Bug 255948 - security/vuxml: add CVE entries related to www/glpi
Summary: security/vuxml: add CVE entries related to www/glpi
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Philip Paeps
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-17 15:23 UTC by Mathias Monnerville
Modified: 2023-10-11 13:21 UTC (History)
5 users (show)

See Also:


Attachments
Patch against vuln.xml, added more CVE entries related to www/glpi (24.40 KB, patch)
2021-05-17 15:23 UTC, Mathias Monnerville
no flags Details | Diff
Fix version ranges of glpi issues (4.60 KB, patch)
2022-03-17 04:21 UTC, Philip Paeps
philip: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mathias Monnerville 2021-05-17 15:23:15 UTC
Created attachment 225032 [details]
Patch against vuln.xml, added more CVE entries related to www/glpi

Patch for security/vuxml with new entries for the www/glpi port I maintain.

I do it following my recent PR 255943 about upgrading www/glpi to 9.5.5.

Thanks!
Comment 1 Li-Wen Hsu freebsd_committer freebsd_triage 2021-10-22 20:48:09 UTC
(In reply to Mathias Monnerville from comment #0)
The patch seems the same as the one in bug251754 ?
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-03-07 17:24:05 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8d55457d6e333a68173be8f6ec18d1f6bb6644cf

commit 8d55457d6e333a68173be8f6ec18d1f6bb6644cf
Author:     Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2022-03-07 17:22:33 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-03-07 17:23:07 +0000

    security/vuxml: add CVE entries related to www/glpi

    PR:     255948

 security/vuxml/vuln-2022.xml | 529 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 529 insertions(+)
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-03-10 12:16:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=235afb70eeabda744aabc8a858023f4eb8184356

commit 235afb70eeabda744aabc8a858023f4eb8184356
Author:     Dmitry Marakasov <amdmi3@FreeBSD.org>
AuthorDate: 2022-03-10 12:09:48 +0000
Commit:     Dmitry Marakasov <amdmi3@FreeBSD.org>
CommitDate: 2022-03-10 12:10:24 +0000

    security/vuxml: fix syntax broken in 8d55457

    PR:             255948

 security/vuxml/vuln-2022.xml | 1 -
 1 file changed, 1 deletion(-)
Comment 4 Dmitry Marakasov freebsd_committer freebsd_triage 2022-03-10 12:17:54 UTC
Please revert/fix this, and next time please do `make validate` before committing to vuxml.

This commit introduced invalid XML (fixed in 235afb7) and a bunch of duplicate entries copied from 2020:

Error: duplicate vid : b3695b08-3b3a-11eb-af2a-080027dbe4b7
Error: duplicate vid : 695b2310-3b3a-11eb-af2a-080027dbe4b7
Error: duplicate vid : 190176ce-3b3a-11eb-af2a-080027dbe4b7
Error: duplicate vid : 6a467439-3b38-11eb-af2a-080027dbe4b7
Error: duplicate vid : 0ba61fcc-3b38-11eb-af2a-080027dbe4b7
Error: duplicate vid : 5acd95db-3b16-11eb-af2a-080027dbe4b7
Error: duplicate vid : 09eef008-3b16-11eb-af2a-080027dbe4b7
Error: duplicate vid : b7abdb0f-3b15-11eb-af2a-080027dbe4b7
Error: duplicate vid : 675e5098-3b15-11eb-af2a-080027dbe4b7
Error: duplicate vid : 7f163c81-3b12-11eb-af2a-080027dbe4b7
Error: duplicate vid : 07aecafa-3b12-11eb-af2a-080027dbe4b7
Error: duplicate vid : 832fd11b-3b11-11eb-af2a-080027dbe4b7
Error: duplicate vid : 27a230a2-3b11-11eb-af2a-080027dbe4b7
Error: duplicate vid : b64edef7-3b10-11eb-af2a-080027dbe4b7
Error: duplicate vid : 3a63f478-3b10-11eb-af2a-080027dbe4b7
Error: duplicate vid : aec9cbe0-3b0f-11eb-af2a-080027dbe4b7
Error: duplicate vid : b3aae7ea-3aef-11eb-af2a-080027dbe4b7
Error: duplicate vid : 0309c898-3aed-11eb-af2a-080027dbe4b7
Error: duplicate vid : d3f60db0-3aea-11eb-af2a-080027dbe4b7
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-03-16 08:40:08 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e40349c9f5cca24eccd3889f34c404a2d6225509

commit e40349c9f5cca24eccd3889f34c404a2d6225509
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2022-03-16 08:28:48 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2022-03-16 08:28:48 +0000

    security/vuxml: remove duplicate gpli entries

    These entries, introduced in 8d55457d6e333a68173be8f6ec18d1f6bb6644cf,
    were already added to vuxml in 6fdeda4e86c4109ef9be89a0a21d2a15baae3b5b.

