author | Remi Collet <fedora@famillecollet.com> | 2014-12-22 09:23:02 +0100 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2014-12-22 09:23:02 +0100 |
commit | c0011352162c9ebed6faea4c0f4bdf035d3feb92 (patch) | |
tree | df3adb573794072729b2f182c7f7b258e13df005 | |
parent | d349e4be95ba37c97d9dbbee88241603f668aee8 (diff) |
glpi: fix SQL Injection CVE-2014-9258
-rw-r--r-- | glpi-0.84-CVE-2014-9258.patch | 62 | ||||
-rw-r--r-- | glpi-0.84-cron.patch | 2 | ||||
-rw-r--r-- | glpi.spec | 8 |
3 files changed, 70 insertions, 2 deletions
diff --git a/glpi-0.84-CVE-2014-9258.patch b/glpi-0.84-CVE-2014-9258.patch
new file mode 100644
index 0000000..97f1966
--- /dev/null
+++ b/glpi-0.84-CVE-2014-9258.patch
@@ -0,0 +1,62 @@
+Index: branches/0.84-bugfixes/inc/dropdown.class.php
+===================================================================
+--- branches/0.84-bugfixes/inc/dropdown.class.php (révision 23260)
++++ branches/0.84-bugfixes/inc/dropdown.class.php (révision 23261)
+@@ -177,6 +177,11 @@
+ }
+ }
+
++ // Manage condition
++ if (!empty($params['condition'])) {
++ $params['condition'] = static::addNewCondition($params['condition']);
++ }
++
+ $param = array('searchText' => '__VALUE__',
+ 'value' => $params['value'],
+ 'itemtype' => $itemtype,
+@@ -259,6 +264,11 @@
+ }
+ }
+
++ static function addNewCondition($condition) {
++ $sha1=sha1($condition);
++ $_SESSION['glpicondition'][$sha1] = $condition;
++ return $sha1;
++ }
+
+ /**
+ * Get the value of a dropdown
+@@ -1095,7 +1105,7 @@
+ 'entity_restrict' => $entity_restrict);
+
+ if ($onlyglobal) {
+- $params['condition'] = "`is_global` = '1'";
++ $params['condition'] = static::addNewCondition("`is_global` = '1'");
+ }
+ Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
+ $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
+Index: branches/0.84-bugfixes/ajax/dropdownValue.php
+===================================================================
+--- branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23260)
++++ branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23261)
+@@ -72,13 +72,17 @@
+ $_POST['permit_select_parent'] = false;
+ }
+
+-// No define rand
+-if (!isset($_POST['rand'])) {
++ // No define rand
++ if (!isset($_POST['rand'])) {
+ $_POST['rand'] = mt_rand();
+ }
+
+ if (isset($_POST['condition']) && !empty($_POST['condition'])) {
+- $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
++ if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
++ $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
++ } else {
++ $_POST['condition'] = '';
++ }
+ }
+
+ if (!isset($_POST['emptylabel']) || ($_POST['emptylabel'] == '')) {
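Review bot: In the ajax/dropdownValue.php hunk, a `condition` token that is not found in `$_SESSION['glpicondition']` is replaced by an empty string, so the lookup fails open and the query runs without the server-chosen filter (for example `is_global`) instead of the request being refused. If any caller relies on the condition to limit what a user may see, logging and rejecting an unknown token would be safer than widening the result set; whether such callers exist is not visible in this patch. The lookup also uses the raw request value as an array key, so a guard such as `if (is_string($_POST['condition']) && isset($_SESSION['glpicondition'][$_POST['condition']])) {` keeps a posted array from raising an illegal-offset error. Only dropdownValue.php is switched to the token lookup here, while the third dropdown.class.php hunk sends the token to ajax/dropdownAllItems.php, so every other endpoint that reads `condition` should be checked for the old `rawurldecode(stripslashes(...))` handling.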
diff --git a/glpi-0.84-cron.patch b/glpi-0.84-cron.patch index de3b6d7..4ce17d1 100644 --- a/glpi-0.84-cron.patch +++ b/glpi-0.84-cron.patch @@ -18,7 +18,7 @@ diff -up install/install.php.orig install/install.php diff -up install/update.php.orig install/update.php --- install/update.php.orig 2013-09-12 21:17:15.000000000 +0200 +++ install/update.php 2013-09-29 17:07:53.124390070 +0200 -@@ -776,6 +776,10 @@ function updateDbUpTo031() { +@@ -790,6 +790,10 @@ function updateDbUpTo031() { $plugin = new Plugin(); $plugin->unactivateAll(); @@ -28,7 +28,7 @@ Name: glpi Version: 0.84.8 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Free IT asset management software Summary(fr): Gestion Libre de Parc Informatique @@ -44,6 +44,8 @@ Source4: glpi-nginx.conf # Switch all internal cron tasks to system Patch0: glpi-0.84-cron.patch +# Upstream security patch +Patch1: glpi-0.84-CVE-2014-9258.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch @@ -125,6 +127,7 @@ techniciens grâce à une maintenance plus cohérente. %setup -q -n glpi %patch0 -p0 +%patch1 -p2 find . -name \*.orig -exec rm {} \; -print @@ -308,6 +311,9 @@ fi %changelog +* Mon Dec 22 2014 Remi Collet <remi@fedoraproject.org> - 0.84.8-3 +- fix SQL Injection CVE-2014-9258 + * Fri Nov 7 2014 Remi Collet <remi@fedoraproject.org> - 0.84.8-2 - use httpd_var_lib_t selinux context for /var/lib/glpi - don't rely on system selinux policy in EPEL-7 |