Closed Bug 389843 Opened 13 years ago Closed 13 years ago

Security Advisory for 2.20.5, 2.22.3, 3.0.1, and 3.1.1

Product/Component: Bugzilla :: bugzilla.org
Version: 2.20.4
Type: defect
Priority: Not set
Severity: blocker

Status: RESOLVED FIXED
Reporter: LpSolit
Assignee: LpSolit


Attachments (1 file, 1 obsolete file): Sec Adv, v2; 3.45 KB, text/plain; mkanat: review+
3 security bugs will be fixed. We need a sec adv for them.
Attached file Sec Adv, v1 (obsolete) —
I'm not quite sure about the 2nd issue, especially its class and the kind of damage it can do.
Assignee: website → LpSolit
Status: NEW → ASSIGNED
Attachment #276935 - Flags: review?(mkanat)
Comment on attachment 276935 [details]
Sec Adv, v1

>+ Users using the WebService interface may access time-related data they
>  are not allowed to read.

  Let's make that:

  Users using the WebService interface may access Bugzilla's time-tracking fields even if they normally cannot see them.

>Description: Bugzilla does not properly escape the 'buildid' field in
>             the guided form when filing bugs. From 2.17.1 till 2.23.3,
>             this field was based exclusively on the User-Agent string
>             returned by your web browser, which may be considered as
>             safe or not.

  Don't put "which may be considered as safe or not"; security folks will be unhappy with that, as it's never safe.

> Since 2.23.4, this parameter can be defined
>             in the URL passed to enter_bug.cgi, overwriting the
>             User-Agent string and may lead to cross-site scripting.

  Mention also:

  The guided form is not usually used by Bugzilla installations, as it is shipped only as an example to be modified for their own use.


>Issue 2
>-------
>Class:       Manipulation Of Data

  "Command Injection" I believe.

>Versions:    2.23.4 and above
>Description: Bugzilla 2.23.4 and newer use the Email:: modules instead
>             of the Mail:: and MIME:: ones. The argument passed to the -f
>             option of Email::Send::Sendmail() is insufficiently escaped
>             and may lead to arbitrary code execution

  "limited command injection" instead of "arbitrary code execution". (The commands you can run are very limited, but you can still run commands.)

> when called from
>             email_in.pl, a script which has also been introduced in 2.23.4.

  "was" instead of "has also been".

>Description: WebService allows you to get data from a Bugzilla installation
>             using XML-RPC. Time-related data of bugs are returned in all
>             cases, even when the user asking for these data does not have
>             the required privileges.

  "Bugzilla's WebService (XML-RPC) interface allows you to access the time-tracking fields (such as Deadline, Estimated Time, etc.) on all bugs, even if you normally cannot access time-tracking fields."

>Full release downloads, patches to upgrade Bugzilla from previous
>versions, and CVS upgrade instructions are available at:
>
>  http://www.bugzilla.org/download.html

  http://www.bugzilla.org/download/

  Otherwise, looks great! :-) Thank you!
Attachment #276935 - Flags: review?(mkanat) → review-
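The "limited command injection" in Issue 2 comes from handing an attacker-supplied envelope sender to sendmail's -f option through a shell. The following Perl is an added illustration of that pattern and its fix; it is not Bugzilla's code and not the code of Email::Send::Sendmail or email_in.pl. The sendmail path and flags, the allow-list regex, the helper names and the sample addresses are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added illustration of the -f (envelope sender) injection pattern and its
# fix. NOT Bugzilla's or Email::Send::Sendmail's code; the sendmail path,
# flags, regex and sample addresses are assumptions for this example.
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';   # assumed path

# Allow-list check for an envelope sender. RFC 5322 permits shell
# metacharacters such as ` $ | & in the local part, so validation alone
# is not a fix: the address must also never reach /bin/sh.
sub valid_envelope_sender {
    my ($addr) = @_;
    return defined $addr
        && length($addr) <= 254
        && $addr =~ /\A[A-Za-z0-9!#\$%&'*+\/=?^_`{|}~.-]+\@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+\z/;
}

# VULNERABLE: the one-string pipe open hands the command line to /bin/sh
# whenever it contains shell metacharacters. A sender taken from an
# inbound mail's From: header such as "a@example.com;id" or
# "a`id`@example.com" is no longer one argument; the shell runs the
# embedded command with sendmail's privileges.
sub send_vulnerable {
    my ($from, $message) = @_;
    open(my $mail, "|$SENDMAIL -i -t -f$from")
        or die "cannot run sendmail: $!\n";
    print {$mail} $message;
    close $mail;
}

# FIXED: validate first, then use the list form of open. Perl execs
# $SENDMAIL directly with each element as one argv entry, so no shell
# ever sees $from, whatever characters it contains.
sub sendmail_argv {
    my ($from) = @_;
    die "refusing unsafe envelope sender: $from\n"
        unless valid_envelope_sender($from);
    return ($SENDMAIL, '-i', '-t', '-f', $from);
}

sub send_fixed {
    my ($from, $message) = @_;
    my @argv = sendmail_argv($from);
    open(my $mail, '|-', @argv)
        or die "cannot run sendmail: $!\n";
    print {$mail} $message;
    close $mail or die "sendmail failed, exit status ", $? >> 8, "\n";
}

# Driver: show what each sender becomes, without sending anything.
# Expected: the first is accepted; the second is rejected (';' is not
# allowed in a domain); the third passes the allow-list, which is exactly
# why the list-form open matters: as one argv element the backticks are
# inert.
unless (caller) {
    for my $from ('user@example.com', 'a@example.com;id', 'a`id`@example.com') {
        my @argv = eval { sendmail_argv($from) };
        if (@argv) {
            print "accepted: argv = [", join('] [', @argv), "]\n";
        } else {
            print "rejected: $@";
        }
    }
    # send_fixed('user@example.com', "To: bz\@example.com\n\nhi\n") would
    # actually invoke sendmail; the message here is constructed sample input.
}
```

The design point is that escaping the string for the shell is the wrong tool: the fix is to remove the shell from the path entirely (list-form open, or the equivalent argv interface of the mail library in use) and keep the allow-list as defence in depth, not as the primary control.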
Attached file Sec Adv, v2
Attachment #276935 - Attachment is obsolete: true
Attachment #277027 - Flags: review?(mkanat)
Comment on attachment 277027 [details]
Sec Adv, v2

Looks great! Thanks! :-)
Attachment #277027 - Flags: review?(mkanat) → review+
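Issue 3 in the approved advisory is an authorization gap at the serialization boundary: the XML-RPC methods returned time-tracking fields regardless of who asked. The Perl below is an added illustration of where such a check belongs; it is not Bugzilla's WebService code. The field names, the group that grants access, the user and bug structures and the sample data are assumptions for the example.

```perl
#!/usr/bin/perl
# Added illustration of filtering time-tracking fields when a bug is
# serialised for a WebService caller. NOT Bugzilla's code; field names,
# group name, data structures and sample data are assumptions.
use strict;
use warnings;

my $TIMETRACKING_GROUP  = 'editbugs';   # assumed name of the privileged group
my @TIMETRACKING_FIELDS = qw(estimated_time remaining_time actual_time deadline);

# A user is a hashref { login => ..., groups => [ ... ] }; membership in
# the time-tracking group is what grants access to the fields.
sub can_see_timetracking {
    my ($user) = @_;
    return scalar grep { $_ eq $TIMETRACKING_GROUP } @{ $user->{groups} || [] };
}

# BEFORE: every stored field goes out to the caller, whoever they are.
sub bug_to_hash_unfiltered {
    my ($bug, $user) = @_;
    return { %$bug };
}

# AFTER: the hash is copied and the restricted keys are deleted for
# callers outside the group. Deleting rather than blanking the keys means
# a caller cannot distinguish a hidden value from an unset one.
sub bug_to_hash {
    my ($bug, $user) = @_;
    my %out = %$bug;
    delete @out{@TIMETRACKING_FIELDS} unless can_see_timetracking($user);
    return \%out;
}

# Any method that returns several bugs inherits the check by going
# through bug_to_hash for each one, so there is a single place to audit.
sub get_bugs {
    my ($user, @bugs) = @_;
    return [ map { bug_to_hash($_, $user) } @bugs ];
}

unless (caller) {
    # Constructed sample data.
    my @bugs = (
        { id => 1, summary => 'crash on startup', estimated_time => 8,
          remaining_time => 3, actual_time => 5, deadline => '2007-09-01' },
        { id => 2, summary => 'typo in docs', estimated_time => 1,
          remaining_time => 1, actual_time => 0, deadline => undef },
    );
    my $tracker = { login => 'alice', groups => ['editbugs'] };
    my $plain   = { login => 'bob',   groups => [] };
    for my $user ($tracker, $plain) {
        for my $bug (@{ get_bugs($user, @bugs) }) {
            printf "%s sees bug %d: %s\n", $user->{login}, $bug->{id},
                join(', ', sort keys %$bug);
        }
    }
}
```

Putting the check in the serializer rather than in each individual XML-RPC method is what keeps a later method from reintroducing the leak; the same structure applies to any other field whose visibility depends on group membership.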
Okay, sent to support-bugzilla, announce@, and BugTraq.
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED