Bug 14933 - glpi new security issue CVE-2014-9258
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/628326/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks: 13789
Reported: 2015-01-02 19:45 CET by David Walser
Modified: 2015-01-09 17:44 CET
Source RPM: glpi-0.84.8-1.mga5.src.rpm

Description David Walser 2015-01-02 19:45:04 CET
Fedora has issued an advisory on December 23:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html

This issue was fixed upstream in 0.85.1:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
https://forge.indepnet.net/issues/5147

Fedora has backported the patch to 0.84.x, which we also have in Mageia 4 and Cauldron:
http://pkgs.fedoraproject.org/cgit/glpi.git/plain/glpi-0.84-CVE-2014-9258.patch?h=f21&id=06e8e7fe81dbf4854d19c1d9a2023731e3b4420e

Additionally, a security issue was fixed upstream in 0.84.8, which we already have in Cauldron, but 0.84.3 in Mageia 4 would still be affected:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en
https://forge.indepnet.net/issues/5101

Finally, we still have CVE-2014-5032 unfixed in Mageia 4 (Bug 13789).  We deferred fixing it when it was reported, but we can fix it now when we do an update for Mageia 4.

David Walser 2015-01-02 19:45:41 CET

Version: 4 => Cauldron
Blocks: (none) => 13789
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-01-05 17:22:46 CET
Fixed in glpi-0.84.8-2.mga5 in Cauldron.

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 2 Guillaume Rousse 2015-01-06 10:10:41 CET
glpi-0.84.3-1.1.mga4, in update_testing, addresses CVE-2014-9258 and CVE-2014-5032.

Comment 3 David Walser 2015-01-06 18:06:57 CET
Thanks Guillaume.  What about the other issue?

It looks like it received CVE-2014-8360:
https://forge.indepnet.net/issues/5101
https://forge.indepnet.net/issues/5113

Comment 4 David Walser 2015-01-06 18:07:23 CET
Here's what I have for the advisory so far with just the two patches.

Advisory:
========================

Updated glpi packages fix security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information
can in fact see the information when selecting cost as a search criteria
(CVE-2014-5032).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1
allows remote authenticated users to execute arbitrary SQL commands via the
condition parameter (CVE-2014-9258).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html

Comment 5 David Walser 2015-01-07 01:18:33 CET
Patched package uploaded by Guillaume.  Thanks again!

Advisory:
========================

Updated glpi packages fix security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information
can in fact see the information when selecting cost as a search criteria
(CVE-2014-5032).

An issue in GLPI before 0.84.8 may allow arbitrary local files to be included
by PHP through an autoload function (CVE-2014-8360).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1
allows remote authenticated users to execute arbitrary SQL commands via the
condition parameter (CVE-2014-9258).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs

Comment 6 David Walser 2015-01-07 01:20:07 CET
Whoops, forgot the package list.

Advisory:
========================

Updated glpi package fixes security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information
can in fact see the information when selecting cost as a search criteria
(CVE-2014-5032).

An issue in GLPI before 0.84.8 may allow arbitrary local files to be included
by PHP through an autoload function (CVE-2014-8360).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1
allows remote authenticated users to execute arbitrary SQL commands via the
condition parameter (CVE-2014-9258).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html
========================

Updated packages in core/updates_testing:
========================
glpi-0.84.3-1.2.mga4

from glpi-0.84.3-1.2.mga4.src.rpm

Comment 7 Herman Viaene 2015-01-07 11:02:13 CET
MGA4-64 on HP Probook 6555b KDE
No installation issues.
After installing and initializing mysql, I could run the glpi initialization without problems.
I will not test on MGA4-32 since that PC is too weak to run all this.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

Comment 8 William Kenney 2015-01-08 17:45:49 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
glpi

default install of glpi

[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed

glpi installs without issue. I can run the glpi initialization
without problems.

install glpi from updates_testing

[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.2.mga4.noarch is already installed

glpi update installs without issue. System reboots back to a
working desktop without issue. Install/setup continues to operate.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 9 William Kenney 2015-01-08 17:46:44 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 10 claire robinson 2015-01-09 16:24:04 CET
Comment 6 advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 11 Mageia Robot 2015-01-09 17:44:46 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED