Closed Bug 606618 Opened 14 years ago Closed 14 years ago

[SECURITY] Bugzilla 4.0 and Trunk need a YUI upgrade to avoid .swf XSS vulnerability

Categories

(Bugzilla :: User Interface, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
Bugzilla 4.0

People

(Reporter: mkanat, Assigned: mkanat)

Attachments

(2 files)

bug 606523 details a vulnerability in YUI that will be resolved by YUI 2.8.2. YUI 2.8.2 will be released on 25 October, and we should ideally release on that day or the day after. Thankfully this does not affect any of our stable branches, because we don't ship the YUI .swf file before Bugzilla 4.0.
Flags: blocking4.0+
Do we need this .swf file? Couldn't it simply be removed from our code base?
I'm not sure if we need the swf files for any of our current code, but we may need it in the future, and the current general idea is to include all of YUI (or as much of it as is reasonable) so that customizers and future developers don't have to worry about adding pieces.
Summary: Bugzilla 4.0 and Trunk need a YUI upgrade to avoid .swf XSS vulnerability → [SECURITY] Bugzilla 4.0 and Trunk need a YUI upgrade to avoid .swf XSS vulnerability
Blocks: 606854
Per http://yuilibrary.com/support/2.8.2/#dropins, it seems we don't include all the .swf files anyway. So we could as well decide to wait till someone needs them before including them.
That's true. We do use the Connection library, though, and connection.swf is part of it. I don't think that we need or use connection.swf, but with JSONP support coming, there's a fair chance that we will want to use it and that customizers will want to use it as well. (I believe that's what allows cross-domain connections using YUI.)
I think we can upgrade YUI to 2.8.2 in advance. No need to wait for the release day before fixing this bug. mkanat, do you want to do it? /me has no idea how to extract *-min.js files only.
Yeah, I can do it. Actually, there's a contrib/ script that helps upgrade YUI given a tarball, so this is pretty straightforward. I do need to update some things about the script, though, and this will be a good opportunity.
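The upgrade step mkanat describes (take the YUI tarball, bring only the *-min.js files and the .swf helpers of the shipped components into js/yui/), written out as an added example. This is hypothetical helper code, not Bugzilla's contrib/new-yui.sh; the component list, the build/ layout of the unpacked tarball and the function names are illustrative assumptions. It also checks a copied .swf against an md5 checksum, which is how the checksum posted later in this bug lets people confirm that the file they downloaded is the one from the 2.8.2 release.

```shell
#!/bin/sh
# Hypothetical YUI vendoring helper (example code, not Bugzilla's contrib/new-yui.sh).
# Copies only the minified JS and the Flash helpers for the components we ship,
# leaving the unminified and -debug variants out of the tree, then lets the
# caller verify a binary .swf against a published md5 checksum.

# Components to vendor. Assumption: illustrative list, not Bugzilla's real one.
YUI_COMPONENTS="animation connection swfstore"

# copy_min_js SRC DEST
#   SRC  = the build/ directory of an unpacked YUI 2.x tarball
#   DEST = the js/yui directory in the source tree
# For each component copies SRC/<component>/*-min.js and SRC/<component>/*.swf.
# Returns 1 (without copying further) if a listed component is missing.
copy_min_js() {
    src="$1"; dest="$2"
    for c in $YUI_COMPONENTS; do
        if [ ! -d "$src/$c" ]; then
            echo "missing component $c in $src" >&2
            return 1
        fi
        mkdir -p "$dest/$c"
        for f in "$src/$c"/*-min.js "$src/$c"/*.swf; do
            [ -e "$f" ] || continue   # unmatched glob: component has no such file
            cp "$f" "$dest/$c/"
        done
    done
    return 0
}

# verify_md5 FILE EXPECTED
# Returns 0 when the md5sum of FILE equals EXPECTED (lowercase hex), 1 otherwise.
# A binary diff only says the files "differ", so this is the check a reviewer
# or downloader has for a .swf that cannot be read in the patch itself.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# list_copied DEST
# Prints the relative paths now under DEST, sorted, so the result can be eyeballed.
list_copied() {
    (cd "$1" && find . -type f | sort)
}

# Usage (the checksum is the one posted for swfstore.swf from YUI 2.8.2 in this bug):
#   copy_min_js yui/build js/yui \
#     && verify_md5 js/yui/swfstore/swfstore.swf 8526b66bd23fe8cebfa3426ad9c74ff0 \
#     && list_copied js/yui
```

Because copy_min_js only matches *-min.js and *.swf, the full and -debug builds never enter the tree, which is the "extract *-min.js files only" part of the upgrade; verify_md5 is the step that turns a "Binary files differ" line in the patch into something a person applying it by hand can actually check.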
Attached patch v1
This updates us to YUI 2.8.2, and contains a minor update for new-yui.sh.
Assignee: ui → mkanat
Status: NEW → ASSIGNED
Attachment #486209 - Flags: review?(LpSolit)
Comment on attachment 486209 [details] [diff] [review]
v1

>=== modified file 'js/yui/swfstore/swfstore.swf'
>Binary files js/yui/swfstore/swfstore.swf	2010-06-18 08:00:38 +0000 and js/yui/swfstore/swfstore.swf	2010-09-14 17:06:08 +0000 differ
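Review bot: The js/yui/swfstore/swfstore.swf hunk records only that the two binaries differ, so the new file can neither be read from this patch nor applied with it; the swfstore.swf shipped in YUI 2.8.2 should be attached to the bug and its checksum posted so that anyone applying the patch by hand can confirm they have the upstream file rather than some other build.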

We have to attach swfstore.swf from YUI 2.8.2 to this bug, so that people can download it.
Attachment #486209 - Flags: review?(LpSolit) → review+
Flags: approval?
Flags: approval4.0?
md5sum: 8526b66bd23fe8cebfa3426ad9c74ff0
Just wondering, do we also want to update files in Bugzilla 3.2 - 3.6?
Bugzilla 3.2 has YUI 2.3.1, and Bugzilla 3.4 and 3.6 have YUI 2.6.0.
(In reply to comment #10)
> Just wondering, do we also want to update files in Bugzilla 3.2 - 3.6?
> Bugzilla 3.2 has YUI 2.3.1, and Bugzilla 3.4 and 3.6 have YUI 2.6.0.

  No, those versions all are working and are not affected by the vulnerability. Upgrading YUI has side effects that we would have to deal with (and cannot) on those branches.
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified contrib/new-yui.sh
modified js/yui/animation/animation-min.js
...
Committed revision 7586.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified contrib/new-yui.sh
missing js/yui/utilities
modified js/yui/utilities
modified js/yui/animation/animation-min.js
...
Committed revision 7468.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Security advisory sent, unlocking bug.
Group: bugzilla-security