Bug 577139 (CVE-2010-2758)

[SECURITY] request.cgi and duplicates.cgi let you know whether a product exists or not

RESOLVED FIXED in Bugzilla 3.2

Status


Bugzilla
Attachments & Requests
--
minor
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

2.17.1
Bugzilla 3.2
Bug Flags:
approval3.6 +
blocking3.6.2 +
approval3.4 +
blocking3.4.8 +
approval3.2 +
blocking3.2.8 +

Details

(Whiteboard: [4.0/4.2 fixed by bug 519835])

Attachments

(2 attachments)

(Assignee)

Description

7 years ago
Bugzilla::Product::check_product() throws an error if you pass a product name which doesn't exist, letting the user know whether it's a valid product name or not.

This is going to be fixed in Bugzilla 4.2 as part of bug 519835.
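
The existence oracle described in this report, as an added illustration; it is not Bugzilla code and not taken from either attached patch. The product table, helper names and error wording are all hypothetical, and the "leaky" lookup generalizes the reported behaviour to any check that reports a missing name differently from a name the user may not see.

```perl
use strict;
use warnings;

# Constructed sample data: product name => groups allowed to see it.
my %PRODUCTS = (
    'Public Tracker' => [],                # visible to everyone
    'Secret Project' => ['secret-team'],   # restricted
);

# Hypothetical helper: can a user holding @$groups see product $name?
sub can_see {
    my ($name, $groups) = @_;
    my @required = @{ $PRODUCTS{$name} };
    return 1 unless @required;
    my %have = map { $_ => 1 } @$groups;
    return (grep { $have{$_} } @required) ? 1 : 0;
}

# Leaky pattern: a missing name gets its own error, so the wording of
# the response reveals whether the requested product exists.
sub lookup_leaky {
    my ($name, $groups) = @_;
    die "Product '$name' does not exist.\n" unless exists $PRODUCTS{$name};
    die "You are not allowed to access product '$name'.\n"
        unless can_see($name, $groups);
    return $name;
}

# Uniform pattern: one error covers both "missing" and "not visible".
sub lookup_uniform {
    my ($name, $groups) = @_;
    return $name if exists $PRODUCTS{$name} && can_see($name, $groups);
    die "Either product '$name' does not exist or you cannot access it.\n";
}

# A user with no groups requests a restricted name and a nonexistent one.
for my $case (['leaky', \&lookup_leaky], ['uniform', \&lookup_uniform]) {
    my ($label, $lookup) = @$case;
    my @errors;
    for my $name ('Secret Project', 'No Such Product') {
        eval { $lookup->($name, []); 1 } or push @errors, $@;
    }
    s/'[^']*'/'NAME'/ for @errors;   # compare wording, not the echoed name
    print "$label: ", ($errors[0] eq $errors[1]
        ? "same error for both names\n"
        : "errors differ, so existence is disclosed\n");
}
```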

Updated

7 years ago
Severity: normal → minor
(Assignee)

Comment 1

7 years ago
duplicates.cgi is also vulnerable, at least in 3.2.
Summary: [SECURITY] request.cgi lets you know whether a product exists or not → [SECURITY] request.cgi and duplicates.cgi let you know whether a product exists or not
(Assignee)

Comment 2

7 years ago
Created attachment 456194
patch for 3.2 and 3.4, v1

Here is the patch for 3.2. I didn't want to create a new constant as it's for branches only.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #456194 - Flags: review?(mkanat)

Comment 3

7 years ago
Comment on attachment 456194
patch for 3.2 and 3.4, v1

This looks right.

For newer branches you should just be able to use check().
Attachment #456194 - Flags: review?(mkanat) → review+
(Assignee)

Comment 4

7 years ago
(In reply to comment #3)
> For newer branches you should just be able to use check().

For 3.6, I think so. But 3.4 has no custom check() method (which is needed to override the error message).

Comment 5

7 years ago
(In reply to comment #4)
> For 3.6, I think so. But 3.4 has no custom check() method (which is needed to
> override the error message).

  Ah, okay.
(Assignee)

Comment 6

7 years ago
Comment on attachment 456194
patch for 3.2 and 3.4, v1

The same patch applies and works for 3.2 and 3.4.
Attachment #456194 - Attachment description: patch for 3.2, v1 → patch for 3.2 and 3.4, v1
(Assignee)

Comment 7

7 years ago
It will be ready on time for the next releases.
Flags: blocking4.0+
Flags: blocking3.6.2+
Flags: blocking3.4.8+
Flags: blocking3.2.8+
Flags: approval3.4?
Flags: approval3.2?
(Assignee)

Comment 8

7 years ago
I finally checked in bug 519835 in 4.0, so Bugzilla 3.7.3 doesn't need to be fixed in this bug. duplicates.cgi was already fixed since Bugzilla 3.6rc1 thanks to bug 514970.

Both request.cgi and duplicates.cgi were affected since Bugzilla 2.17.1.
Flags: blocking4.0+
Whiteboard: [4.0/4.2 fixed by bug 519835]
Version: 3.7 → 2.17.1
(Assignee)

Comment 9

7 years ago
Created attachment 456259
patch for 3.6, v1

Bugzilla 3.6 has a custom check() method in Product.pm, which throws the appropriate error. So we can use it here.
Attachment #456259 - Flags: review?(mkanat)

Updated

7 years ago
Attachment #456259 - Flags: review?(mkanat) → review+

Comment 10

7 years ago
Comment on attachment 456259
patch for 3.6, v1

Yeah, obviously correct. :-)

Updated

7 years ago
Flags: approval3.6?
(Assignee)

Updated

7 years ago
Blocks: 580214
Alias: CVE-2010-2758
(Assignee)

Updated

7 years ago
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
(Assignee)

Comment 11

7 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified request.cgi
Committed revision 7159.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6773.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6394.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 12

7 years ago
Security advisory sent, unlocking bug.
Group: bugzilla-security