It is possible to tell if someone made a private comment on a bug even if you are not in the insidergroup

RESOLVED FIXED in Bugzilla 4.0

Status

Bugzilla
Query/Bug List
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Simon Green, Assigned: Simon Green)

Tracking

Bugzilla 4.0
Bug Flags:
approval +
approval5.0 +
approval4.4 +
approval4.2 +
approval4.0 +

Details

Attachments

(3 attachments, 1 obsolete attachment)

(Assignee)

Description

2 years ago
Steps to reproduce:
1) As a user in the insiders group, make a private comment on a bug
2) As a user not in the insiders group, do a boolean search on 'Comments' 'changed by' '<email address in above step>'

Actual result:
The bug in step 1 is returned

Expected result:
The bug in step 1 is not returned
(Assignee)

Comment 1

2 years ago
Created attachment 8588412 [details] [diff] [review]
bug1151290-40-v1.patch

Patch for v4.0. This version also does not hide private comments when using the changed after / changed before operators.
Attachment #8588412 - Flags: review?(dkl)
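To make the leak in the description concrete, and the "changed after / changed before" variant that comment 1 mentions, here is an added example that is not Bugzilla's code and not the attached patches. It models the Comments "changed by" / "changed after" / "changed before" search over a small in-memory sqlite copy of the longdescs and profiles tables, filled with constructed rows. search_leaky shows the pre-fix query, in which a private comment can cause a bug to match for any searcher; search_fixed adds the isprivate = 0 restriction for searchers outside the insider group, which is the condition the patches introduce. The function names, the sample rows, and the inclusive date bounds are assumptions of this example.

```python
import sqlite3

# Added example, not Bugzilla's own code. Column names follow Bugzilla's
# longdescs/profiles tables; every row below is constructed for this demo.
SAMPLE_SCHEMA_AND_DATA = """
CREATE TABLE profiles (
    userid     INTEGER PRIMARY KEY,
    login_name TEXT NOT NULL
);
CREATE TABLE longdescs (
    comment_id INTEGER PRIMARY KEY,
    bug_id     INTEGER NOT NULL,
    who        INTEGER NOT NULL REFERENCES profiles(userid),
    bug_when   TEXT    NOT NULL,
    isprivate  INTEGER NOT NULL DEFAULT 0
);
INSERT INTO profiles VALUES (1, 'insider@example.com'), (2, 'outsider@example.com');
INSERT INTO longdescs VALUES
    (10, 100, 1, '2015-04-01 10:00:00', 1),  -- private comment by the insider on bug 100
    (11, 200, 1, '2015-04-01 11:00:00', 0),  -- public comment by the insider on bug 200
    (12, 100, 2, '2015-04-01 12:00:00', 0);  -- public comment by the outsider on bug 100
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA_AND_DATA)
    return conn


def _criteria(login, start, end):
    """Translate the search operators into SQL predicates on comment rows.
    'changed by' -> author login; 'changed after' / 'changed before' -> bounds
    on bug_when (inclusive here; an assumption, not Bugzilla's exact semantics)."""
    preds, params = [], []
    if login is not None:
        preds.append("p.login_name = ?")
        params.append(login)
    if start is not None:
        preds.append("l.bug_when >= ?")
        params.append(start)
    if end is not None:
        preds.append("l.bug_when <= ?")
        params.append(end)
    if not preds:
        raise ValueError("at least one of login, start or end is required")
    return preds, params


def _matching_bugs(conn, preds, params, hide_private):
    """Bug ids with at least one comment satisfying every predicate. With
    hide_private set, private comments are excluded from matching altogether,
    so their existence, author and timestamp cannot influence the result."""
    where = list(preds)
    if hide_private:
        where.append("l.isprivate = 0")
    sql = (
        "SELECT DISTINCT l.bug_id FROM longdescs l "
        "JOIN profiles p ON p.userid = l.who "
        "WHERE " + " AND ".join(where) + " ORDER BY l.bug_id"
    )
    return [row[0] for row in conn.execute(sql, params)]


def search_leaky(login=None, start=None, end=None, conn=None):
    """Pre-fix behaviour: private comments match for every searcher."""
    if conn is None:
        conn = open_sample_db()
    preds, params = _criteria(login, start, end)
    return _matching_bugs(conn, preds, params, hide_private=False)


def search_fixed(searcher_is_insider, login=None, start=None, end=None, conn=None):
    """Fixed behaviour: searchers outside the insider group match public comments only."""
    if conn is None:
        conn = open_sample_db()
    preds, params = _criteria(login, start, end)
    return _matching_bugs(conn, preds, params, hide_private=not searcher_is_insider)


if __name__ == "__main__":
    # A non-insider searching for the insider's comments: bug 100 shows up pre-fix.
    print("leaky:", search_leaky(login="insider@example.com"))         # [100, 200]
    print("fixed:", search_fixed(False, login="insider@example.com"))  # [200]
    # The date-range operators have the same problem and get the same fix.
    window = dict(start="2015-04-01 09:00:00", end="2015-04-01 10:30:00")
    print("leaky window:", search_leaky(**window))                     # [100]
    print("fixed window:", search_fixed(False, **window))              # []
```

The point of the fix is that the privacy check is applied inside the comment-matching clause rather than to the returned comment text: a row the searcher is not allowed to read must not be able to pull a bug into the result set at all, whichever operator (author or date) is used to match it.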
(Assignee)

Comment 2

2 years ago
Created attachment 8588413 [details] [diff] [review]
bug1151290-42-v1.patch

Patch for v4.2
Attachment #8588413 - Flags: review?(dkl)
(Assignee)

Comment 3

2 years ago
Created attachment 8588414 [details] [diff] [review]
bug1151290-v1.patch

Patch for 4.4, 5.0 and trunk branches (the first two patch cleanly with offsets)
Attachment #8588414 - Flags: review?(dkl)

Comment 4

2 years ago
You cannot access the content of the comment itself, so this is not a major issue.

It's always been possible to tell that private comments exist, because of the comment numbering scheme. This also leaks who made it, which is not a massive data leak. Still, we should fix it.

Gerv
Severity: major → normal
Comment on attachment 8588412 [details] [diff] [review]
bug1151290-40-v1.patch

Review of attachment 8588412 [details] [diff] [review]:
-----------------------------------------------------------------

Can't locate object method "_user" via package "Bugzilla::Search" at Bugzilla/Search.pm line 1609.
 at Bugzilla/Search.pm line 1609.
	Bugzilla::Search::_long_desc_changedby('Bugzilla::Search=HASH(0x3069e58)', 'multi_fields', 'ARRAY(0x27401b8)', 'sequence', 'SCALAR(0x276e590)', 'wherepart', 'ARRAY(0x273ff60)', 'having', 'ARRAY(0x273ff90)', ...) called at Bugzilla/Search.pm line 1165
	Bugzilla::Search::do_search_function('Bugzilla::Search=HASH(0x3069e58)', 'HASH(0x2f1a4b0)') called at Bugzilla/Search.pm line 968
	Bugzilla::Search::init('Bugzilla::Search=HASH(0x3069e58)') called at Bugzilla/Search.pm line 414
	Bugzilla::Search::new('Bugzilla::Search', 'fields', 'ARRAY(0x2b41440)', 'params', 'Bugzilla::CGI=HASH(0x2e8eb88)', 'order', 'ARRAY(0x2b4db10)') called at /home/bugzilla/devel/htdocs/1151290/buglist.cgi line 832
Attachment #8588412 - Flags: review?(dkl) → review-
Comment on attachment 8588413 [details] [diff] [review]
bug1151290-42-v1.patch

Review of attachment 8588413 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8588413 - Flags: review?(dkl) → review+
Comment on attachment 8588414 [details] [diff] [review]
bug1151290-v1.patch

Review of attachment 8588414 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8588414 - Flags: review?(dkl) → review+

Updated

2 years ago
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Flags: approval4.2?
(Assignee)

Comment 9

2 years ago
Created attachment 8591286 [details] [diff] [review]
patch for v4.0
Attachment #8588412 - Attachment is obsolete: true
Attachment #8591286 - Flags: review?(dkl)
Comment on attachment 8591286 [details] [diff] [review]
patch for v4.0

Review of attachment 8591286 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8591286 - Flags: review?(dkl) → review+

Updated

2 years ago
Flags: approval4.0?
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Target Milestone: --- → Bugzilla 4.0
dveditz, we feel this is more of a 'security enhancement' than a critical issue, as it only gives away the existence of a private comment and not the actual content. Do you feel it warrants a CVE ID before we release this?

Thanks
dkl
Flags: needinfo?(dveditz)
We already leaked the existence of the private comments as Gerv noted. This bug doesn't really leak the name of the commenter unless that is the only comment they made in the bug, or if you do a brute-force search of names against the time-range bounded by the previous and next comments in that bug. I don't think this rates a CVE.
Flags: needinfo?(dveditz)
Went ahead and committed this as we want it included in 4.4.9 and 5.0rc3, which are being put together now.

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   3961356..877ef5c  4.0 -> 4.0

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   6cfdba0..feca0d8  4.2 -> 4.2

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   fc4a6dd..d445f63  4.4 -> 4.4

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   74d7fca..b09ffb6  5.0 -> 5.0

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   0bcbc0f..802a5cc  master -> master

dkl
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Updated

2 years ago
Summary: It is possible to tell if someone made a private comment on a bug even if you are not an 'insider' → It is possible to tell if someone made a private comment on a bug even if you are not in the insidergroup