Closed Bug 157704 Opened 22 years ago Closed 22 years ago

if you delete a product when usebuggroups is ON, administrator's right may change

Categories

(Bugzilla :: User Accounts, defect)

2.14.1
x86
Windows 2000
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: ravishk, Assigned: justdave)

Details

(Whiteboard: [fixed in 2.16.3][doesn't exist on trunk])

Attachments

(1 file)

Hi There 

I was going through Bugzilla code. I found one bug in "editproducts.cgi".

fileName: editproducts.cgi # LineNumber : 651 "AND (groupset != 9223372036854710271)");

but as per my knowledge and as defined in globals.pl Admin bit number is 
9223372036854775807

So I think it can change admin's rights while deleting a product when 
usebuggroups is ON.

Correct me if I am wrong.

Thanks & Regards
R K Singh
This looks like a real error.

The only difference between these values is that the value in editproducts.cgi
is missing the 2^16 bit.  

I'll be happy to make a patch if it is OK to write/submit a patch where the
benefit is seen only by inspection and it is tested just to make sure it doesn't
break anything.
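As an added illustration (not code from this bug, from the attached patch, or from Bugzilla itself), the following Python model shows what the two comments above are pointing at: Bugzilla 2.14/2.16 kept each user's group membership in a 64-bit `groupset` bitmask, product deletion cleared the product's group bit from every user whose groupset was not the admin value, and a wrong admin constant means the real administrator's row no longer matches the exclusion, so the bit is cleared from the admin too. The constant names, the `remove_group` helper, and the sample users are assumptions made up for this model; only the two numeric values come from the report.

```python
# Added model of the groupset handling discussed in bug 157704; not Bugzilla code.
# The two constants are the values quoted in the report; everything else is constructed.

ADMIN_GROUPSET = 9223372036854775807   # 2**63 - 1: the admin value the reporter cites from globals.pl
WRONG_CONSTANT = 9223372036854710271   # the literal the reporter found at editproducts.cgi line 651

PRODUCT_BIT = 1 << 5                   # assumed: the bug group owned by the product being deleted

# Constructed sample profiles: one administrator and two ordinary users.
USERS = {
    "admin": ADMIN_GROUPSET,
    "alice": (1 << 5) | (1 << 7),      # member of the product group and one other group
    "bob": 1 << 7,                     # not a member of the product group
}


def missing_bits(correct, actual):
    """Bit positions set in `correct` but clear in `actual` (here: which bit the typo dropped)."""
    diff = correct & ~actual
    return [i for i in range(64) if (diff >> i) & 1]


def remove_group(groupsets, bit, admin_mask):
    """Model of the product-delete step: clear `bit` from every groupset that has it,
    except the row equal to `admin_mask`, i.e. the SQL shape
    'WHERE (groupset & bit) AND (groupset != admin_mask)'. Returns a new dict."""
    result = {}
    for user, gs in groupsets.items():
        if gs & bit and gs != admin_mask:
            gs &= ~bit                 # same effect as 'groupset - bit' when the bit is set
        result[user] = gs
    return result


def admin_keeps_privs(admin_mask):
    """True if the administrator's groupset survives a product deletion unchanged."""
    after = remove_group(USERS, PRODUCT_BIT, admin_mask)
    return after["admin"] == ADMIN_GROUPSET


if __name__ == "__main__":
    print("bit dropped by the typo:", missing_bits(ADMIN_GROUPSET, WRONG_CONSTANT))
    print("admin intact with correct constant:", admin_keeps_privs(ADMIN_GROUPSET))
    print("admin intact with wrong constant:  ", admin_keeps_privs(WRONG_CONSTANT))
```

With the correct constant the administrator's row is skipped and only alice loses the product's bit; with the wrong constant the administrator's groupset no longer equals the exclusion value, so the delete silently strips one group from the admin as well. That is the privilege-loss outcome (not a privilege gain) that the later comments weigh when deciding this needs a fix but no advisory.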
Use $::admingroupset from globals.pl (or whatever the var is called)
Is this even still an issue?  I think the groups rewrite fixed this (since
there's a separate admin group which is inherited now instead of the admin being
a member of every group)
joel: ping (see comment #3)
This would only impact the old bugzillas.  The new group system already takes
this into account during conversion.  So, unless someone wants to fix this on
the 2.16 branch, there is no change to make.
although it's admittedly a minor thing, it does meet the qualifications of a
security problem, since the admin could accidentally change his own privs.  And
the timing is perfect since we're going to be doing a 2.16.3 release shortly anyway.
Whiteboard: [want for 2.16.3]
Target Milestone: --- → Bugzilla 2.16
This patch is against version 2.16.2.  Do note that as mentioned in earlier
comments, this problem is not present in 2.17.
Attachment #114120 - Flags: review?(bugreport)
Whiteboard: [want for 2.16.3] → [want for 2.16.3][doesn't exist on trunk]
Attachment #114120 - Flags: review?(bugreport) → review+
From the standpoint of being worth an update, it should be included.  There is
no reason I can see for an advisory, though.  This lets an admin lose privs
rather than creating a hole.
mine
Assignee: myk → justdave
Flags: approval+
Checked in on BUGZILLA-2_16-BRANCH

Checking in editproducts.cgi;
/cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v  <--  editproducts.cgi
new revision: 1.24.2.3; previous revision: 1.24.2.2
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [want for 2.16.3][doesn't exist on trunk] → [fixed in 2.16.3][doesn't exist on trunk]
QA Contact: matty_is_a_geek → default-qa
