Bug 255948 - security/vuxml: add CVE entries related to www/glpi
Summary: security/vuxml: add CVE entries related to www/glpi
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: Philip Paeps
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-17 15:23 UTC by Mathias Monnerville
Modified: 2024-04-23 11:11 UTC
CC List: 6 users

See Also:


Attachments
Patch against vuln.xml, added more CVE entries related to www/glpi (24.40 KB, patch); 2021-05-17 15:23 UTC, Mathias Monnerville; no flags
Fix version ranges of glpi issues (4.60 KB, patch); 2022-03-17 04:21 UTC, Philip Paeps; philip: maintainer-approval?
Add new CVEs, fix version ranges in old (30.56 KB, patch); 2024-04-22 19:58 UTC, Tomáš Čiernik; no flags

Description Mathias Monnerville 2021-05-17 15:23:15 UTC
Created attachment 225032
Patch against vuln.xml, added more CVE entries related to www/glpi

Patch for security/vuxml with new entries for the www/glpi port I maintain.

I do it following my recent PR 255943 about upgrading www/glpi to 9.5.5.

Thanks!
Comment 1 Li-Wen Hsu freebsd_committer freebsd_triage 2021-10-22 20:48:09 UTC
(In reply to Mathias Monnerville from comment #0)
The patch seems the same as the one in bug 251754?
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-03-07 17:24:05 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8d55457d6e333a68173be8f6ec18d1f6bb6644cf

commit 8d55457d6e333a68173be8f6ec18d1f6bb6644cf
Author:     Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2022-03-07 17:22:33 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2022-03-07 17:23:07 +0000

    security/vuxml: add CVE entries related to www/glpi

    PR:     255948

 security/vuxml/vuln-2022.xml | 529 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 529 insertions(+)
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-03-10 12:16:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=235afb70eeabda744aabc8a858023f4eb8184356

commit 235afb70eeabda744aabc8a858023f4eb8184356
Author:     Dmitry Marakasov <amdmi3@FreeBSD.org>
AuthorDate: 2022-03-10 12:09:48 +0000
Commit:     Dmitry Marakasov <amdmi3@FreeBSD.org>
CommitDate: 2022-03-10 12:10:24 +0000

    security/vuxml: fix syntax broken in 8d55457

    PR:             255948

 security/vuxml/vuln-2022.xml | 1 -
 1 file changed, 1 deletion(-)
Comment 4 Dmitry Marakasov freebsd_committer freebsd_triage 2022-03-10 12:17:54 UTC
Please revert/fix this, and next time please do `make validate` before committing to vuxml.

This commit introduced invalid XML (fixed in 235afb7) and a bunch of duplicate entries copied from 2020:

Error: duplicate vid : b3695b08-3b3a-11eb-af2a-080027dbe4b7
Error: duplicate vid : 695b2310-3b3a-11eb-af2a-080027dbe4b7
Error: duplicate vid : 190176ce-3b3a-11eb-af2a-080027dbe4b7
Error: duplicate vid : 6a467439-3b38-11eb-af2a-080027dbe4b7
Error: duplicate vid : 0ba61fcc-3b38-11eb-af2a-080027dbe4b7
Error: duplicate vid : 5acd95db-3b16-11eb-af2a-080027dbe4b7
Error: duplicate vid : 09eef008-3b16-11eb-af2a-080027dbe4b7
Error: duplicate vid : b7abdb0f-3b15-11eb-af2a-080027dbe4b7
Error: duplicate vid : 675e5098-3b15-11eb-af2a-080027dbe4b7
Error: duplicate vid : 7f163c81-3b12-11eb-af2a-080027dbe4b7
Error: duplicate vid : 07aecafa-3b12-11eb-af2a-080027dbe4b7
Error: duplicate vid : 832fd11b-3b11-11eb-af2a-080027dbe4b7
Error: duplicate vid : 27a230a2-3b11-11eb-af2a-080027dbe4b7
Error: duplicate vid : b64edef7-3b10-11eb-af2a-080027dbe4b7
Error: duplicate vid : 3a63f478-3b10-11eb-af2a-080027dbe4b7
Error: duplicate vid : aec9cbe0-3b0f-11eb-af2a-080027dbe4b7
Error: duplicate vid : b3aae7ea-3aef-11eb-af2a-080027dbe4b7
Error: duplicate vid : 0309c898-3aed-11eb-af2a-080027dbe4b7
Error: duplicate vid : d3f60db0-3aea-11eb-af2a-080027dbe4b7
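The two failure modes listed in comment 4 (invalid XML, and vids re-added in vuln-2022.xml that already existed in the 2020 entries) can be caught before committing. The script below is an added example written for this page; it is not the vuxml port's `make validate` target, which additionally validates against the DTD. It deliberately takes several documents at once, because a vid that is unique within one year's file can still collide with an earlier file. The two sample documents are constructed; the vids and topics in them are taken from the pkg audit output quoted later on this page.

```python
"""Check vuln.xml fragments for well-formed XML and unique vid attributes.

Added example for this bug page; not the vuxml port's `make validate`
target (which also validates against the DTD). Several documents are
checked together because a vid that is unique inside vuln-2022.xml can
still collide with an entry in an earlier year's file.
"""
from collections import Counter
import xml.etree.ElementTree as ET

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"
VULN_TAG = f"{{{VUXML_NS}}}vuln"

# Constructed sample standing in for the 2020 entries (two vulns).
DOC_2020 = f"""<vuxml xmlns="{VUXML_NS}">
  <vuln vid="b64edef7-3b10-11eb-af2a-080027dbe4b7">
    <topic>glpi -- weak csrf tokens</topic>
  </vuln>
  <vuln vid="aec9cbe0-3b0f-11eb-af2a-080027dbe4b7">
    <topic>glpi -- able to read any token through API user endpoint</topic>
  </vuln>
</vuxml>"""

# Constructed sample standing in for a 2022 file that re-adds one of them.
DOC_2022 = f"""<vuxml xmlns="{VUXML_NS}">
  <vuln vid="b64edef7-3b10-11eb-af2a-080027dbe4b7">
    <topic>glpi -- weak csrf tokens</topic>
  </vuln>
</vuxml>"""


def check_vuxml(*documents):
    """Return a list of problems across all documents; empty means clean."""
    problems = []
    vids = Counter()
    for index, text in enumerate(documents):
        try:
            root = ET.fromstring(text)
        except ET.ParseError as exc:
            # A stray tag makes the rest of that file untrustworthy: report
            # it and keep checking the other documents for duplicates.
            problems.append(f"document {index}: invalid XML: {exc}")
            continue
        # Count every vid seen, across all documents, then report repeats.
        vids.update(el.get("vid") for el in root.iter(VULN_TAG))
    for vid, count in sorted(vids.items()):
        if count > 1:
            problems.append(f"duplicate vid : {vid}")
    return problems


if __name__ == "__main__":
    for line in check_vuxml(DOC_2020, DOC_2022):
        print("Error:", line)
```

Run against the real tree you would pass the contents of every `vuln-*.xml` that `vuln.xml` includes, not just the file you edited; the messages follow the `duplicate vid : ...` form quoted above so they can be grepped the same way.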
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-03-16 08:40:08 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e40349c9f5cca24eccd3889f34c404a2d6225509

commit e40349c9f5cca24eccd3889f34c404a2d6225509
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2022-03-16 08:28:48 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2022-03-16 08:28:48 +0000

    security/vuxml: remove duplicate glpi entries

    These entries, introduced in 8d55457d6e333a68173be8f6ec18d1f6bb6644cf,
    were already added to vuxml in 6fdeda4e86c4109ef9be89a0a21d2a15baae3b5b.

    This fixes "make validate"

    PR:             255948
    Pointy hat to:  nc

 security/vuxml/vuln-2022.xml | 528 -------------------------------------------
 1 file changed, 528 deletions(-)
Comment 6 Tomáš Čiernik 2022-03-16 14:37:17 UTC
Hello,

I'm not sure if the behavior on my machine is related to this bug, but pkg audit gives this result:

glpi-9.5.7,1 is vulnerable:
  glpi -- weak csrf tokens
  CVE: CVE-2020-11035
  WWW: https://vuxml.FreeBSD.org/freebsd/b64edef7-3b10-11eb-af2a-080027dbe4b7.html

  glpi -- Unauthenticated File Deletion
  CVE: CVE-2020-15175
  WWW: https://vuxml.FreeBSD.org/freebsd/675e5098-3b15-11eb-af2a-080027dbe4b7.html

  glpi -- able to read any token through API user endpoint
  CVE: CVE-2020-11033
  WWW: https://vuxml.FreeBSD.org/freebsd/aec9cbe0-3b0f-11eb-af2a-080027dbe4b7.html

  glpi -- leakage issue with knowledge base
  CVE: CVE-2020-15217
  WWW: https://vuxml.FreeBSD.org/freebsd/5acd95db-3b16-11eb-af2a-080027dbe4b7.html

  glpi -- Unauthenticated Stored XSS
  CVE: CVE-2020-15177
  WWW: https://vuxml.FreeBSD.org/freebsd/09eef008-3b16-11eb-af2a-080027dbe4b7.html

  glpi -- SQL injection for all usages of "Clone" feature
  CVE: CVE-2020-15108
  WWW: https://vuxml.FreeBSD.org/freebsd/7f163c81-3b12-11eb-af2a-080027dbe4b7.html

  glpi -- SQL Injection in Search API
  CVE: CVE-2020-15226
  WWW: https://vuxml.FreeBSD.org/freebsd/0ba61fcc-3b38-11eb-af2a-080027dbe4b7.html

  glpi -- Any CalDAV calendars is read-only for every authenticated user
  CVE: CVE-2020-26212
  WWW: https://vuxml.FreeBSD.org/freebsd/6a467439-3b38-11eb-af2a-080027dbe4b7.html

  glpi -- Multiple SQL Injections Stemming From isNameQuoted()
  CVE: CVE-2020-15176
  WWW: https://vuxml.FreeBSD.org/freebsd/b7abdb0f-3b15-11eb-af2a-080027dbe4b7.html

  glpi -- Reflexive XSS in Dropdown menus
  CVE: CVE-2020-11062
  WWW: https://vuxml.FreeBSD.org/freebsd/07aecafa-3b12-11eb-af2a-080027dbe4b7.html


According to https://vuxml.freebsd.org/freebsd/675e5098-3b15-11eb-af2a-080027dbe4b7.html , this vulnerability should be patched in glpi version 9.5.2, but "Affected packages" shows that all versions higher than 0.70 OR lower than 9.5.2 are affected. With the local vuln.xml "patch" below, this vulnerability drops out of the result.

# diff -u vuln.xml.orig vuln.xml
--- vuln.xml.orig       2022-03-16 15:22:18.496029000 +0100
+++ vuln.xml    2022-03-16 15:25:41.682943000 +0100
@@ -15450,8 +15450,10 @@
     <affects>
       <package>
        <name>glpi</name>
-       <range><gt>0.70</gt></range>
-       <range><lt>9.5.2</lt></range>
+       <range>
+         <gt>0.70</gt>
+         <lt>9.5.2</lt>
+       </range>
       </package>
     </affects>
     <description>
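Review bot: merging the two sibling `<range>` elements into one is the right fix for the OR semantics (on their own, `<range><gt>0.70</gt></range>` matched every release, which is why 9.5.7,1 was flagged), but the merged bounds still carry no port epoch. The audited package above is glpi-9.5.7,1, so the port has PORTEPOCH 1; a 9.5.1,1 package compares greater than a bare `9.5.2` on epoch alone and would escape `<lt>9.5.2</lt>` even though it is vulnerable. If the affected releases shipped with that epoch, write it into the bound (`<lt>9.5.2,1</lt>`), and confirm whether the lower bound should be `<ge>0.70</ge>` rather than `<gt>`, since `<gt>` excludes 0.70 itself.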
Comment 7 Philip Paeps freebsd_committer freebsd_triage 2022-03-17 04:21:41 UTC
Created attachment 232495
Fix version ranges of glpi issues

(In reply to Tomáš Čiernik from comment #6)

I think you're right.  Could someone familiar with this port and its releases please review the attached patch?  The maintainer is probably the best placed for this.

I'm happy to commit this if someone can check if it's correct.  Thanks!
Comment 8 Philip Paeps freebsd_committer freebsd_triage 2022-03-17 04:23:49 UTC
In particular: please check if that shouldn't be <ge> rather than <gt>...
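The range semantics discussed in comments 6 and 8 (sibling `<range>` elements are alternatives, bounds inside one `<range>` must all hold, `<gt>` excludes the boundary version, and epochs take precedence in version comparison) can be checked offline. The script below is an added example written for this page; it is neither pkg's audit code nor part of security/vuxml. The three `<affects>` fragments are constructed to mirror the before and after forms in comment 6 plus a variant with the epoch written into the bound; the version comparison is a simplified model of pkg's rules (epoch `,N` first, then dotted numeric components, then `_N` revision, no letter suffixes), and the epoch variant assumes www/glpi carried PORTEPOCH 1 for the releases shown, which this page only confirms for 9.5.7,1.

```python
"""Evaluate VuXML <affects> ranges against a FreeBSD package version.

Added example for this bug page; neither pkg's audit code nor part of
security/vuxml. The version comparison is a simplified model of pkg's
(epoch ",N" first, then dotted numeric components, then "_N" revision);
letter suffixes are rejected rather than modelled.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: sibling <range> elements are alternatives, so the first one
# (every version newer than 0.70) matches on its own.
BROKEN = """<affects><package><name>glpi</name>
  <range><gt>0.70</gt></range>
  <range><lt>9.5.2</lt></range>
</package></affects>"""

# Constructed: one <range> whose bounds must all hold.
FIXED = """<affects><package><name>glpi</name>
  <range><gt>0.70</gt><lt>9.5.2</lt></range>
</package></affects>"""

# Constructed: same, with the assumed port epoch written into the bound.
FIXED_EPOCH = """<affects><package><name>glpi</name>
  <range><gt>0.70</gt><lt>9.5.2,1</lt></range>
</package></affects>"""

OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def parse_version(v):
    """'VERSION[_REV][,EPOCH]' -> (epoch, version tuple, revision).

    Simplification of pkg's rules: numeric dotted components only, trailing
    zero components dropped so 9.5 == 9.5.0, epoch compared before anything.
    """
    m = re.fullmatch(r"([0-9.]+)(?:_(\d+))?(?:,(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    version, rev, epoch = m.groups()
    nums = [int(p) for p in version.split(".") if p]
    while nums and nums[-1] == 0:
        nums.pop()
    return (int(epoch or 0), tuple(nums), int(rev or 0))


def bound_holds(op, bound, version):
    """Evaluate a single bound, e.g. bound_holds("ge", "0.70", "0.70")."""
    return OPS[op](parse_version(version), parse_version(bound))


def range_matches(rng, pkgver):
    """One <range> matches only if every bound inside it holds (AND)."""
    return all(OPS[b.tag](pkgver, parse_version(b.text)) for b in rng)


def affected(affects_xml, name, version):
    """A package is affected if any <range> under its <package> matches (OR)."""
    root = ET.fromstring(affects_xml)
    pkgver = parse_version(version)
    return any(
        range_matches(r, pkgver)
        for pkg in root.iter("package")
        if pkg.findtext("name") == name
        for r in pkg.iter("range")
    )


def audit_all(version):
    """Map each constructed fragment to whether it flags the given version."""
    return {
        "broken": affected(BROKEN, "glpi", version),
        "fixed": affected(FIXED, "glpi", version),
        "fixed_epoch": affected(FIXED_EPOCH, "glpi", version),
    }


if __name__ == "__main__":
    for ver in ("9.5.7,1", "9.5.1", "9.5.1,1", "0.70"):
        print(ver, audit_all(ver))
```

The interesting rows are 9.5.7,1 (flagged only by the broken form, the false positive from comment 6) and 9.5.1,1 (missed by the corrected form without an epoch, flagged once the bound reads 9.5.2,1), which is why comment 11 mentions adding the portepoch to the affected versions. Version 0.70 itself is flagged by the broken form through its second range and excluded by `<gt>` in the fixed ones; `bound_holds("ge", "0.70", "0.70")` shows what switching to `<ge>` would change.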
Comment 9 Andrej Ebert 2023-10-11 13:21:09 UTC
Please see my 10.0.10 patch at bug #272685; it also fixes older entries and adds new ones.
Comment 10 Tomáš Čiernik 2024-04-22 19:58:25 UTC
Created attachment 250162
Add new CVEs, fix version ranges in old
Comment 11 Tomáš Čiernik 2024-04-22 20:00:39 UTC
Comment on attachment 232495
Fix version ranges of glpi issues

With bug 272685 closed and GLPI 10.0.14 in ports, here is the new VULN list.

Its goal is to deal with incorrectly added GLPI vulnerabilities from 2020 and 2023 (IMHO adding false positives is quite dangerous; people will learn to ignore the output of pkg audit), and to add new vulnerabilities discovered in 2023 and 2024.

Thanks to the work of Andrej Ebert, very few changes were needed to his patch, basically just adding the portepoch to the affected versions.
Comment 12 Tomáš Čiernik 2024-04-22 21:06:20 UTC
Comment on attachment 250162
Add new CVEs, fix version ranges in old

Of course, my previous comment was meant for this attachment.
Comment 13 Jochen Neumeister freebsd_committer freebsd_triage 2024-04-23 11:10:39 UTC
If there is a new version of a port with a CVE, please open a new PR with a patch for the port and a vuxml entry.
Older entries in the vuxml will not be changed! 

Jochen - ports-secteam