On Mon, Jul 30, 2012 at 02:49:50PM +0200, Niels Thykier wrote:
> On 2012-07-23 10:56, Pierre Chifflier wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: [email protected]
> > Usertags: unblock
> >
> > Hi,
> >
> > GLPI 0.83.31 (micro-fix based on 0.83.3) is an important security
> > release, fixing two CVEs:
> >
> > CVE-2012-4002:
> >   Bug #3704: CSRF prevention step 1
> >   Bug #3707: CSRF prevention step 2
> >
> > CVE-2012-4003:
> >   Bug #3705: Security XSS for few items
> >
> > https://forge.indepnet.net/projects/glpi/versions/771
> >
> > Note: the diff from 0.83.2-1 (current testing) is pretty big, but almost
> > all the patch is made of fixes in many files. Trying to backport would
> > make no sense imho since it would bring almost everything, and make
> > future maintenance even harder.
> >
> > Please allow GLPI 0.83.31 in testing.
> >
> > Regards,
> > Pierre
> >
> > unblock glpi/0.83.31-1
> >
>
> Hi,
>
> I am afraid that diff is too much for me to review. I have tried a
> couple of times now and there is a lot in there I expect is "unrelated
> changes".
>
> I understand that due to #3707, the security fix only will still be a
> huge diff. That said, it is not the Html::closeForm() (i.e. CSRF step
> 2) that I choke on. So I would be interested in seeing the diff with
> only the security fixes.
>
> ~Niels
>
Hi,

I agree that the diff is pretty big, and that splitting out only the
security fixes is hard (and would make maintenance almost impossible).

I used a few commands to extract a "trimmed" version of the patch:

    # 'git df' is presumably a local alias for 'git diff'
    git df upstream/0.83.2..upstream/0.83.31 > glpi_0.83.31_raw.diff
    # filterdiff (patchutils): -x excludes files whose path matches the glob
    cat glpi_0.83.31_raw.diff | filterdiff -x '*locales*' -x '*htmlawed*' \
        -x '*glpi-0.83.1-empty.sql*' -x '*update*' > glpi_0.83.31_filtered.diff

to exclude the changes related to locales and similar. I did not attach
the patch to this mail, it is still 200kB. The stripped diff still makes
5300 lines out of the ~9000 original.

It also appears that it does not only include calls to Html::closeForm()
but also checks on HTTP_REFERER (and exemption on some pages with
DO_NOT_CHECK_HTTP_REFERER), and addition of CURRENTCSRFTOKEN.

I know that there are rules for the freeze, but I do not feel there are
many choices here:

- keep a vulnerable version for wheezy. Not good. I may try to maintain
  something in -backports, but that would still mean having a vulnerable
  version by default.

- try to backport only the security corrections in the current version
  in testing. Honestly, I do not think I will be able to do that, so if
  this is decided I will ask for some help.

Additionally, since the submission of this ticket, version 0.83.4 was
released with some new fixes (not tagged as security, but #3800 also
concerns HTTP_REFERER, for example).

Regards,
Pierre

--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
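The trimming step Pierre describes (drop locale, htmlawed, SQL dump and update-script files from the raw diff, then look for the hunks that actually touch the CSRF machinery: Html::closeForm(), the HTTP_REFERER checks and CURRENTCSRFTOKEN) can be reproduced in a small script so a reviewer gets both the reduced line count and a list of the hunks worth reading first. The following is an added example, not Pierre's commands and not GLPI code: it re-implements the `filterdiff -x` exclusion with Python's `fnmatch`, expects `git diff` style output (`diff --git a/... b/...` headers), and runs on a constructed sample diff whose file contents, function names (`require_login`, `$ticket->check`) and paths are illustrative only. The helper names (`split_files`, `filter_diff`, `flag_hunks`, `summarize`) are mine.

```python
"""Trim a unified diff the way 'filterdiff -x' does and flag hunks that
touch the CSRF mechanisms named in the thread.  Added example, not GLPI
code.  Assumes 'git diff' style headers; the sample diff is constructed."""
import fnmatch

# Constructed sample: two files with security-relevant hunks plus the kind of
# noise (locale file, update script) the thread excludes from review.
SAMPLE_DIFF = """\
diff --git a/inc/html.class.php b/inc/html.class.php
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -10,4 +10,8 @@ class Html {
    static function openForm() {
       echo "<form>";
    }
+   static function closeForm() {
+      echo "<input type='hidden' name='csrf_token' value='".CURRENTCSRFTOKEN."'>";
+      echo "</form>";
+   }
 }
diff --git a/front/ticket.form.php b/front/ticket.form.php
--- a/front/ticket.form.php
+++ b/front/ticket.form.php
@@ -1,3 +1,4 @@
 <?php
+define('DO_NOT_CHECK_HTTP_REFERER', 1);
 include ('../inc/includes.php');
 require_login();
diff --git a/locales/fr_FR.po b/locales/fr_FR.po
--- a/locales/fr_FR.po
+++ b/locales/fr_FR.po
@@ -1,2 +1,2 @@
-msgstr "Ancien"
+msgstr "Nouveau"
 msgstr ""
diff --git a/install/update_083_0831.php b/install/update_083_0831.php
--- /dev/null
+++ b/install/update_083_0831.php
@@ -0,0 +1,2 @@
+<?php
+// schema bump
"""

# Same globs as the filterdiff call in the mail; markers are the identifiers
# the thread names as the CSRF-fix machinery.
EXCLUDE_GLOBS = ("*locales*", "*htmlawed*", "*glpi-0.83.1-empty.sql*", "*update*")
SECURITY_MARKERS = ("closeForm", "HTTP_REFERER", "CSRF")


def split_files(diff_text):
    """Split a git-style diff into (path, chunk) pairs; path is the b/ side."""
    files, path, lines = [], None, []
    for line in diff_text.splitlines(keepends=True):
        if line.startswith("diff --git "):
            if path is not None:
                files.append((path, "".join(lines)))
            new_side = line.split()[3]
            path = new_side[2:] if new_side.startswith("b/") else new_side
            lines = [line]
        elif path is not None:
            lines.append(line)
    if path is not None:
        files.append((path, "".join(lines)))
    return files


def filter_diff(diff_text, exclude_globs):
    """Drop files matching any exclude glob, like 'filterdiff -x'.
    fnmatch lets '*' span '/', so '*locales*' matches 'locales/fr_FR.po'."""
    kept, dropped = [], []
    for path, chunk in split_files(diff_text):
        if any(fnmatch.fnmatchcase(path, g) for g in exclude_globs):
            dropped.append(path)
        else:
            kept.append((path, chunk))
    return kept, dropped


def count_lines(files):
    """Total diff lines across the given (path, chunk) pairs."""
    return sum(chunk.count("\n") for _, chunk in files)


def flag_hunks(files, markers=SECURITY_MARKERS):
    """(path, hunk header, markers) for each hunk whose +/- lines mention a marker.
    The '+++'/'---' file headers precede the first '@@', so they are skipped."""
    flagged = []
    for path, chunk in files:
        header, found = None, set()
        for line in chunk.splitlines():
            if line.startswith("@@"):
                if header is not None and found:
                    flagged.append((path, header, sorted(found)))
                header, found = line, set()
            elif header is not None and line[:1] in ("+", "-"):
                found.update(m for m in markers if m in line)
        if header is not None and found:
            flagged.append((path, header, sorted(found)))
    return flagged


def summarize(diff_text, exclude_globs=EXCLUDE_GLOBS, markers=SECURITY_MARKERS):
    """Line counts before/after trimming plus the hunks a reviewer should read first."""
    kept, dropped = filter_diff(diff_text, exclude_globs)
    return {"raw_lines": count_lines(split_files(diff_text)),
            "kept_lines": count_lines(kept),
            "kept_paths": [p for p, _ in kept],
            "dropped_paths": dropped,
            "flagged": flag_hunks(kept, markers)}


if __name__ == "__main__":
    s = summarize(SAMPLE_DIFF)
    print(f"{s['raw_lines']} raw lines, {s['kept_lines']} after filtering")
    for path, header, found in s["flagged"]:
        print(f"  review first: {path} {header}: {', '.join(found)}")
```

Run against a real `git diff` saved to a file (read it into `summarize`) to get the same ratio Pierre reports by hand; the flagged list is only a starting point, since a hunk that removes a referer check without naming it would not match any marker.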

