in glpi-0.83.9.1-1.mga4 for Cauldron.
Fedora has issued an advisory for this on June 20: https://lists.fedoraproject.org/pipermail/package-announce/2013-July/110621.html
URL: (none) => http://lwn.net/Vulnerabilities/557670/
Upstream has released 0.84.2 today (September 12):
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308&lang=en

As you can see from the ChangeLog:
https://forge.indepnet.net/projects/glpi/versions/954

It fixes CVE-2013-5696:
https://forge.indepnet.net/issues/4480
Summary: glpi new security issues fixed in 0.83.9 and 0.83.91 => glpi new security issues fixed in 0.83.9, 0.83.91, and 0.84.2
I just submitted glpi-0.83.9.91-1.1.mga3 in update testing, with additional patches fixing the last issue (CVE-2013-5696).
Thanks Guillaume!

I'm having a hard time coming up with text for the advisory, based on the information available.

I believe we have CVE-2013-2226 (fixed in 0.83.9):
https://forge.indepnet.net/issues/4372
http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html

as well as CVE-2013-2225 (fixed in 0.83.91):
https://forge.indepnet.net/issues/4375
http://openwall.com/lists/oss-security/2013/06/30/9

It looks like CVE-2013-2227, also mentioned in that ticket, only affects 0.83.7.

Finally, we have CVE-2013-5696 (fixed in 0.84.2 or with the patch we have):
https://forge.indepnet.net/issues/4480

Advisory:
========================

Updated glpi package fixes security vulnerabilities:

Multiple security vulnerabilities due to improper sanitation of user input in GLPI before versions 0.83.9 (CVE-2013-2226), 0.83.91 (CVE-2013-2225), and 0.84.2 (CVE-2013-5696).

This update provides GLPI version 0.83.91, with a patch from GLPI 0.84.2, to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5696
https://forge.indepnet.net/issues/4372
https://forge.indepnet.net/issues/4375
https://forge.indepnet.net/issues/4480
http://www.glpi-project.org/spip.php?page=annonce&id_breve=297&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=300&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308&lang=en
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/110621.html
========================

Updated packages in core/updates_testing:
========================
glpi-0.83.91-1.1.mga3

from glpi-0.83.91-1.1.mga3.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
The whiteboard has MGA2TOO. Is the mga2 build being worked on, or should that be removed?
CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO feedback
Blocks: (none) => 6762
Oh yeah, sorry about that. We aren't supporting this package on Mageia 2 anymore.
Whiteboard: MGA2TOO feedback => (none)
Testing complete on Mageia 3 i586 and x86_64, and advisory committed to svn. Someone from the sysadmin team please push 10579.adv to updates.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0288.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
No patches available upstream for the GLPI version from Mageia 2 (0.80), meaning no update for this distribution, at least from me.
LWN reference for CVE-2013-5696:
http://lwn.net/Vulnerabilities/567696/

BTW, a Debian developer on the oss-security list has complained about this CVE, claiming that it covers three separate unrelated security issues:
http://openwall.com/lists/oss-security/2013/09/20/2

So this CVE might get split. Which issue or issues does our patch fix?