Bug 577139 - (CVE-2010-2758) [SECURITY] request.cgi and duplicates.cgi let you know whether a product exists or not
Status: RESOLVED FIXED
Whiteboard: [4.0/4.2 fixed by bug 519835]
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 2.17.1
Platform: All All
Importance: -- minor
Target Milestone: Bugzilla 3.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
Blocks: 580214
Reported: 2010-07-06 13:04 PDT by Frédéric Buclin
Modified: 2010-08-05 21:39 PDT
LpSolit: approval3.6+
LpSolit: blocking3.6.2+
LpSolit: approval3.4+
LpSolit: blocking3.4.8+
LpSolit: approval3.2+
LpSolit: blocking3.2.8+


Attachments
patch for 3.2 and 3.4, v1 (3.59 KB, patch)
2010-07-06 14:05 PDT, Frédéric Buclin
mkanat: review+
patch for 3.6, v1 (661 bytes, patch)
2010-07-07 03:59 PDT, Frédéric Buclin
mkanat: review+

Description Frédéric Buclin 2010-07-06 13:04:01 PDT
Bugzilla::Product::check_product() throws an error if you pass a product name which doesn't exist, letting the user know whether it's a valid product name or not.

This is going to be fixed in Bugzilla 4.2 as part of bug 519835.
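
The leak described above, as an added example that is not Bugzilla's code or the attached patch: a lookup that reports "no such product" separately from "access denied" lets a caller tell the two cases apart, while a single shared error does not. The product table, group name, function names and error wording are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: product name => groups allowed to see it.
my %PRODUCTS = (
    'Public Tracker' => [],               # visible to everyone
    'Secret Project' => ['core-team'],    # restricted to one group
);

# Hypothetical helper: true if the product exists and the user's groups
# (array ref) grant access to it.
sub can_see {
    my ($name, $groups) = @_;
    my $required = $PRODUCTS{$name} or return 0;
    return 1 unless @$required;
    my %have = map { $_ => 1 } @$groups;
    return scalar grep { $have{$_} } @$required;
}

# Leaky pattern: the existence check fails with its own message before
# the access check runs, so "missing" and "hidden" are distinguishable.
sub lookup_leaky {
    my ($name, $groups) = @_;
    die "The product does not exist.\n" unless exists $PRODUCTS{$name};
    die "You are not allowed to access this product.\n"
        unless can_see($name, $groups);
    return $name;
}

# Hardened pattern: one message covers both "missing" and "hidden".
sub lookup_uniform {
    my ($name, $groups) = @_;
    die "The product does not exist or you cannot access it.\n"
        unless can_see($name, $groups);
    return $name;
}

# Compare what a user with no groups sees for a restricted product and
# for a name that was never created.
for my $case (['leaky', \&lookup_leaky], ['uniform', \&lookup_uniform]) {
    my ($label, $lookup) = @$case;
    my @err;
    for my $name ('Secret Project', 'No Such Product') {
        eval { $lookup->($name, []); 1 } or push @err, $@;
    }
    printf "%-8s errors differ: %s\n", $label,
        ($err[0] ne $err[1] ? 'yes' : 'no');
}
```
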
Comment 1 Frédéric Buclin 2010-07-06 14:03:47 PDT
duplicates.cgi is also vulnerable, at least in 3.2.
Comment 2 Frédéric Buclin 2010-07-06 14:05:07 PDT
Created attachment 456194
patch for 3.2 and 3.4, v1

Here is the patch for 3.2. I didn't want to create a new constant as it's for branches only.
Comment 3 Max Kanat-Alexander 2010-07-06 14:30:48 PDT
Comment on attachment 456194
patch for 3.2 and 3.4, v1

This looks right.

For newer branches you should just be able to use check().
Comment 4 Frédéric Buclin 2010-07-06 14:35:07 PDT
(In reply to comment #3)
> For newer branches you should just be able to use check().

For 3.6, I think so. But 3.4 has no custom check() method (which is needed to override the error message).
Comment 5 Max Kanat-Alexander 2010-07-06 15:11:32 PDT
(In reply to comment #4)
> For 3.6, I think so. But 3.4 has no custom check() method (which is needed to
> override the error message).

Ah, okay.
Comment 6 Frédéric Buclin 2010-07-06 18:47:18 PDT
Comment on attachment 456194
patch for 3.2 and 3.4, v1

The same patch applies and works for 3.2 and 3.4.
Comment 7 Frédéric Buclin 2010-07-06 18:48:01 PDT
It will be ready on time for the next releases.
Comment 8 Frédéric Buclin 2010-07-06 19:15:28 PDT
I finally checked in bug 519835 in 4.0, so Bugzilla 3.7.3 doesn't need to be fixed in this bug. duplicates.cgi was already fixed since Bugzilla 3.6rc1 thanks to bug 514970.

Both request.cgi and duplicates.cgi were affected since Bugzilla 2.17.1.
Comment 9 Frédéric Buclin 2010-07-07 03:59:56 PDT
Created attachment 456259
patch for 3.6, v1

Bugzilla 3.6 has a custom check() method in Product.pm, which throws the appropriate error. So we can use it here.
Comment 10 Max Kanat-Alexander 2010-07-07 18:59:49 PDT
Comment on attachment 456259
patch for 3.6, v1

Yeah, obviously correct. :-)
Comment 11 Frédéric Buclin 2010-08-04 15:00:42 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified request.cgi
Committed revision 7159.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6773.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6394.
Comment 12 Max Kanat-Alexander 2010-08-05 21:39:57 PDT
Security advisory sent, unlocking bug.