Bug 27964 - glpi new security issues CVE-2020-5248, CVE-2020-1106[02], CVE-2020-11031, CVE-2020-15108, CVE-2020-1517[5-7], CVE-2020-15226, CVE-2020-26212 and CVE-2020-2766[23]
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-29 06:37 CET by Zombie Ryushu
Modified: 2021-07-01 18:27 CEST
CC List: 2 users

See Also:
Source RPM: glpi-9.4.6-2.mga8.src.rpm
CVE: CVE-2020-27663
Status comment: Fixed upstream in 9.5.3


Attachments

Description Zombie Ryushu 2020-12-29 06:37:24 CET
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
Zombie Ryushu 2020-12-29 06:37:42 CET

Whiteboard: (none) => MGA7TOO
CVE: (none) => CVE-2020-27663
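As an added illustration of the vulnerability class named in the description (this is not GLPI's code and not the upstream patch; the table contents, session structure and function names are constructed for the example), the following PHP contrasts a dropdown endpoint that trusts the requested item type with one that allowlists the type and enforces the caller's read right before returning rows:

```php
<?php
// Illustrative reconstruction, not GLPI code: an AJAX dropdown endpoint
// that returns display names for a requested item type.

// Constructed in-memory "tables" standing in for the database.
$tables = [
    'Computer' => [['id' => 1, 'name' => 'ws-001'], ['id' => 2, 'name' => 'ws-002']],
    'Ticket'   => [['id' => 10, 'name' => 'Password reset for CFO']],
    'User'     => [['id' => 5, 'name' => 'j.doe']],
];

// Constructed session: the caller is a technician allowed to read Computers only.
$session = [
    'user'   => 'tech1',
    'rights' => ['Computer' => ['read' => true]],
];

// Vulnerable pattern (IDOR): the item type comes straight from the request and
// selects a table with no authorization check, so any caller who can reach the
// endpoint can enumerate any table the application knows about.
function getDropdownValueVulnerable(array $request, array $tables): array
{
    $itemtype = $request['itemtype'] ?? '';
    return $tables[$itemtype] ?? [];
}

// Hardened pattern:
//  1. allowlist the item types this endpoint is meant to serve;
//  2. require that the current session holds the read right on that type;
//  3. return only the columns the dropdown actually needs.
function getDropdownValueHardened(array $request, array $session, array $tables): array
{
    $allowed  = ['Computer', 'Ticket', 'User'];
    $itemtype = $request['itemtype'] ?? '';
    if (!in_array($itemtype, $allowed, true)) {
        throw new InvalidArgumentException('unknown itemtype');
    }
    if (empty($session['rights'][$itemtype]['read'])) {
        // Deny by default and log the refusal so repeated probing is visible server-side.
        error_log(sprintf('denied dropdown read of %s by %s', $itemtype, $session['user']));
        throw new RuntimeException('forbidden');
    }
    return array_map(
        fn(array $row): array => ['id' => $row['id'], 'name' => $row['name']],
        $tables[$itemtype]
    );
}

// Demonstration with a request for a type the session may not read.
$request = ['itemtype' => 'Ticket'];
var_dump(getDropdownValueVulnerable($request, $tables));   // leaks ticket titles
try {
    getDropdownValueHardened($request, $session, $tables);
} catch (RuntimeException $e) {
    echo "hardened endpoint: {$e->getMessage()}\n";          // forbidden
}
print_r(getDropdownValueHardened(['itemtype' => 'Computer'], $session, $tables));
```

The point of the hardened variant is that authorization is decided per item type against the session, not inferred from the fact that a caller could name the type; the allowlist additionally keeps internal or unexpected types from being reachable through this endpoint at all.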

Comment 1 David Walser 2020-12-29 17:01:21 CET
Quite a few more issues than that that we've missed.  Release log:
https://github.com/glpi-project/glpi/releases

Upstream security advisories page lists these that we've missed.

Affecting only Mageia 7:
CVE-2020-5248 CVE-2020-1106[02]:
https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f
https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h

Also affecting Cauldron:
CVE-2020-11031 CVE-2020-15108 CVE-2020-1517[5-7] CVE-2020-15226:
https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqh
https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v
https://github.com/glpi-project/glpi/security/advisories/GHSA-rm52-jx9h-rwcp
https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw
https://github.com/glpi-project/glpi/security/advisories/GHSA-prvh-9m4h-4m79
https://github.com/glpi-project/glpi/security/advisories/GHSA-jwpv-7m4h-5gvc
https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx
https://github.com/glpi-project/glpi/security/advisories/GHSA-wq38-gwxp-8p5p
https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4

Status comment: (none) => Fixed upstream in 9.5.3
Summary: glpi security issue CVE-2020-27663 => glpi new security issues CVE-2020-5248, CVE-2020-1106[02], CVE-2020-11031, CVE-2020-15108, CVE-2020-1517[5-7], CVE-2020-15226, CVE-2020-26212 and CVE-2020-2766[23]
Severity: normal => major
Assignee: bugsquad => guillomovitch
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-27663 => (none)

Comment 2 Nicolas Lécureuil 2020-12-30 20:11:10 CET
Planned to be removed from Cauldron.

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 3 David Walser 2020-12-31 15:57:09 CET
Package is still in Cauldron.

Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron

Comment 4 Nicolas Lécureuil 2020-12-31 16:22:29 CET
removed now :-)

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 5 Zombie Ryushu 2020-12-31 19:31:19 CET
Why are you removing stuff that still works?!
Comment 6 David Walser 2020-12-31 19:37:58 CET
The maintainer isn't interested in continuing to maintain it going forward.  Also, generally speaking, as web apps continue to suffer serious vulnerabilities and need to be updated quickly and more of them offer self-updating capability, it is making less sense to package them as RPMs.
Comment 7 Guillaume Rousse 2021-01-09 11:17:00 CET
@Zombie: feel free to volunteer for taking over maintainership, but it's a pain in the ass. Basically, constraints imposed by distribution packaging standards, such as debundling dependencies and providing security updates without changing version, don't mix well with the web application ecosystem. Given that those applications are also relatively easy to install for end users, compared with compiled applications, there isn't enough added value to invest time anymore.
Comment 8 Guillaume Rousse 2021-01-16 11:13:46 CET
I'm closing this issue as WONTFIX. Anyone is free to reopen it, but only if he intends to fix the issue himself.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX

Comment 9 Zombie Ryushu 2021-01-16 12:14:50 CET
I cannot commit updates to Mageia, only to the Rosa build cluster. I can link you to whatever Rosa's resolution is; would that be alright?
Comment 10 Guillaume Rousse 2021-01-16 13:02:47 CET
We don't need whatever solution, we need a solution compatible with our update policy, which means patches for version 9.4.6.
Comment 11 Nicolas Lécureuil 2021-01-16 13:37:22 CET
Trying to look. I will look at whether we can just update to the latest 9.4.6 (updating to 9.5 is not possible without a lot of work).
Comment 12 Nicolas Lécureuil 2021-01-16 13:48:30 CET
The main issue is that updating to 9.4.6 is simple. But, for example, https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqh makes use of a new library (this explains well why we drop it).
Comment 13 Guillaume Rousse 2021-01-16 17:30:32 CET
My mistake, I've been confused by the information in the ticket. I'll take care of pushing 9.4.6 as security update for mageia 7.

Pushing 9.5.x is not just a lot of work, it is also a violation of update policy, as it involves a database schema change.

Resolution: WONTFIX => (none)
Status: RESOLVED => REOPENED

Comment 14 David Walser 2021-01-16 19:06:16 CET
We'll just have to clone the bug and fix what we can.  Some issues are only fixed in 9.5.3, so we'd need patches if we're ever going to fix those, but some are fixed in 9.4.6.
Comment 15 Guillaume Rousse 2021-01-17 23:35:03 CET
glpi-9.4.6-1.1.mga7 just submitted in updates_testing
Comment 16 David Walser 2021-01-18 00:52:30 CET
Thanks.  It won't really matter here, but for future reference, the subrel should be removed when upgrading to a new version.
Comment 18 David Walser 2021-06-29 01:35:28 CEST
(In reply to David Walser from comment #17)
> We could fix a few more issues before issuing an update.  These advisories
> all link patches that can be applied:
> https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v
> https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx

9.4.6 isn't affected by those two.

> https://github.com/glpi-project/glpi/security/advisories/GHSA-wq38-gwxp-8p5p

Would take significant work to backport.

> https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4

Appears to already be fixed in 9.4.6.

We do have an update to 9.4.6 already built, but I'm not sure it's worth pushing at this point.  Feel free to assign to QA if you disagree.

CC: (none) => luigiwalser

Comment 19 David Walser 2021-07-01 18:27:19 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: REOPENED => RESOLVED
Resolution: (none) => OLD

