
Bug#682482: unblock: glpi/0.83.31-1



On Mon, Jul 30, 2012 at 02:49:50PM +0200, Niels Thykier wrote:
> On 2012-07-23 10:56, Pierre Chifflier wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > 
> > Hi,
> > 
> > GLPI 0.83.31 (micro-fix based on 0.83.3) is an important security
> > release, fixing two CVEs:
> > 
> > CVE-2012-4002:
> >   Bug #3704: CSRF prevention step 1
> >   Bug #3707: CSRF prevention step 2
> > 
> > CVE-2012-4003:
> >   Bug #3705: Security XSS for few items
> > 
> > https://forge.indepnet.net/projects/glpi/versions/771
> > 
> > Note: the diff from 0.83.2-1 (current testing) is pretty big, but almost
> > all the patch is made of fixes in many files. Trying to backport would
> > make no sense imho since it would bring almost everything, and make future
> > maintenance even harder.
> > 
> > Please allow GLPI 0.83.31 in testing.
> > 
> > Regards,
> > Pierre
> > 
> > unblock glpi/0.83.31-1
> > 
> > 
> 
> Hi,
> 
> I am afraid that diff is too much for me to review.  I have tried a
> couple of times now and there is a lot in there I expect is "unrelated
> changes".
> 
> I understand that due to #3707, the security fix only will still be a
> huge diff.  That said, it is not the Html::closeForm() (i.e. CSRF step
> 2) that I choke on.  So I would be interested in seeing the
> diff with only the security fixes.
> 
> ~Niels
> 
> 

Hi,

I agree that the diff is pretty big, and that splitting out only the
security fixes is hard (and would make maintenance almost impossible).

I used a few commands to extract a "trimmed" version of the patch:

git diff upstream/0.83.2..upstream/0.83.31 > glpi_0.83.31_raw.diff
filterdiff -x '*locales*' -x '*htmlawed*' \
 -x '*glpi-0.83.1-empty.sql*' -x '*update*' \
 glpi_0.83.31_raw.diff > glpi_0.83.31_filtered.diff

to exclude the changes related to locales and similar. I did not attach
the patch to this mail; it is still 200kB.

The stripped diff still makes 5300 lines out of the ~9000 original. It
also appears that it does not only include calls to Html::closeForm()
but also checks on HTTP_REFERER (and exemptions on some pages with
DO_NOT_CHECK_HTTP_REFERER), and the addition of CURRENTCSRFTOKEN.

I know that there are rules for the freeze, but I do not feel there are
many choices here:
- keep a vulnerable version for wheezy. Not good. I may try to maintain
  something in -backports, but that would still mean having a vulnerable
  version by default.
- try to backport only the security corrections in the current version
  in testing. Honestly, I do not think I will be able to do that, so if
  this is decided I will ask for some help.

Additionally, since the submission of this ticket, version 0.83.4 was
released with some new fixes (not tagged as security, but #3800 also
concerns HTTP_REFERER, for example).

Regards,
Pierre
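
An added illustration of the three pieces Pierre lists above (a per-form
token, a Referer check, and a per-page exemption constant). This is not
GLPI's code and not part of the thread; the function names, the form field
name `_csrf_token` and the session key `csrf_tokens` are assumptions, and
only the constant name DO_NOT_CHECK_HTTP_REFERER comes from the mail.

```php
<?php
// Added illustration only: a synchronizer-token CSRF check plus a Referer
// host check with a per-page opt-out, in the spirit of the mechanism the
// mail describes. Not GLPI's code; function names, the form field name
// '_csrf_token' and the session key 'csrf_tokens' are assumptions.
// Only the constant name DO_NOT_CHECK_HTTP_REFERER is taken from the mail.

// Issue a fresh one-time token for a form and return the hidden input
// the form must carry. Tokens are kept server-side in the session.
function csrfHiddenField(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['csrf_tokens'][] = ['token' => $token, 'issued' => time()];
    return '<input type="hidden" name="_csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// True if the submitted token was issued to this session and is not stale.
// The matching token is consumed so a captured form cannot be replayed.
function csrfTokenValid(array $post, int $maxAgeSeconds = 7200): bool
{
    $submitted = $post['_csrf_token'] ?? null;
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    foreach ($_SESSION['csrf_tokens'] ?? [] as $i => $entry) {
        if (hash_equals($entry['token'], $submitted)) {   // constant-time compare
            unset($_SESSION['csrf_tokens'][$i]);
            return (time() - $entry['issued']) <= $maxAgeSeconds;
        }
    }
    return false;
}

// Referer check: the referring page must be on the host serving this page.
// A page that legitimately receives posts from elsewhere opts out by
// defining DO_NOT_CHECK_HTTP_REFERER before this runs. In production,
// compare against a configured base URL rather than HTTP_HOST, which a
// client can influence on misconfigured servers.
function refererAcceptable(array $server): bool
{
    if (defined('DO_NOT_CHECK_HTTP_REFERER')) {
        return true;
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    $host    = $server['HTTP_HOST'] ?? '';
    if ($referer === '' || $host === '') {
        return false;                            // no Referer: treat as untrusted
    }
    $refererHost  = parse_url($referer, PHP_URL_HOST);
    $expectedHost = parse_url('http://' . $host, PHP_URL_HOST);  // drops any :port
    return is_string($refererHost) && is_string($expectedHost)
        && strcasecmp($refererHost, $expectedHost) === 0;
}

// Gate for every state-changing request: both checks must pass.
function requireValidStateChangingRequest(array $post, array $server): void
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;                                  // only writes are protected
    }
    if (!csrfTokenValid($post) || !refererAcceptable($server)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token or Referer');
    }
}

// Usage: at the top of a page that processes a form,
//   requireValidStateChangingRequest($_POST, $_SERVER);
// and in the page that renders the form,
//   echo '<form method="post">' . csrfHiddenField() /* ... fields ... */;
```

The Referer check is the weaker of the two controls: browsers and proxies
frequently strip or suppress the header, so rejecting requests that lack
it breaks legitimate users and is why an opt-out constant for the pages
that cannot carry a token is needed at all. The token is the control that
actually stops a forged cross-site post.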
