From 06e8e7fe81dbf4854d19c1d9a2023731e3b4420e Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Dec 22 2014 08:30:28 +0000
Subject: fix SQL Injection CVE-2014-9258
---
diff --git a/glpi-0.84-CVE-2014-9258.patch b/glpi-0.84-CVE-2014-9258.patch
new file mode 100644
index 0000000..97f1966
--- /dev/null
+++ b/glpi-0.84-CVE-2014-9258.patch
@@ -0,0 +1,62 @@
+Index: branches/0.84-bugfixes/inc/dropdown.class.php
+===================================================================
+--- branches/0.84-bugfixes/inc/dropdown.class.php (révision 23260)
++++ branches/0.84-bugfixes/inc/dropdown.class.php (révision 23261)
+@@ -177,6 +177,11 @@
+ }
+ }
+
++ // Manage condition
++ if (!empty($params['condition'])) {
++ $params['condition'] = static::addNewCondition($params['condition']);
++ }
++
+ $param = array('searchText' => '__VALUE__',
+ 'value' => $params['value'],
+ 'itemtype' => $itemtype,
+@@ -259,6 +264,11 @@
+ }
+ }
+
++ static function addNewCondition($condition) {
++ $sha1=sha1($condition);
++ $_SESSION['glpicondition'][$sha1] = $condition;
++ return $sha1;
++ }
+
+ /**
+ * Get the value of a dropdown
+@@ -1095,7 +1105,7 @@
+ 'entity_restrict' => $entity_restrict);
+
+ if ($onlyglobal) {
+- $params['condition'] = "`is_global` = '1'";
++ $params['condition'] = static::addNewCondition("`is_global` = '1'");
+ }
+ Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
+ $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
+Index: branches/0.84-bugfixes/ajax/dropdownValue.php
+===================================================================
+--- branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23260)
++++ branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23261)
+@@ -72,13 +72,17 @@
+ $_POST['permit_select_parent'] = false;
+ }
+
+-// No define rand
+-if (!isset($_POST['rand'])) {
++ // No define rand
++ if (!isset($_POST['rand'])) {
+ $_POST['rand'] = mt_rand();
+ }
+
+ if (isset($_POST['condition']) && !empty($_POST['condition'])) {
+- $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
++ if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
++ $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
++ } else {
++ $_POST['condition'] = '';
++ }
+ }
+
+ if (!isset($_POST['emptylabel']) || ($_POST['emptylabel'] == '')) {
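Review bot: The session-token lookup added in the ajax/dropdownValue.php hunk is the only place a posted `condition` is resolved, yet the third dropdown.class.php hunk now also hands a token to ajax/dropdownAllItems.php, which this patch does not touch. If that script still forwards the posted value into Dropdown::show unchanged, the new block at line 177 would register a client-supplied string in `$_SESSION['glpicondition']` and return a token that dropdownValue.php later honours, so it is worth confirming that dropdownAllItems.php resolves the token through the same session lookup rather than passing it through; I cannot see that file from here. Note also that `$_SESSION['glpicondition']` only ever grows, one entry per distinct condition for the lifetime of the session, and that the `isset` on the posted key runs on whatever type the client sent. The new `addNewCondition` method has no docblock; something like `/** Store a SQL condition in the session and return the sha1 token that ajax/dropdownValue.php resolves back to it. */` above it would make the indirection discoverable, and `$sha1=sha1($condition);` should be spaced as `$sha1 = sha1($condition);` to match the surrounding code.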
diff --git a/glpi-0.84-cron.patch b/glpi-0.84-cron.patch
index de3b6d7..4ce17d1 100644
--- a/glpi-0.84-cron.patch
+++ b/glpi-0.84-cron.patch
@@ -18,7 +18,7 @@ diff -up install/install.php.orig install/install.php
diff -up install/update.php.orig install/update.php
--- install/update.php.orig 2013-09-12 21:17:15.000000000 +0200
+++ install/update.php 2013-09-29 17:07:53.124390070 +0200
-@@ -776,6 +776,10 @@ function updateDbUpTo031() {
+@@ -790,6 +790,10 @@ function updateDbUpTo031() {
$plugin = new Plugin();
$plugin->unactivateAll();
diff --git a/glpi.spec b/glpi.spec
index bef5640..ee952cc 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -28,7 +28,7 @@ Name: glpi
Version: 0.84.8
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Free IT asset management software
Summary(fr): Gestion Libre de Parc Informatique
@@ -44,6 +44,8 @@ Source4: glpi-nginx.conf
# Switch all internal cron tasks to system
Patch0: glpi-0.84-cron.patch
+# Upstream security patch
+Patch1: glpi-0.84-CVE-2014-9258.patch
BuildArch: noarch
BuildRequires: gettext
@@ -120,6 +122,7 @@ techniciens grâce à une maintenance plus cohérente.
%setup -q -n glpi
%patch0 -p0
+%patch1 -p2
find . -name \*.orig -exec rm {} \; -print
@@ -290,6 +293,9 @@ fi
%changelog
+* Mon Dec 22 2014 Remi Collet - 0.84.8-3
+- fix SQL Injection CVE-2014-9258
+
* Fri Nov 7 2014 Remi Collet - 0.84.8-2
- use httpd_var_lib_t selinux context for /var/lib/glpi
- don't rely on system selinux policy in EPEL-7