Closed Bug 515454 Opened 13 years ago Closed 13 years ago

Security Advisory for Bugzilla 3.0.9, 3.2.5, and 3.4.2

Categories: Bugzilla :: bugzilla.org
Type: defect
Priority: Not set
Severity: blocker
Status: RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: mkanat)

Attachments

(1 file, 4 obsolete files)

There are some very critical security bugs we are going to fix in the coming releases, plus some less critical ones; see the dependency list.
Summary: Security Advisory for Bugzilla 3.0.9, 3.2.5, 3.4.2 and 3.5.1 → Security Advisory for Bugzilla 3.0.9, 3.2.5, and 3.4.2
I'm just going to assume that bug 314871 (which is a very minor issue) isn't going to make this release, because we have a lot of other work to do for the release, and I don't want to check in too many security bugs at once and have various unknown regressions from their interactions.
No longer depends on: CVE-2009-3989
Attached file v1 (No CVEs) (obsolete) —
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #399611 - Flags: review?(LpSolit)
Component: Bugzilla-General → bugzilla.org
Use CVE-2009-3125 for the first SQL injection vuln. I've put in a follow-up request for two more. Hopefully, will have them either later tonight or tomorrow, but I wouldn't hold the release for them, if it needs to be rushed.
Attached file v2 (obsolete) —
Here's a second version. This one has the first CVE that reed has given us, and also has a note that you can just apply the security patches if you need to.
Attachment #399611 - Attachment is obsolete: true
Attachment #399637 - Flags: review?(LpSolit)
Attachment #399611 - Flags: review?(LpSolit)
No longer depends on: 513593, 515328
Comment on attachment 399637 [details]
v2

>Versions:    3.3.2 to 3.4.2, 3.5

to 3.4.1


>Class:       SQL Injection
>Versions:    

You forgot to fill in Versions.


>Versions:    2.23.4 to 3.0.8, 3.1.1 to 3.2.4, 3.3.1 to 3.4.1

I don't know which bug regressed this. Which one is this? I don't think the 3.0.x and 3.2.x branches are affected as you cannot log in from the token.cgi page itself.


>The fix for this issue in is included in the 3.4.2, 3.2.5, and 3.0.9

There are several fixes and issues.
Attachment #399637 - Flags: review?(LpSolit) → review-
Attached file v3 (obsolete) —
Attachment #399637 - Attachment is obsolete: true
Attachment #399912 - Flags: review?(LpSolit)
Attached file v4 (obsolete) —
I added a note that you can't insert additional statements with semicolons (because this information may be useful for press or security institutions who are writing about this vulnerability), and also re-worded some information to make it clear that this *is* exploitable, just not (as far as we know) to delete or modify existing data.
Attachment #399912 - Attachment is obsolete: true
Attachment #399917 - Flags: review?(LpSolit)
Attachment #399912 - Flags: review?(LpSolit)
Comment on attachment 399917 [details]
v4

>Class:       Sensitive Data Exposure
>Versions:    3.4rc1 to 3.4.1

The mini-login form has been introduced in bug 476090, meaning that 3.3.4 is also affected.

r=LpSolit with s/3.4rc1/3.3.4/.
Attachment #399917 - Flags: review?(LpSolit) → review+
(In reply to comment #8)
> The mini-login form has been introduced in bug 476090, meaning that 3.3.4 is
> also affected.

  No, it's caused by the fact that param() is including both GET and POST variables, which means they get included in -query => 1, which started happening in rc1.
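The mechanism described in the comment above, as an added example that is not Bugzilla's own code: with CGI.pm, param() presents GET and POST parameters as a single namespace, so a password POSTed by a login form is serialised by query_string() (which url(-query => 1) appends to the script URL) unless it is removed first. The field names Bugzilla_login and Bugzilla_password, the bug id, and the request state built from a hash are assumed for illustration; in a live request the same merged state arises from a POST body plus the page's QUERY_STRING.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: CGI.pm's param() merges GET and POST
# parameters, so a POSTed password lands in any URL rebuilt from the
# current parameters (query_string(), and hence url(-query => 1)).
use strict;
use warnings;
use CGI;

# Constructed request state (assumed for illustration): the bug id the
# user was viewing plus the two fields a mini-login form would POST.
my $q = CGI->new({
    id                => '515454',
    Bugzilla_login    => 'user@example.com',
    Bugzilla_password => 'hunter2',
});

# Unsafe: nothing distinguishes the POSTed credentials from the GET
# parameter, so the password is written into the query string, and from
# there into the address bar, Referer headers and web server logs.
my $leaky = $q->query_string;
print "leaky:    $leaky\n";

# Safer: drop credential fields from a copy before building a
# self-referencing URL. CGI->new($obj) clones an existing query object.
sub scrubbed_query_string {
    my ($cgi, @secret_fields) = @_;
    my $copy = CGI->new($cgi);
    $copy->delete($_) for @secret_fields;
    return $copy->query_string;
}

my $safe = scrubbed_query_string($q, qw(Bugzilla_login Bugzilla_password));
print "scrubbed: $safe\n";
```

The first line printed contains Bugzilla_password=hunter2; the second carries only id=515454. The same scrubbing is needed anywhere a page is redirected or reloaded with its parameters preserved, because CGI.pm will not filter POST-only fields out on its own.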
CVE-2009-3125 SQL Injection in Bug.search

CVE-2009-3165 SQL Injection in Bug.create

CVE-2009-3166 Sensitive Data Exposure
Attached file v5 (All CVEs Included)
Attachment #399917 - Attachment is obsolete: true
Attachment #400055 - Flags: review+
Security advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED