Created attachment 250178 [details] correct false positives for old GLPI versions

According to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255948#c13, I just want to know: does this mean that false positives for glpi <= 10.0.7 will never be corrected? If this assumption is wrong, please see the included patch.
I think what Jochen meant in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255948#c13 is that we don't add new vulnerabilities to existing vuxml entries. When new vulnerabilities become known, we create new vuxml entries for them. If previous entries are wrong though, we should correct them.

In this instance: I wonder if it's worth the churn of correcting the old entries, given that newer vulnerabilities have been discovered that affect every version prior to 10.0.14.

I'm happy to commit the corrections if someone could double-check them for me, e.g. the maintainer? Does this patch look correct, Mathias?
The problem with the old entries is that the ranges are wrong, so you get false positives for every current AND future GLPI version. For example:

pkg audit -F
glpi-10.0.14,1 is vulnerable:
  glpi -- Multiple SQL Injections Stemming From isNameQuoted()
  CVE: CVE-2020-15176
  WWW: https://vuxml.FreeBSD.org/freebsd/b7abdb0f-3b15-11eb-af2a-080027dbe4b7.html

  glpi -- Reflexive XSS in Dropdown menus
  CVE: CVE-2020-11062
  WWW: https://vuxml.FreeBSD.org/freebsd/07aecafa-3b12-11eb-af2a-080027dbe4b7.html

  glpi -- Unauthenticated Stored XSS
  CVE: CVE-2020-15177
  WWW: https://vuxml.FreeBSD.org/freebsd/09eef008-3b16-11eb-af2a-080027dbe4b7.html

  glpi -- Unauthenticated File Deletion
  CVE: CVE-2020-15175
  WWW: https://vuxml.FreeBSD.org/freebsd/675e5098-3b15-11eb-af2a-080027dbe4b7.html

  glpi -- SQL injection for all usages of "Clone" feature
  CVE: CVE-2020-15108
  WWW: https://vuxml.FreeBSD.org/freebsd/7f163c81-3b12-11eb-af2a-080027dbe4b7.html

  glpi -- leakage issue with knowledge base
  CVE: CVE-2020-15217
  WWW: https://vuxml.FreeBSD.org/freebsd/5acd95db-3b16-11eb-af2a-080027dbe4b7.html

  glpi -- weak csrf tokens
  CVE: CVE-2020-11035
  WWW: https://vuxml.FreeBSD.org/freebsd/b64edef7-3b10-11eb-af2a-080027dbe4b7.html

  glpi -- SQL Injection in Search API
  CVE: CVE-2020-15226
  WWW: https://vuxml.FreeBSD.org/freebsd/0ba61fcc-3b38-11eb-af2a-080027dbe4b7.html

  glpi -- Any CalDAV calendars is read-only for every authenticated user
  CVE: CVE-2020-26212
  WWW: https://vuxml.FreeBSD.org/freebsd/6a467439-3b38-11eb-af2a-080027dbe4b7.html

  glpi -- able to read any token through API user endpoint
  CVE: CVE-2020-11033
  WWW: https://vuxml.FreeBSD.org/freebsd/aec9cbe0-3b0f-11eb-af2a-080027dbe4b7.html

All of these were fixed many versions ago... This is what we have wanted to correct for a long time now...
(In reply to Andrej Ebert from comment #2)

Looking at CVE-2020-15176 in vuln.xml, it is defined with these ranges:

<range><gt>0.68</gt></range>
<range><lt>9.5.2</lt></range>

I don't see why pkg audit would report GLPI 10.0.14,1 as being affected by this vulnerability. However, some other (non-GLPI) entries that specify multiple ranges seem to use a different syntax, like `libtool`, which states for example:

<range><ge>1.3</ge><lt>1.3.5_2</lt></range>

Maybe the GLPI entries should be rewritten this way ... What do you think, guys?
(In reply to Mathias Monnerville from comment #3)

Because

<range><gt>0.68</gt></range>
<range><lt>9.5.2</lt></range>

means: vulnerable are versions:
- greater than 0.68
PLUS
- less than 9.5.2

In this case, all current and future versions match "greater than 0.68", so this should be changed to:

<range><gt>0.68</gt><lt>9.5.2</lt></range>

and it means: vulnerable are versions between 0.68 and 9.5.2. This is the meaning of Andrej's patch.

At some point in the past the PORTEPOCH of glpi was changed to 1 (0.87?), so I changed this into

<range><lt>9.5.2,1</lt></range>

Of course, it is a little bit inaccurate, because it means "all versions under 9.5.2 are vulnerable", but I hope no one is running GLPI version 0.68 or lower.
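To make the range semantics discussed in comments #3 and #4 concrete, here is a small Python model of how VuXML `<range>` elements are matched against a package version. It is an added illustration, not code from this bug report, from pkg(8) or from the vuxml tooling. It assumes the fragments use the bare `<package>` element shown in the thread (no VuXML namespace) and a simplified version syntax `PORTVERSION[_PORTREVISION][,PORTEPOCH]` with purely numeric dotted components; pkg's real comparison also handles letter suffixes, `pl`, `+` and similar forms. The GLPI versions other than 10.0.14,1 used below are constructed for illustration.

```python
"""Simplified model of VuXML <range> matching (added example, not pkg/vuxml code).

Semantics modelled:
  * conditions inside one <range> are ANDed (<gt> and <lt> together = interval);
  * separate <range> elements are ORed (any matching range = affected);
  * FreeBSD versions compare by PORTEPOCH first, then the dotted components,
    then PORTREVISION, so 9.5.2 (epoch 0) sorts BELOW 9.5.1,1 (epoch 1).
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# (epoch, dotted components, revision) - tuples compare lexicographically,
# which is exactly the precedence order we want.
Version = Tuple[int, Tuple[int, ...], int]

_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def parse_version(s: str) -> Version:
    """Parse 'X.Y.Z[_R][,E]' (simplified: numeric components only)."""
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"unsupported version syntax: {s!r}")
    return (epoch, tuple(int(c) for c in s.split(".")), revision)


def parse_ranges(package_xml: str) -> List[Dict[str, str]]:
    """Extract each <range> of a <package> fragment as {op: bound}."""
    pkg = ET.fromstring(package_xml)
    return [{cond.tag: cond.text.strip() for cond in rng} for rng in pkg.findall("range")]


def range_matches(rng: Dict[str, str], version: Version) -> bool:
    """All conditions inside a single <range> must hold (AND)."""
    return all(_OPS[op](version, parse_version(bound)) for op, bound in rng.items())


def is_vulnerable(ranges: List[Dict[str, str]], pkgversion: str) -> bool:
    """The package is affected if ANY <range> matches (OR)."""
    v = parse_version(pkgversion)
    return any(range_matches(r, v) for r in ranges)


# Constructed fragments mirroring the three variants discussed in the thread.
OLD_ENTRY = """<package>
  <name>glpi</name>
  <range><gt>0.68</gt></range>
  <range><lt>9.5.2</lt></range>
</package>"""

INTERVAL_ENTRY = """<package>
  <name>glpi</name>
  <range><gt>0.68</gt><lt>9.5.2</lt></range>
</package>"""

EPOCH_AWARE_ENTRY = """<package>
  <name>glpi</name>
  <range><lt>9.5.2,1</lt></range>
</package>"""


def audit(package_xml: str, versions: List[str]) -> Dict[str, bool]:
    """Evaluate one entry against several package versions."""
    ranges = parse_ranges(package_xml)
    return {v: is_vulnerable(ranges, v) for v in versions}


if __name__ == "__main__":
    # 9.5.1,1 and 0.68 are constructed sample versions, not from the thread.
    samples = ["10.0.14,1", "9.5.1,1", "0.68"]
    for label, entry in (("old", OLD_ENTRY), ("interval", INTERVAL_ENTRY),
                         ("epoch-aware", EPOCH_AWARE_ENTRY)):
        print(label, audit(entry, samples))
```

Running it shows the three behaviours the thread describes: the original two-range entry flags 10.0.14,1 because the `<gt>0.68</gt>` range alone matches every later version; the single interval `<gt>0.68</gt><lt>9.5.2</lt>` stops the false positive but, because the bound has epoch 0, also fails to match any epoch-1 version such as a hypothetical 9.5.1,1; the `<lt>9.5.2,1</lt>` form catches the epoch-1 versions and only overreaches on pre-0.68 versions, which is the inaccuracy noted above.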
Does that mean Andrej's patch is correct, and would you like me to commit it?
(In reply to Philip Paeps from comment #5)

No, Andrej's patch says: all versions between 0.68 and 9.5.2 are vulnerable. But glpi in version 9.5.2 never existed in ports; it was version 9.5.2,1.

My patch says: all versions prior to 9.5.2,1 are vulnerable. I think this is the better solution.
Cool. Thank you for clarifying. I agree that your patch looks correct. I'll commit it shortly.
Hmm. Hang on. This adds <entry>s to 2023.xml. I don't think that's correct. While the vulnerabilities were discovered in 2023, we're adding them to vuxml in 2024.

I'm happy to correct the ranges in 2020.xml (and others), with appropriate <modified> tags. The new entries should go in 2024.xml however.

Could you please regenerate your patch for me? Thank you. Sorry for the bugzilla noise!
Thanks for your patch (and explanations), Tomáš! @Philipp, this patch looks good to me.
Created attachment 250221 [details] updated patch with corrected year.xml and modified tags

(In reply to Philip Paeps from comment #8)

Uploading another version of the patch, modified according to your requirements.
Sorry for more bugzilla noise, I just want to say thank you to Andrej Ebert: the patches for years 2020 and 2023 are mainly his work, I just stole them from him and did some minor changes :)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=539ca10aa3f0e80f78b1e684815c2a8d1b74da40

commit 539ca10aa3f0e80f78b1e684815c2a8d1b74da40
Author:     Tomáš Čiernik <tomas@ciernik.sk>
AuthorDate: 2024-04-25 10:18:00 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2024-04-25 11:16:00 +0000

    security/vuxml: correct historical www/glpi entries

    Several older entries for www/glpi had incorrect version ranges, causing
    pkg audit to complain about false positives. This corrects the older
    entries and adds some missing ones.

    PR: 278549

 security/vuxml/vuln/2020.xml |  70 +++--
 security/vuxml/vuln/2023.xml |   3 +-
 security/vuxml/vuln/2024.xml | 555 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 597 insertions(+), 31 deletions(-)
Thank you all!
Great! Thank you Andrej for your initial patch!