Bug 6762 - glpi new security issue fixed in 0.83.3 (CVE-2012-4002 and CVE-2012-4003)
Summary: glpi new security issue fixed in 0.83.3 (CVE-2012-4002 and CVE-2012-4003)
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact:
URL: http://www.glpi-project.org/spip.php?...
Whiteboard:
Keywords:
Depends on: 7126 10579
Blocks:
Reported: 2012-07-12 02:26 CEST by David Walser
Modified: 2013-09-19 22:35 CEST (History)

See Also:
Source RPM: glpi-0.80.7-2.mga2.src.rpm
CVE:
Status comment:



Description David Walser 2012-07-12 02:26:34 CEST
The release announcement and ChangeLog both reference a security issue fixed:
https://forge.indepnet.net/projects/glpi/versions/771

So it appears to be the XSS issues in this bug (with links to revisions to fix):
https://forge.indepnet.net/issues/3705

Not 100% sure how many older versions are affected or if CVEs have been requested.
David Walser 2012-07-12 02:26:46 CEST

CC: (none) => guillomovitch

Comment 1 David Walser 2012-07-13 15:32:46 CEST
OK, apparently the two "CSRF prevention" bugs are security issues also:
https://forge.indepnet.net/issues/3704
https://forge.indepnet.net/issues/3707

CVEs have been assigned:
http://seclists.org/oss-sec/2012/q3/73

Bug 3705 is CVE-2012-4003.  Bugs 3704 and 3707 are CVE-2012-4002.

Summary: glpi new security issue fixed in 0.83.3 => glpi new security issue fixed in 0.83.3 (CVE-2012-4002 and CVE-2012-4003)

David Walser 2012-08-09 04:10:21 CEST

Assignee: bugsquad => guillomovitch

Comment 3 Guillaume Rousse 2012-08-10 09:48:53 CEST
I've updated GLPI earlier from 0.80.7 to 0.83.4 this week, as well as all distributed plugins. I can't find any information about the exact version affected, but as everything relates to 0.83 only, I'd presume we were actually not vulnerable.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 David Walser 2012-08-10 14:37:14 CEST
This is only fixed in Cauldron.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 5 David Walser 2012-08-10 14:38:18 CEST
If you're sure only 0.83 is affected, we can close this again.
Comment 6 Guillaume Rousse 2012-08-12 16:22:58 CEST
After enquiring with upstream, 0.80 is affected, but unsupported, meaning no available patches...

I had a look at the changes involved to evaluate the work needed to port the fixes myself. The fixes for the XSS vulnerability (2012-4003) are quite localized, but the ones for the XSRF vulnerability (2012-4002) are far more invasive. I just submitted a 0.80.7-2.1.mga2 package in updates_testing, fixing the first issue. Unless someone else volunteers to also fix the second issue, it seems that is the maximum achievable here.
Comment 7 David Walser 2012-08-12 16:55:13 CEST
(In reply to comment #6)
> After enquiring with upstream, 0.80 is affected, but unsupported, meaning no
> available patches...

Nice.  Do we know if 0.78 (Mageia 1) is affected?

> I had a look at the changes involved to evaluate the work needed to port the
> fixes myself. The fixes for the XSS vulnerability (2012-4003) are quite localized,
> but the ones for the XSRF vulnerability (2012-4002) are far more invasive. I
> just submitted a 0.80.7-2.1.mga2 package in updates_testing, fixing the first
> issue.

Thanks.

> Unless someone else volunteers to also fix the second issue, it seems
> that is the maximum achievable here.

As far as I know, you're the only developer we have that's interested in this package.  Maybe another distro will backport a fix at some point.

So, the plugin updates Fedora issued were for compatibility with the CSRF fix, so if we're not fixing that, we don't have to worry about those at this time.
Comment 8 David Walser 2012-08-15 20:47:16 CEST
Mandriva has issued an advisory for this (for MES5) today:
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:132

They decided to just update to the newest versions.
Comment 9 Guillaume Rousse 2012-08-20 21:11:59 CEST
GLPI 0.78 is probably affected as well. I just submitted glpi-0.78.2-2.3.mga1 with a backported patch to updates_testing.

