summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--glpi-0.84-CVE-2014-9258.patch62
-rw-r--r--glpi-0.84-cron.patch2
-rw-r--r--glpi.spec8
3 files changed, 70 insertions, 2 deletions
diff --git a/glpi-0.84-CVE-2014-9258.patch b/glpi-0.84-CVE-2014-9258.patch
new file mode 100644
index 0000000..97f1966
--- /dev/null
+++ b/glpi-0.84-CVE-2014-9258.patch
@@ -0,0 +1,62 @@
+Index: branches/0.84-bugfixes/inc/dropdown.class.php
+===================================================================
+--- branches/0.84-bugfixes/inc/dropdown.class.php (révision 23260)
++++ branches/0.84-bugfixes/inc/dropdown.class.php (révision 23261)
+@@ -177,6 +177,11 @@
+ }
+ }
+
++ // Manage condition
++ if (!empty($params['condition'])) {
++ $params['condition'] = static::addNewCondition($params['condition']);
++ }
++
+ $param = array('searchText' => '__VALUE__',
+ 'value' => $params['value'],
+ 'itemtype' => $itemtype,
+@@ -259,6 +264,11 @@
+ }
+ }
+
++ static function addNewCondition($condition) {
++ $sha1=sha1($condition);
++ $_SESSION['glpicondition'][$sha1] = $condition;
++ return $sha1;
++ }
+
+ /**
+ * Get the value of a dropdown
+@@ -1095,7 +1105,7 @@
+ 'entity_restrict' => $entity_restrict);
+
+ if ($onlyglobal) {
+- $params['condition'] = "`is_global` = '1'";
++ $params['condition'] = static::addNewCondition("`is_global` = '1'");
+ }
+ Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
+ $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
+Index: branches/0.84-bugfixes/ajax/dropdownValue.php
+===================================================================
+--- branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23260)
++++ branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23261)
+@@ -72,13 +72,17 @@
+ $_POST['permit_select_parent'] = false;
+ }
+
+-// No define rand
+-if (!isset($_POST['rand'])) {
++ // No define rand
++ if (!isset($_POST['rand'])) {
+ $_POST['rand'] = mt_rand();
+ }
+
+ if (isset($_POST['condition']) && !empty($_POST['condition'])) {
+- $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
++ if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
++ $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
++ } else {
++ $_POST['condition'] = '';
++ }
+ }
+
+ if (!isset($_POST['emptylabel']) || ($_POST['emptylabel'] == '')) {
diff --git a/glpi-0.84-cron.patch b/glpi-0.84-cron.patch
index de3b6d7..4ce17d1 100644
--- a/glpi-0.84-cron.patch
+++ b/glpi-0.84-cron.patch
@@ -18,7 +18,7 @@ diff -up install/install.php.orig install/install.php
diff -up install/update.php.orig install/update.php
--- install/update.php.orig 2013-09-12 21:17:15.000000000 +0200
+++ install/update.php 2013-09-29 17:07:53.124390070 +0200
-@@ -776,6 +776,10 @@ function updateDbUpTo031() {
+@@ -790,6 +790,10 @@ function updateDbUpTo031() {
$plugin = new Plugin();
$plugin->unactivateAll();
diff --git a/glpi.spec b/glpi.spec
index 4ca65ba..696941c 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -28,7 +28,7 @@
Name: glpi
Version: 0.84.8
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Free IT asset management software
Summary(fr): Gestion Libre de Parc Informatique
@@ -44,6 +44,8 @@ Source4: glpi-nginx.conf
# Switch all internal cron tasks to system
Patch0: glpi-0.84-cron.patch
+# Upstream security patch
+Patch1: glpi-0.84-CVE-2014-9258.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -125,6 +127,7 @@ techniciens grâce à une maintenance plus cohérente.
%setup -q -n glpi
%patch0 -p0
+%patch1 -p2
find . -name \*.orig -exec rm {} \; -print
@@ -308,6 +311,9 @@ fi
%changelog
+* Mon Dec 22 2014 Remi Collet <remi@fedoraproject.org> - 0.84.8-3
+- fix SQL Injection CVE-2014-9258
+
* Fri Nov 7 2014 Remi Collet <remi@fedoraproject.org> - 0.84.8-2
- use httpd_var_lib_t selinux context for /var/lib/glpi
- don't rely on system selinux policy in EPEL-7