[glpi/f20] fix SQL Injection CVE-2014-9258
Remi Collet
remi at fedoraproject.org
Mon Dec 22 08:39:04 UTC 2014
commit 45a5223b3f00f9e9640c49661ea180ebe05e1633
Author: Remi Collet <remi at fedoraproject.org>
Date: Mon Dec 22 09:38:58 2014 +0100
fix SQL Injection CVE-2014-9258
glpi-0.84-CVE-2014-9258.patch | 62 +++++++++++++++++++++++++++++++++++++++++
glpi-0.84-cron.patch | 2 +-
glpi.spec | 18 +++++++++--
3 files changed, 77 insertions(+), 5 deletions(-)
---
diff --git a/glpi-0.84-CVE-2014-9258.patch b/glpi-0.84-CVE-2014-9258.patch
new file mode 100644
index 0000000..97f1966
--- /dev/null
+++ b/glpi-0.84-CVE-2014-9258.patch
@@ -0,0 +1,62 @@
+Index: branches/0.84-bugfixes/inc/dropdown.class.php
+===================================================================
+--- branches/0.84-bugfixes/inc/dropdown.class.php (révision 23260)
++++ branches/0.84-bugfixes/inc/dropdown.class.php (révision 23261)
+@@ -177,6 +177,11 @@
+ }
+ }
+
++ // Manage condition
++ if (!empty($params['condition'])) {
++ $params['condition'] = static::addNewCondition($params['condition']);
++ }
++
+ $param = array('searchText' => '__VALUE__',
+ 'value' => $params['value'],
+ 'itemtype' => $itemtype,
+@@ -259,6 +264,11 @@
+ }
+ }
+
++ static function addNewCondition($condition) {
++ $sha1=sha1($condition);
++ $_SESSION['glpicondition'][$sha1] = $condition;
++ return $sha1;
++ }
+
+ /**
+ * Get the value of a dropdown
+@@ -1095,7 +1105,7 @@
+ 'entity_restrict' => $entity_restrict);
+
+ if ($onlyglobal) {
+- $params['condition'] = "`is_global` = '1'";
++ $params['condition'] = static::addNewCondition("`is_global` = '1'");
+ }
+ Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
+ $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
+Index: branches/0.84-bugfixes/ajax/dropdownValue.php
+===================================================================
+--- branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23260)
++++ branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23261)
+@@ -72,13 +72,17 @@
+ $_POST['permit_select_parent'] = false;
+ }
+
+-// No define rand
+-if (!isset($_POST['rand'])) {
++ // No define rand
++ if (!isset($_POST['rand'])) {
+ $_POST['rand'] = mt_rand();
+ }
+
+ if (isset($_POST['condition']) && !empty($_POST['condition'])) {
+- $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
++ if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
++ $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
++ } else {
++ $_POST['condition'] = '';
++ }
+ }
+
+ if (!isset($_POST['emptylabel']) || ($_POST['emptylabel'] == '')) {
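Review bot: In the `ajax/dropdownValue.php` part, a `condition` token that is not found in `$_SESSION['glpicondition']` is replaced by an empty string, so the request carries on with the restriction dropped instead of being refused. Conditions such as the `is_global` one wrapped in `dropdown.class.php` narrow the result set, so an unknown, stale or tampered token appears to widen what the dropdown returns; how `$_POST['condition']` is used afterwards lies outside the hunk, so this is inferred. Failing closed would be safer, for example `} else { exit(); }` in place of the `$_POST['condition'] = '';` branch. The `dropdownAllItems.php` call now receives a token as well, and that file is not part of this patch, so it should be confirmed that it resolves or forwards the token and never uses it as SQL. `addNewCondition()` also has no docblock; I would add `/** Store a server-built SQL condition in the session and return the sha1 token that stands for it in AJAX parameters. */` and state there that only strings built server-side may be passed in.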
diff --git a/glpi-0.84-cron.patch b/glpi-0.84-cron.patch
index de3b6d7..4ce17d1 100644
--- a/glpi-0.84-cron.patch
+++ b/glpi-0.84-cron.patch
@@ -18,7 +18,7 @@ diff -up install/install.php.orig install/install.php
diff -up install/update.php.orig install/update.php
--- install/update.php.orig 2013-09-12 21:17:15.000000000 +0200
+++ install/update.php 2013-09-29 17:07:53.124390070 +0200
-@@ -776,6 +776,10 @@ function updateDbUpTo031() {
+@@ -790,6 +790,10 @@ function updateDbUpTo031() {
$plugin = new Plugin();
$plugin->unactivateAll();
diff --git a/glpi.spec b/glpi.spec
index 4884392..f432762 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -7,7 +7,7 @@
# Please, preserve the changelog entries
#
-%if 0%{?fedora} < 20 && 0%{?rhel} < 7
+%if 0%{?fedora} < 20
# See https://bugzilla.redhat.com/1033025
# selinux-policy : Please include policy for GLPI
%global useselinux 1
@@ -28,7 +28,7 @@
Name: glpi
Version: 0.84.8
-Release: 1%{?dist}
+Release: 3%{?dist}
Summary: Free IT asset management software
Summary(fr): Gestion Libre de Parc Informatique
@@ -44,6 +44,8 @@ Source4: glpi-nginx.conf
# Switch all internal cron tasks to system
Patch0: glpi-0.84-cron.patch
+# Upstream security patch
+Patch1: glpi-0.84-CVE-2014-9258.patch
BuildArch: noarch
BuildRequires: gettext
@@ -120,6 +122,7 @@ techniciens grâce à une maintenance plus cohérente.
%setup -q -n glpi
%patch0 -p0
+%patch1 -p2
find . -name \*.orig -exec rm {} \; -print
@@ -228,8 +231,7 @@ done >%{name}.lang
semanage fcontext -a -s system_u -t httpd_sys_rw_content_t -r s0 "%{_sysconfdir}/%{name}(/.*)?"
semanage fcontext -a -s system_u -t httpd_sys_content_t -r s0 "%{_datadir}/%{name}(/.*)?"
semanage fcontext -a -s system_u -t httpd_log_t -r s0 "%{_localstatedir}/log/%{name}(/.*)?"
-# keep httpd_sys_rw_content_t (httpd_var_lib_t prevent dir creation)
-semanage fcontext -a -s system_u -t httpd_sys_rw_content_t -r s0 "%{_localstatedir}/lib/%{name}(/.*)?"
+semanage fcontext -a -s system_u -t httpd_var_lib_t -r s0 "%{_localstatedir}/lib/%{name}(/.*)?"
# files created by app
restorecon -R %{_sysconfdir}/%{name}
restorecon -R %{_datadir}/%{name}
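Review bot: The `/var/lib` rule now labels the directory `httpd_var_lib_t`, yet the comment deleted just above it recorded that this type prevented directory creation, and nothing in the new lines says why that no longer applies. If the application still creates directories under `%{_localstatedir}/lib/%{name}` at runtime, the new label could produce AVC denials on releases whose policy has not changed, which is worth confirming on each target. I would keep a one-line comment in its place, e.g. `# httpd_var_lib_t: dir creation verified with selinux-policy <VERSION>`, so the reason for the switch stays with the rule. The scriptlet these lines belong to starts and ends outside the hunk.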
@@ -291,6 +293,14 @@ fi
%changelog
+* Mon Dec 22 2014 Remi Collet <remi at fedoraproject.org> - 0.84.8-3
+- fix SQL Injection CVE-2014-9258
+
+* Fri Nov 7 2014 Remi Collet <remi at fedoraproject.org> - 0.84.8-2
+- use httpd_var_lib_t selinux context for /var/lib/glpi
+- don't rely on system selinux policy in EPEL-7
+- fix apache configuration when mod_php not enabled
+
* Fri Oct 17 2014 Remi Collet <remi at fedoraproject.org> - 0.84.8-1
- update to 0.84.8
https://forge.indepnet.net/versions/1072