What Mandriva did is a bit dangerous: first, they ship a major version as a security update, forcing a database schema upgrade; second, they ship incompatible plugin versions, such as the fusioninventory plugin...
David Walser 2012-08-20 21:45:31 CEST

Depends on: (none) => 7126

Comment 10 David Walser 2012-08-20 21:46:47 CEST
Thanks Guillaume.  I have opened Bug 7126 to get this XSS fix to QA.  I'll leave this bug open just in case someone backports a fix for the CSRF issues.
David Walser 2012-11-02 19:00:06 CET

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

David Walser 2012-12-21 14:27:50 CET

CC: (none) => oe

Comment 11 Guillaume Rousse 2013-02-06 19:54:45 CET
MGA1 isn't supported anymore, right? So I'm closing this bug.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 12 David Walser 2013-02-06 21:31:17 CET
This bug is for Mageia 2.

Mageia 1 removed from whiteboard due to EOL.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Whiteboard: MGA1TOO => (none)

Comment 13 Guillaume Rousse 2013-02-23 13:55:31 CET
Bugs 7126 and 7157 have been closed, I'm closing this ticket.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 14 David Walser 2013-02-23 14:32:47 CET
As I said in Comment 10, we have not fixed the CSRF issues (CVE-2012-4002) for Mageia 2, which is why this is still open.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 15 Guillaume Rousse 2013-02-23 16:09:19 CET
Indeed. However, there is no patch available for 0.80, and the 0.83 ones are far too invasive to be ported:
https://forge.indepnet.net/issues/3704
https://forge.indepnet.net/issues/3707

I'd rather close this ticket now as WONTFIX than wait for the mga2 end of life to close it.
Comment 16 David Walser 2013-02-23 16:15:39 CET
Then maybe we should update this to 0.83.7 backported from Cauldron.  We have 0.80 here, which for quite some time now has been unsupported upstream, and we still are supposed to be supporting Mageia 2 for like 10 more months.  Fedora and Mandriva both updated to 0.83.4 to fix these issues.
Comment 17 Guillaume Rousse 2013-02-23 16:58:18 CET
That's also an option. However, a version update means database schema changes and breaks all installed plugins, which is a bit of a harsh change for something installed and running. I don't think this is very wise here.
Comment 18 David Walser 2013-02-23 17:08:54 CET
I can certainly understand that perspective.

There are arguments to be made for both sides.

Arguments to update:
- We continue to provide support for this package.
- We move to a version that's supported upstream.
- We only have to support one version of the software, as it's the same in Mageia 2 and Mageia 3.
- We fix a security hole.
- People will have to upgrade this when they upgrade to Mageia 3 anyway; dealing with it now will actually make that transition later less painful.  Obviously careful admins will deal with this update carefully.
- Everyone else is doing it :o)

Arguments to not update:
- A lot of packager work initially to prepare the update and update the plugins too.
- More invasive/involved update for the users.

Both are reasonable arguments.  Ultimately, it's your package and you know more about it than anyone in Mageia, so I'll trust your decision.
Comment 19 Guillaume Rousse 2013-03-02 15:49:52 CET
Not updating the software version doesn't mean dropping support completely, it just means that some issues with an unfavorable complexity/severity ratio won't be backported. Which is my own analysis of the present issue.

And I really think we should avoid introducing any disturbing changes in updates. I'm personally really biased toward allowing users to automatically apply those updates in a non-supervised manner, which means typically vetoing any change involving a manual intervention to keep something running.
Comment 20 David Walser 2013-03-02 16:43:12 CET
(In reply to Guillaume Rousse from comment #19)
> I'm personally really biased toward allowing users to automatically
> apply those updates in a non-supervised manner, which means typically vetoing
> any change involving a manual intervention to keep something running.

In general I agree with that.  In fact, since Mageia 2, I have all my servers installing updates daily with a cron job since it's worked so well.

Unfortunately, every once in a while, to fix some security issues there may be some manual intervention needed, which we always explain in the advisories.
Comment 21 Guillaume Rousse 2013-07-26 18:14:55 CEST
I won't provide security fixes for those old versions.

Status: REOPENED => RESOLVED
Resolution: (none) => WONTFIX

Comment 22 David Walser 2013-09-19 22:35:33 CEST
Just leaving a note on this bug that additional issues also affect the Mageia 2 GLPI package that will not be fixed.  They are described in Bug 10579.

Depends on: (none) => 10579
