Closed Bug 606618 Opened 14 years ago Closed 14 years ago

[SECURITY] Bugzilla 4.0 and Trunk need a YUI upgrade to avoid .swf XSS vulnerability

Categories

(Bugzilla :: User Interface, defect)

Product:
Bugzilla
Component:
User Interface
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.0

People

(Reporter: mkanat, Assigned: mkanat)

References

Details

Attachments

(2 files)

v1
1.09 MB, patch
LpSolit
: review+
Details | Diff | Splinter Review
swfstore.swf for YUI 2.8.2
4.76 KB, application/octet-stream
Details
bug 606523 details a vulnerability in YUI that will be resolved by YUI 2.8.2. YUI 2.8.2 will be released on 25 October, and we should ideally release on that day or the day after. Thankfully this does not affect any of our stable branches, because we don't ship the YUI .swf file before Bugzilla 4.0.
Flags: blocking4.0+
Do we need this .swf file? Couldn't it simply be removed from our code base?
I'm not sure if we need the swf files for any of our current code, but we may need it in the future, and the current general idea is to include all of YUI (or as much of it as is reasonable) so that customizers and future developers don't have to worry about adding pieces.
Summary: Bugzilla 4.0 and Trunk need a YUI upgrade to avoid .swf XSS vulnerability → [SECURITY] Bugzilla 4.0 and Trunk need a YUI upgrade to avoid .swf XSS vulnerability
Blocks: 606854
Per http://yuilibrary.com/support/2.8.2/#dropins, it seems we don't include all the .swf files anyway. So we could as well decide to wait till someone needs them before including them.
That's true. We do use the Connection library, though, and connection.swf is part of it. I don't think that we need or use connection.swf, but with JSONP support coming, there's a fair chance that we will want to use it and that customizers will want to use it as well. (I believe that's what allows cross-domain connections using YUI.)
I think we can upgrade YUI to 2.8.2 in advance. No need to wait for the release day before fixing this bug. mkanat, do you want to do it? /me has no idea how to extract *-min.js files only.
Yeah, I can do it. Actually, there's a contrib/ script that helps upgrade YUI given a tarball, so this is pretty straightfoward. I do need to update some things about the script, though, and this will be a good opportunity.
Attached patch v1Splinter Review
This updates us to YUI 2.8.2, and contains a minor update for new-yui.sh.
Assignee: ui → mkanat
Status: NEW → ASSIGNED
Attachment #486209 - Flags: review?(LpSolit)
Comment on attachment 486209 [details] [diff] [review] v1 >=== modified file 'js/yui/swfstore/swfstore.swf' >Binary files js/yui/swfstore/swfstore.swf 2010-06-18 08:00:38 +0000 and js/yui/swfstore/swfstore.swf 2010-09-14 17:06:08 +0000 differ We have to attach swfstore.swf from YUI 2.8.2 to this bug, so that people can download it.
Attachment #486209 - Flags: review?(LpSolit) → review+
Flags: approval?
Flags: approval4.0?
md5sum: 8526b66bd23fe8cebfa3426ad9c74ff0
Just wondering, do we also want to update files in Bugzilla 3.2 - 3.6? Bugzilla 3.2 has YUI 2.3.1, and Bugzilla 3.4 and 3.6 have YUI 2.6.0.
(In reply to comment #10) > Just wondering, do we also want to update files in Bugzilla 3.2 - 3.6? > Bugzilla 3.2 has YUI 2.3.1, and Bugzilla 3.4 and 3.6 have YUI 2.6.0. No, those versions all are working and are not affected by the vulnerability. Upgrading YUI has side effects that we would have to deal with (and cannot) on those branches.
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/ modified contrib/new-yui.sh modified js/yui/animation/animation-min.js ... Committed revision 7586. Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/ modified contrib/new-yui.sh missing js/yui/utilities modified js/yui/utilities modified js/yui/animation/animation-min.js ... Committed revision 7468.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Security advisory sent, unlocking bug.
Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: