Closed Bug 580214 Opened 9 years ago Closed 9 years ago

Security Advisory for Bugzilla 3.7.3, 3.6.2, 3.4.8 and 3.2.8

Categories

(Bugzilla :: Bugzilla-General, defect, blocker)

RESOLVED FIXED

People

(Reporter: LpSolit, Assigned: LpSolit)

Attachments

(1 file, 2 obsolete files)

We have three security bugs ready for checkin: bug 417048, bug 450013 and bug 577139.
and a fourth one is coming... bug 583690
Depends on: CVE-2010-2759
Attached file sec adv, v1 (obsolete)
Here is a first shot. I had no great idea for the "Class" name of each vulnerability.
Assignee: general → LpSolit
Status: NEW → ASSIGNED
Attachment #462532 - Flags: review?(mkanat)
Comment on attachment 462532 [details]
sec adv, v1

>* Everybody could search for group membership information, using
>  boolean charts in queries.

  Hmm. Instead let's say:

  It was possible to (at least partially) determine the membership of any group using the Search interface.

>* The 'Reports' and 'Duplicates' pages let you guess the name
>  of products you cannot see thanks to the error message being
>  thrown.

  Instead of "cannot see thanks", let's say, "could not see, due to"

  And "error message that was" instead of "error message being".

>* Inserting a too large bug or attachment ID in a bug comment
>  made PostgreSQL crash, preventing the bug to be viewed anymore.

  Specifying "bug X" or "attachment X" in a comment would deny access to the bug if X was larger than the maximum 32-bit signed integer size.

>Class:       Security Bypass

  Hmm, yeah, that one's tough to say what it should be. Maybe "Notification Bypass"?

>Description: When a user is being impersonated, he receives an email
>             with the identity of the user impersonating him.
>             If a cookie can be injected with the victim user ID,
>             it's possible to prevent the email from being sent,
>             and so the user gets no notification. The cookie now
>             contains a token instead of the user ID. Note that users
>             who cannot normally be impersonated are not affected.

  Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent.

>Description: Bugzilla normally doesn't disclose whether a product
>             does not exist or is not visible to a user. The "Reports"
>             and "Duplicates" pages could disclose this information
>             using a crafted URL. Note that the "Duplicates" page
>             is not vulnerable since Bugzilla 3.6rc1.

  An error message being thrown by the "Reports" and "Duplicates" page confirmed the non-existence of products, thus allowing users to guess confidential product names. (Note that the "Duplicates" page was not vulnerable in Bugzilla 3.6rc1 and above though.)

>Class:       Denial of Service
>Description: If you type a comment containing a bug ID or an
>             attachment ID which exceeds the biggest integer allowed
>             by the PostgreSQL DB server, the server crashes. This
>             prevents the bug report from being viewed or edited
>             for all users.

  If a comment contained the phrases "bug X" or "attachment X", where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. This only affects Bugzilla installations running on PostgreSQL 8.3 or higher, not any other database.

>Vulnerability Solutions
>=======================
>
>The fix for these issues are included in the 3.2.8, 3.4.8, 3.6.2, and

  The fixes

>3.7.3 releases. Upgrading to a release with the relevant fix will

  fixes

>protect your installation from possible exploits of this issue.

  these issues
Attachment #462532 - Flags: review?(mkanat) → review-
Attached patch sec adv, v2 (obsolete)
Attachment #462532 - Attachment is obsolete: true
Attachment #462787 - Flags: review?(mkanat)
Comment on attachment 462787 [details] [diff] [review]
sec adv, v2

>* Specifying "bug X" or "attachment X" in a comment would deny access
>  to the bug if X was larger than the maximum 32-bit signed integer
>  size.

  This should start with "For installations using PostgreSQL,".

>  when passing a cookie with the
>             victim ID. The cookie used for impersonation now
>             uses a token.

  Exploit details and fix details aren't necessary in the advisory (unless they're necessary to understanding the issue or important for end users), so we should leave them out.

>Description: An error message being thrown by the "Reports" and

  s/being//

>Description: If a comment contained the phrases "bug X" or
>             "attachment X", where X was an integer larger than the
>             maximum 32-bit signed integer size, PostgreSQL would
>             throw an error, and any page containing that comment would
>             not be viewable. On most Bugzillas, any user can enter
>             a comment on any bug, so any user could have used this to
>             deny access to one or all bugs.

  Append:

  Bugzillas running on databases other than PostgreSQL are not affected.
Attachment #462787 - Flags: review?(mkanat) → review-
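The denial-of-service issue discussed in both reviews above (a "bug X" or "attachment X" reference whose X exceeds the 32-bit signed integer range makes PostgreSQL raise an error instead of returning no rows, so the page carrying that comment cannot be rendered) is easiest to see as an input-validation problem. The following is an added example, not Bugzilla's own code: it scans a comment for such references and separates IDs that can safely be passed to an int4 column from those that would error out. The reference pattern and the function names are assumptions made for this example.

```python
import re

# PostgreSQL INTEGER (int4) is a 32-bit signed type. Comparing a column
# of that type against a larger literal raises "integer out of range"
# rather than simply matching nothing, which is what took the page down.
PG_INT4_MAX = 2**31 - 1

# Matches "bug 123", "bug #123", "attachment 456". This is an assumed
# pattern for the example, not the regex Bugzilla itself uses.
REF_RE = re.compile(r"\b(bug|attachment)\s+#?(\d+)\b", re.IGNORECASE)

# Constructed sample comment: one sane reference and two that exceed int4.
SAMPLE_COMMENT = (
    "See bug 12345 and attachment 9999999999 for details; "
    "also bug 2147483648 is bogus."
)


def extract_refs(comment):
    """Return (kind, id) pairs found in the comment, unvalidated."""
    return [(kind.lower(), int(num)) for kind, num in REF_RE.findall(comment)]


def split_valid_refs(comment, max_id=PG_INT4_MAX):
    """Partition references into those safe for an int4 lookup and those
    that would make the database query (and hence the page) fail."""
    valid, rejected = [], []
    for kind, num in extract_refs(comment):
        (valid if 1 <= num <= max_id else rejected).append((kind, num))
    return valid, rejected


def bug_ids_for_query(comment):
    """Bug IDs that may be used in a `bug_id IN (...)` lookup; out-of-range
    references are dropped before anything reaches the database."""
    valid, _ = split_valid_refs(comment)
    return sorted({num for kind, num in valid if kind == "bug"})


if __name__ == "__main__":
    valid, rejected = split_valid_refs(SAMPLE_COMMENT)
    print("safe references:", valid)
    print("rejected (would error on int4):", rejected)
    print("bug IDs to query:", bug_ids_for_query(SAMPLE_COMMENT))
```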
Attached file sec adv, v3
Attachment #462787 - Attachment is obsolete: true
Attachment #462906 - Flags: review?(mkanat)
Attachment #462906 - Flags: review?(mkanat) → review+
Attachment #462906 - Attachment mime type: text/plain → text/plain; charset=utf-8
Security advisory sent.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED