Bug 7126 - glpi XSS security issue (CVE-2012-4003)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact:
URL: https://forge.indepnet.net/issues/3705
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32...
Keywords: validated_update
Depends on: 7157
Blocks: 6762
 
Reported: 2012-08-20 21:45 CEST by David Walser
Modified: 2012-08-30 13:07 CEST
Source RPM: glpi-0.80.7-2.mga2.src.rpm

Description David Walser 2012-08-20 21:45:04 CEST
Guillaume Rousse has built an update for Mageia 1 and Mageia 2 to fix this issue, which was fixed upstream in 0.83.3.  Cauldron has also been updated.  0.83.3 also fixed a CSRF issue, but the changeset was too complex to backport, so this update will only fix the XSS issue.

Advisory:
========================

Updated glpi package fixes security vulnerability:

Multiple XSS issues affecting glpi versions prior to 0.83.3 have been
corrected (CVE-2012-4003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4003
https://forge.indepnet.net/issues/3705
http://www.glpi-project.org/spip.php?page=annonce&id_breve=275&lang=en
========================

Updated packages in core/updates_testing:
========================
glpi-0.78.2-2.3.mga1
glpi-0.80.7-2.1.mga2

from SRPMS:
glpi-0.78.2-2.3.mga1.src.rpm
glpi-0.80.7-2.1.mga2.src.rpm

Comment 1 Eduard Beliaev 2012-08-21 01:45:53 CEST
Couldn't make glpi run because of mysql errors, will try again next days to relax...(seriously)

Comment 2 Dave Hodgins 2012-08-23 04:30:31 CEST
Testing complete on Mageia 1 i586.

Just testing that the package works.  Added a location, and a computer entry.

Eduard, I ran into the same problem accessing the mysql server, even though
I could access it using phpmyadmin.

I replaced /etc/php.ini with /usr/share/doc/php-doc/php.ini-development,
and restarted the httpd service, expecting it to provide a more detailed
error message.

I was able to access the mysql server in glpi.  I had restarted the http
server after installing glpi, so it looks like there is something in the
default php.ini that is preventing glpi from accessing the mysql server.

I'll test Mageia 1 x86-64 and try to work out exactly which php.ini change(s)
is(are) required to allow glpi to work.

Comment 3 Dave Hodgins 2012-08-23 04:55:39 CEST
Forgot to note, that the License display is blank.

Turns out commenting out the line "skip-networking" in /etc/my.cnf
also works.  Didn't have to use the dev php.ini.

On Mageia 1 x86-64, in the step "Checking of the compatibility of
your environment with the execution of GLPI", I'm getting the error
"Mbstring extension of your parser PHP is not installed", so it looks
like there is a missing dependency for php-mbstring.

As this is a security update, I'll open a new bug report for the
missing dependency and the missing license.

Once I installed php-mbstring, the program is working.

Testing complete on Mageia 1 x86-64.

Comment 4 Dave Hodgins 2012-08-23 20:09:47 CEST
Testing Mageia 2 i586 shortly.

Comment 5 Dave Hodgins 2012-08-23 20:20:32 CEST
Testing complete on Mageia 2 i586.  The missing php-mbstring dependency
and blank license apply to Mageia 2 as well.

Testing Mageia 2 x86-64 shortly.

Comment 6 Dave Hodgins 2012-08-23 20:35:32 CEST
Bug 7157 opened for the missing requires and blank license.

Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm
glpi-0.80.7-2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
glpi-0.78.2-2.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated glpi package fixes security vulnerability:

Multiple XSS issues affecting glpi versions prior to 0.83.3 have been
corrected (CVE-2012-4003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4003
https://forge.indepnet.net/issues/3705
http://www.glpi-project.org/spip.php?page=annonce&id_breve=275&lang=e

https://bugs.mageia.org/show_bug.cgi?id=7126

Comment 7 David Walser 2012-08-25 20:22:00 CEST
Since this hasn't been pushed yet, Bug 7157 now blocks this.

Comment 8 Thomas Backlund 2012-08-30 13:07:29 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0250
