Bug 23318 - glpi new security issue CVE-2018-13049
Summary: glpi new security issue CVE-2018-13049
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-17 15:43 CEST by David Walser
Modified: 2018-08-10 16:39 CEST

See Also:
Source RPM: glpi-9.2.3-1.mga7.src.rpm
CVE:
Status comment:



David Walser 2018-07-17 15:43:31 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Guillaume Rousse 2018-07-19 19:46:11 CEST
glpi-9.3.0-1.mga7 submitted in cauldron, and glpi-9.1.6-2.2.mga6 submitted in updates_testing.

Assignee: guillomovitch => qa-bugs

Comment 2 David Walser 2018-07-19 20:55:42 CEST
Advisory:
========================

Updated glpi package fixes security vulnerability:

The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0
allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to
front/computer.php (CVE-2018-13049).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13049
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45ZBDWBMNJVPQ6FZVBLDLZRLJNSTTEWL/

David Walser 2018-07-19 21:12:06 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 Herman Viaene 2018-07-27 15:36:00 CEST
Following bug 21331 found out that mysql database was already initialized from previous updates.
So pointing to http://localhost/glpi/ and logging in with the default glpi user gets me into the initial screen of the application.
So far for me, seems OK

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2018-08-09 15:21:32 CEST
Mageia 6, x86_64

Installing and configuring mysql and task-lamp required a couple of days'
research following links and delving in notebooks before getting to the
starting point.  Had totally forgotten everything about mysql in less
than a year.  Checked the operation of glpi before the update and all
seemed to be in order. 

Updated glpi, restarted mysqld, and httpd to be on the safe side.

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
[...]

MariaDB [(none)]> use dbbglpi
Database changed

> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Pointed firefox at http://localhost/glpi/ and accepted the default language (English) and agreed to T&C.  Selected upgrade and passed most of the tests.
Connection parameters were { MySQL, glpi, 'root' password }
Connection test failed - which is as far as it ever gets.  I have always
assumed that this is OK as far as it goes.

Giving this the OK, with some uncertainty.

CC: (none) => tarazed25
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Len Lawrence 2018-08-09 21:41:00 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-08-10 15:13:59 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2018-08-10 16:39:51 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0330.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