    This fixes "make validate"

    PR:             255948
    Pointy hat to:  nc

 security/vuxml/vuln-2022.xml | 528 -------------------------------------------
 1 file changed, 528 deletions(-)
Comment 6 Tomáš Čiernik 2022-03-16 14:37:17 UTC
Hello,

I'm not sure if behavior on my machine is related to this bug, but pkg audit gives result:

glpi-9.5.7,1 is vulnerable:
  glpi -- weak csrf tokens
  CVE: CVE-2020-11035
  WWW: https://vuxml.FreeBSD.org/freebsd/b64edef7-3b10-11eb-af2a-080027dbe4b7.html

  glpi -- Unauthenticated File Deletion
  CVE: CVE-2020-15175
  WWW: https://vuxml.FreeBSD.org/freebsd/675e5098-3b15-11eb-af2a-080027dbe4b7.html

  glpi -- able to read any token through API user endpoint
  CVE: CVE-2020-11033
  WWW: https://vuxml.FreeBSD.org/freebsd/aec9cbe0-3b0f-11eb-af2a-080027dbe4b7.html

  glpi -- leakage issue with knowledge base
  CVE: CVE-2020-15217
  WWW: https://vuxml.FreeBSD.org/freebsd/5acd95db-3b16-11eb-af2a-080027dbe4b7.html

  glpi -- Unauthenticated Stored XSS
  CVE: CVE-2020-15177
  WWW: https://vuxml.FreeBSD.org/freebsd/09eef008-3b16-11eb-af2a-080027dbe4b7.html

  glpi -- SQL injection for all usages of "Clone" feature
  CVE: CVE-2020-15108
  WWW: https://vuxml.FreeBSD.org/freebsd/7f163c81-3b12-11eb-af2a-080027dbe4b7.html

  glpi -- SQL Injection in Search API
  CVE: CVE-2020-15226
  WWW: https://vuxml.FreeBSD.org/freebsd/0ba61fcc-3b38-11eb-af2a-080027dbe4b7.html

  glpi -- Any CalDAV calendars is read-only for every authenticated user
  CVE: CVE-2020-26212
  WWW: https://vuxml.FreeBSD.org/freebsd/6a467439-3b38-11eb-af2a-080027dbe4b7.html

  glpi -- Multiple SQL Injections Stemming From isNameQuoted()
  CVE: CVE-2020-15176
  WWW: https://vuxml.FreeBSD.org/freebsd/b7abdb0f-3b15-11eb-af2a-080027dbe4b7.html

  glpi -- Reflexive XSS in Dropdown menus
  CVE: CVE-2020-11062
  WWW: https://vuxml.FreeBSD.org/freebsd/07aecafa-3b12-11eb-af2a-080027dbe4b7.html


According to https://vuxml.freebsd.org/freebsd/675e5098-3b15-11eb-af2a-080027dbe4b7.html , this vulnerability should be patched with glpi version 9.5.2, but "Affected packages" shows that affected are all versions higher than 0.70 OR lower than 9.5.2. With local vuln.xml "patch" this vulnerability drops out of result.

# diff -u vuln.xml.orig vuln.xml
--- vuln.xml.orig       2022-03-16 15:22:18.496029000 +0100
+++ vuln.xml    2022-03-16 15:25:41.682943000 +0100
@@ -15450,8 +15450,10 @@
     <affects>
       <package>
        <name>glpi</name>
-       <range><gt>0.70</gt></range>
-       <range><lt>9.5.2</lt></range>
+       <range>
+         <gt>0.70</gt>
+         <lt>9.5.2</lt>
+       </range>
       </package>
     </affects>
     <description>
Comment 7 Philip Paeps freebsd_committer freebsd_triage 2022-03-17 04:21:41 UTC
Created attachment 232495 [details]
Fix version ranges of glpi issues

(In reply to Tomáš Čiernik from comment #6)

I think you're right.  Could someone familiar with this port and its releases please review the attached patch?  The maintainer is probably the best placed for this.

I'm happy to commit this if someone can check if it's correct.  Thanks!
Comment 8 Philip Paeps freebsd_committer freebsd_triage 2022-03-17 04:23:49 UTC
In particular: please check if that shouldn't be <ge> rather than <gt>...
Comment 9 Andrej Ebert 2023-10-11 13:21:09 UTC
Please see my 10.0.10 patch at bug #272685, it also fixes older entries and adds new ones.