Security advisory for Bugzilla 5.0rc1, 4.4.7, 4.2.12, and 4.0.16

Status: RESOLVED FIXED
Priority: --
Severity: blocker
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: dkl, Assigned: dkl)

Attachments

(1 attachment, 2 obsolete attachments)

Description by dkl (Assignee), 4 years ago

One or more security fixes exist for Bugzilla 5.0rc1, 4.4.7, 4.2.12, and 4.0.16 and will need a security advisory.

Updated by dkl (Assignee), 4 years ago
Depends on: 1079065

Updated by dkl (Assignee), 4 years ago
Depends on: 1090275

Comment 1 by dkl (Assignee), 4 years ago

No CVE required for 1090275 as only a small subset of harmless methods were able to be exploited, and the whitelist was added to future-proof any new code changes later. We will note that in the security advisory.

Comment 2 by dkl (Assignee), 4 years ago

Created attachment 8551878 [details]: sec_adv_4.0.15.txt
Attachment #8551878 - Flags: review?(LpSolit)

Comment 3 by dkl (Assignee), 4 years ago

Comment on attachment 8551878 [details]: sec_adv_4.0.15.txt

Sorry. Forgot to add the credits. New version coming up.
Attachment #8551878 - Flags: review?(LpSolit)

Comment 4 by dkl (Assignee), 4 years ago

Created attachment 8551886 [details]: sec_adv_4.0.15_2.txt
Attachment #8551878 - Attachment is obsolete: true
Attachment #8551886 - Flags: review?(LpSolit)

Comment 5, 4 years ago

Comment on attachment 8551886 [details]: sec_adv_4.0.15_2.txt

>* An user with editcomponents permissions could possibly inject system

s/An user/A user/


>Class:       Command Injection
>Versions:    2.17.1 to 4.0.15, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6

I'm not sure about 2.17.1. I would say "All versions before 4.0.16, 4.1.1 to ..."


>Description: Some code in Bugzilla did not properly utilize 3 argument form for

3 arguments (plural)? Also, I think using the present rather than the past to write the sec adv would be better.


>Class:       Information Leak
>Versions:    2.17.1 to 4.0.14, 4.1.1 to 4.2.10, 4.3.1 to 4.4.5, 4.5.1 to 4.5.6

Webservices has been implemented in 2.23.3. Also, all "end" versions are wrong (that's those from an older sec adv).


>             functions from other non-WebService modules. A whitelist has been
>             added that list explicit methods that can be executed via the API.

s/that list/that lists/ ?


>  http://www.bugzilla.org/download/

s/http/https/ Same for other links to bugzilla.org.
Attachment #8551886 - Flags: review?(LpSolit) → review-
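
The advisory text quoted in the comment above attributes the command injection to code that did not use the three-argument form, and describes an explicit whitelist of WebService methods as the mitigation. The following Perl snippet is an added illustration, not code from this bug, the advisory attachment or Bugzilla itself; it assumes the function the truncated line refers to is open(), since that is the Perl call whose two-argument form parses a mode and pipe out of the filename string. The filename, the helper name read_file_safely and the method names in the allow-list are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: a "filename" that a user with enough privilege to
# name things (e.g. a component) could supply. With the two-argument
# open(), a leading or trailing "|" makes Perl treat the string as a
# command to pipe from or to, so this would execute "echo INJECTED".
my $hostile_name = "| echo INJECTED";

# Risky two-argument pattern (shown for contrast only, deliberately not
# executed): the mode is parsed out of the filename string.
#   open(my $fh, $hostile_name) or die "open: $!";

# Hardened form: the mode is its own argument and the third argument is
# taken literally as a path. The hostile string above is then just a
# file that does not exist, and open() fails instead of running anything.
sub read_file_safely {
    my ($path) = @_;
    open(my $fh, '<', $path) or return (undef, "cannot open '$path': $!");
    local $/;                      # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return ($data, undef);
}

for my $name ($hostile_name, $0) {   # $0 is this script: a real, readable path
    my ($data, $err) = read_file_safely($name);
    print defined $err ? "refused: $err\n"
                       : "read " . length($data) . " bytes from '$name'\n";
}

# The second point in the advisory: dispatch API calls only to methods on
# an explicit allow-list, rather than to any sub reachable by name.
# Method names here are constructed for the example, not Bugzilla's list.
my %ALLOWED_METHOD = map { $_ => 1 } qw(Example.get Example.search);

sub dispatch_api_method {
    my ($method) = @_;
    return "denied: $method" unless $ALLOWED_METHOD{$method};
    return "dispatched: $method";
}

print dispatch_api_method($_), "\n" for qw(Example.get Example.internal_helper);
```

The first loop prints a "refused" line for the hostile name and a byte count for the script itself, which is the behaviour the three-argument form guarantees regardless of what characters the input contains. The allow-list check shows the shape of the mitigation described for the WebService bug: reachability is decided by an explicit table, not by whether a sub happens to exist in the module.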

Comment 6 by dkl (Assignee), 4 years ago

Created attachment 8552010 [details]: sec_adv_4.0.15_3.txt

Thanks. Changes applied.
Attachment #8551886 - Attachment is obsolete: true
Attachment #8552010 - Flags: review?(LpSolit)

Comment 7, 4 years ago

Comment on attachment 8552010 [details]: sec_adv_4.0.15_3.txt

r=LpSolit
Attachment #8552010 - Flags: review?(LpSolit) → review+

Comment 8 by dkl (Assignee), 4 years ago

Released
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Updated by dkl (Assignee), 4 years ago
Group: bugzilla-security