[glpi/el6] fix SQL Injection CVE-2014-9258

Remi Collet remi at fedoraproject.org
Mon Dec 22 09:09:08 UTC 2014


commit 9ba2dca5cb5731d0219326c48f656bf2dfae557e
Author: Remi Collet <remi at fedoraproject.org>
Date:   Mon Dec 22 10:09:00 2014 +0100

    fix SQL Injection CVE-2014-9258

 glpi-0.83-CVE-2014-9258.patch |   53 +++++++++++++++++++++++++++++++++++++++++
 glpi.spec                     |    9 ++++++-
 2 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/glpi-0.83-CVE-2014-9258.patch b/glpi-0.83-CVE-2014-9258.patch
new file mode 100644
index 0000000..e811b27
--- /dev/null
+++ b/glpi-0.83-CVE-2014-9258.patch
@@ -0,0 +1,53 @@
+diff -up glpi/ajax/dropdownValue.php.orig glpi/ajax/dropdownValue.php
+--- glpi/ajax/dropdownValue.php.orig	2014-12-22 09:51:10.129921869 +0100
++++ glpi/ajax/dropdownValue.php	2014-12-22 09:54:22.203680943 +0100
+@@ -75,7 +75,11 @@ if (!isset($_POST['rand'])) {
+ }
+ 
+ if (isset($_POST['condition']) && !empty($_POST['condition'])) {
+-   $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
++    if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
++        $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
++    } else {
++        $_POST['condition'] = '';
++    }
+ }
+ 
+ if (!isset($_POST['emptylabel']) || $_POST['emptylabel'] == '') {
+diff -up glpi/inc/dropdown.class.php.orig glpi/inc/dropdown.class.php
+--- glpi/inc/dropdown.class.php.orig	2013-06-25 08:17:42.000000000 +0200
++++ glpi/inc/dropdown.class.php	2014-12-22 09:53:27.451464563 +0100
+@@ -165,6 +165,11 @@ class Dropdown {
+          }
+       }
+ 
++      // Manage condition
++      if (!empty($params['condition'])) {
++        $params['condition'] = static::addNewCondition($params['condition']);
++      }
++
+       $param = array('searchText'           => '__VALUE__',
+                       'value'               => $params['value'],
+                       'itemtype'            => $itemtype,
+@@ -231,6 +236,12 @@ class Dropdown {
+    }
+ 
+ 
++    static function addNewCondition($condition) {
++        $sha1=sha1($condition);
++        $_SESSION['glpicondition'][$sha1] = $condition;
++        return $sha1;
++    }
++
+    /**
+     * Get the value of a dropdown
+     *
+@@ -984,7 +995,7 @@ class Dropdown {
+                           'entity_restrict' => $entity_restrict);
+ 
+          if ($onlyglobal) {
+-            $params['condition'] = "`is_global` = '1'";
++            $params['condition'] = static::addNewCondition("`is_global` = '1'");
+          }
+          Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
+                                        $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
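Review bot: The token lookup is added only in `ajax/dropdownValue.php`, while the last nested hunk of `dropdown.class.php` now sends a SHA-1 token as `condition` to `ajax/dropdownAllItems.php`, which this patch does not touch. It is worth confirming that every endpoint reading `$_POST['condition']` resolves it through `$_SESSION['glpicondition']` and never places the posted value into a query. In `dropdownValue.php` the posted value is used as an array offset without a type check; a guard such as `if (is_string($_POST['condition']) && isset($_SESSION['glpicondition'][$_POST['condition']])) {` would send a non-string value down the empty-condition branch without an offset warning. `addNewCondition()` has no docblock or visibility keyword; a short comment saying that it stores the SQL fragment in the session and returns its SHA-1 as the lookup key would document the contract callers rely on. The enclosing `Dropdown` methods start and end outside the nested hunks, so their other uses of `$params['condition']` cannot be checked from here.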
diff --git a/glpi.spec b/glpi.spec
index 7e557d1..5665fa9 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -2,7 +2,7 @@
 
 Name:           glpi
 Version:        0.83.9.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Free IT asset management software
 Summary(fr):    Gestion Libre de Parc Informatique
 
@@ -17,6 +17,8 @@ Source3:        glpi-logrotate
 
 # Switch all internal cron tasks to system
 Patch0:         glpi-0.83-cron.patch
+# Upstream security patch, backported from 0.84
+Patch1:         glpi-0.83-CVE-2014-9258.patch
 
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -74,6 +76,8 @@ techniciens grâce à une maintenance plus cohérente.
 %setup -q -n glpi
 
 %patch0 -p0
+%patch1 -p1
+
 find . -name \*.orig -exec rm {} \; -print
 
 # Drop bundled Flash files
@@ -247,6 +251,9 @@ fi
 
 
 %changelog
+* Mon Dec 22 2014 Remi Collet <remi at fedoraproject.org> - 0.83.9.1-6
+- fix SQL Injection CVE-2014-9258
+
 * Thu Nov 21 2013 Remi Collet <remi at fedoraproject.org> - 0.84.9.1-5
 - fix SELinux context #1032995
   use httpd_sys_rw_content_t instead of httpd_sys_script_rw_t

