Bug 620540 - Security Advisory for Bugzilla 4.0rc2, 3.6.4, 3.4.10 and 3.2.10
Status: Closed (opened 14 years ago, closed 14 years ago)
Component: Bugzilla :: bugzilla.org (defect)
Resolution: RESOLVED FIXED
People: Reporter LpSolit, Assigned mkanat
Attachments (1 file, 4 obsolete files): patch, 6.59 KB; LpSolit: review+; reed: review-
We have several moderate to critical security bugs to fix for 4.0rc2 & co. I also include the CGI.pm one, hoping a new version will be released on time on CPAN.
CVE ref welcome.
Flags: blocking4.0+
Flags: blocking3.6.4+
Flags: blocking3.4.10+
Flags: blocking3.2.10+
Updated by reporter•14 years ago
Depends on: CVE-2010-4572
Updated•14 years ago
Depends on: CVE-2011-0046
Comment 2 (assignee)•14 years ago
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #506051 -
Flags: review?(reed)
Attachment #506051 -
Flags: review?(LpSolit)
Updated by assignee•14 years ago
Component: Bugzilla-General → bugzilla.org
Target Milestone: Bugzilla 3.2 → ---
Comment 3•14 years ago
Comment on attachment 506051 [details]
v1
>Bugzilla is a Web-based bug-tracking system used by a large number of
>software projects. Recently, the Mozilla Project offered a bounty to
>anyone who could find a security issue in systems that Mozilla uses.
>
>This resulted in several new security issues being found in Bugzilla:
""
Recently, Mozilla expanded its security bug bounty program to include web applications (http://www.mozilla.org/security/bug-bounty.html).
As a result, several new security issues affecting Bugzilla were reported:
OR
This expansion resulted in the finding of several new security issues affecting Bugzilla:
""
The bounty program isn't new, so should clarify that only the webapp part is recent. Also, I added a link to the program. It couldn't hurt, and we might get more submissions that way. I think we should add a shout-out to Mozilla for offering this program, either before the vulnerability details or towards the end. We could move the link there if it's too prominent in the intro.
>* A weakness in Bugzilla could allow a user to gain unauthorized access
> to another Bugzilla account.
Any reason why you're using "could allow" here when you use "allows" or more present/active verbs later on in the list?
>* A weakness in the Perl CGI.pm module allows injecting HTTP headers
> and content to users, on several pages in Bugzilla.
s/users, on/users via/
>* Normally, Bugzilla does not make "javascript:" or "data:" URLs into
> clickable links if they are put into the "URL" field, but there is
> a way to bypass that protection.
This one doesn't flow. Need to restructure to match format of other issues. Maybe something starting like this:
A weakness in Bugzilla's protection against clickable "javascript:" or "data:" URLs allows ....
>* Various pages lacks protection against cross-site request forgeries.
s/lacks/lack/
>Description: By inserting certain strings into certain URLs, it was
> possible to inject both headers and content to any
> browser.
Got another word besides "certain" so you're not using it twice?
s/to any/into any/
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=591165
> http://avatraxiom.livejournal.com/104105.html
> http://cwe.mitre.org/data/definitions/113.html
Add https://bugzilla.mozilla.org/show_bug.cgi?id=621572.
>CVE Number: CVE-2010-2761, CVE-2010-4572, CVE-2010-4411
List in numerical order (also since 2761 and 4411 go together).
>Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side
> autocomplete mechanism for all fields where a username
> is entered. This mechanism was vulnerable to a cross-site
> scripting attack.
s/a username/an e-mail address/
>CVS Number: CVE-2010-4569
s/CVS/CVE/
>Description: Bugzilla has a "URL" field that can contain any type
> of URL, including "javascript:" and "data:" URLs. However,
> it does not make "javascript:" and "data:" URLs into
> clickable links, to protect against cross-site scripting
> attacks or other attacks. It was possible to bypass this
> protection by adding spaces into the URL in places that
> Bugzilla did not expect them.
s/any type/several types/
>Description: Various pages were vulnerable to non-critical Cross-Site
> Request Forgery attacks. Some of these issues were only
Drop the "non-critical", as some do concern dataloss and such.
> addressed on more recent branches of Bugzilla and not
> fixed in earlier branches, to avoid changing behavior
> that external applications may depend on.
... fixed in older branches in order to avoid changing ...
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=621090
> https://bugzilla.mozilla.org/show_bug.cgi?id=621105
> https://bugzilla.mozilla.org/show_bug.cgi?id=621107
> https://bugzilla.mozilla.org/show_bug.cgi?id=621108
> https://bugzilla.mozilla.org/show_bug.cgi?id=621109
> https://bugzilla.mozilla.org/show_bug.cgi?id=621110
dveditz, do we need one CVE for all of these or one per issue?
>Willem Pinckaers of Pine Security (reporter, Account Compromise issue)
Pine Digital Security
>Alex Miller
Replace with mozilla11@mailinator.com (real name unknown). Alex was not the original reporter. If there are questions about this, poke me on IRC (not here).
>Comments and follow-ups can be directed to the mozilla.support.bugzilla
>newsgroup or the support-bugzilla mailing list.
>http://www.bugzilla.org/support/ has directions for accessing these
>forums.
You know, we don't actually have a place (that I can find) explaining how to report security bugs. We should either add a blurb here at the bottom or include something on the /support/ page.
Attachment #506051 -
Flags: review?(reed) → review-
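The "URL" field issue quoted in the draft above (the javascript:/data: protection bypassed by unexpected spaces) is a deny-list prefix test defeated by input that was never normalised. The following is an added illustration, not Bugzilla's code: the naive prefix check beside a hardened version that strips ASCII whitespace and control characters first and then allow-lists the scheme. The allow-list and the sample field values are constructed assumptions for this example.

```python
import re

# Added illustration (not Bugzilla's code). Schemes that may be turned into
# clickable links; this allow-list is an assumption made for the example.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}

# ASCII whitespace and control characters. Browsers tolerate or strip several
# of these inside a URL, so a literal prefix test never sees the real scheme.
_WS_CTRL = re.compile(r"[\x00-\x20\x7f]")


def naive_is_linkable(url: str) -> bool:
    """Literal prefix deny-list: the pattern the advisory says was bypassed.

    Whitespace placed before or inside the scheme defeats the comparison.
    """
    lower = url.lower()
    return not (lower.startswith("javascript:") or lower.startswith("data:"))


def hardened_is_linkable(url: str) -> bool:
    """Normalise first, then allow-list the scheme instead of deny-listing.

    Whitespace and control characters are removed before the scheme is read,
    so padding cannot hide it; anything not on the allow-list, including a
    value with no scheme at all, is left as plain text rather than linked.
    """
    cleaned = _WS_CTRL.sub("", url)
    scheme, sep, _rest = cleaned.partition(":")
    if not sep:
        return False
    return scheme.lower() in SAFE_SCHEMES


def classify(urls):
    """Return {value: (naive_verdict, hardened_verdict)} for a batch of field values."""
    return {u: (naive_is_linkable(u), hardened_is_linkable(u)) for u in urls}


# Constructed sample field values: an ordinary link, a blocked scheme, and the
# same scheme padded with whitespace in places a prefix test does not expect.
SAMPLE_VALUES = [
    "http://www.bugzilla.org/",
    "javascript:alert(1)",
    " javascript:alert(1)",
    "java\tscript:alert(1)",
]

if __name__ == "__main__":
    for value, verdicts in classify(SAMPLE_VALUES).items():
        print(repr(value), "naive:", verdicts[0], "hardened:", verdicts[1])
```

Only the hardened check returns False for the padded values; the naive one would have linkified them.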
Comment 4•14 years ago
(In reply to comment #3)
> >References: https://bugzilla.mozilla.org/show_bug.cgi?id=621090
> > https://bugzilla.mozilla.org/show_bug.cgi?id=621105
> > https://bugzilla.mozilla.org/show_bug.cgi?id=621107
> > https://bugzilla.mozilla.org/show_bug.cgi?id=621108
> > https://bugzilla.mozilla.org/show_bug.cgi?id=621109
> > https://bugzilla.mozilla.org/show_bug.cgi?id=621110
>
> dveditz, do we need one CVE for all of these or one per issue?
Looks like Jose A. Vazquez reported one and then you investigated and looked for other places with the same pattern/problem? If so, a single CVE is appropriate.
Comment 5 (reporter)•14 years ago
/me will wait for an updated sec adv before reviewing it.
Comment 6•14 years ago
(In reply to comment #4)
> > dveditz, do we need one CVE for all of these or one per issue?
>
> Looks like Jose A. Vazquez reported one and then you investigated and looked
> for other places with the same pattern/problem? If so a single CVE is
> appropriate.
Correct. Please assign one then. :)
Updated•14 years ago
Depends on: CVE-2011-0048
Comment 7•14 years ago
Also need to add bug 628034 to the advisory.
Comment 8•14 years ago
(In reply to comment #7)
> Also need to add bug 628034 to the advisory.
... and add Mike Brooks to the credits, as the reporter.
Comment 9•14 years ago
(In reply to comment #8)
> (In reply to comment #7)
> > Also need to add bug 628034 to the advisory.
>
> ... and add Mike Brooks to the credits, as the reporter.
Make that: Michael Brooks (Sitewatch).
Comment 10 (assignee)•14 years ago
Okay, addressed almost everything that reed pointed out.
Attachment #506051 -
Attachment is obsolete: true
Attachment #506330 -
Flags: review?(reed)
Attachment #506330 -
Flags: review?(LpSolit)
Attachment #506051 -
Flags: review?(LpSolit)
Updated by reporter•14 years ago
Attachment #506330 -
Attachment is patch: false
Comment 11•14 years ago
Comment on attachment 506330 [details]
v2
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=619588
> https://bugzilla.mozilla.org/show_bug.cgi?id=628034
>CVE Number: CVE-2010-4567
Add CVE-2011-0048 to the list.
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=621090
> https://bugzilla.mozilla.org/show_bug.cgi?id=621105
> https://bugzilla.mozilla.org/show_bug.cgi?id=621107
> https://bugzilla.mozilla.org/show_bug.cgi?id=621108
> https://bugzilla.mozilla.org/show_bug.cgi?id=621109
> https://bugzilla.mozilla.org/show_bug.cgi?id=621110
CVE-2011-0046
>Willem Pinckaers of pine.nl (reporter, Account Compromise issue)
Pine Digital Security, if you can...
>Michael Brooks
List as: Michael Brooks of Sitewatch
>Jose A. Vazquez
José A. Vázquez (I know his bugzilla account says differently, but this comes from e-mail)
Attachment #506330 -
Attachment is patch: true
Updated•14 years ago
Attachment #506330 -
Attachment is patch: false
Comment 12 (assignee)•14 years ago
Attachment #506330 -
Attachment is obsolete: true
Attachment #506489 -
Flags: review?(reed)
Attachment #506489 -
Flags: review?(LpSolit)
Attachment #506330 -
Flags: review?(reed)
Attachment #506330 -
Flags: review?(LpSolit)
Comment 13•14 years ago
Comment on attachment 506489 [details] [diff] [review]
v3
>Class: HTTP Response Splitting
>Versions: Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Fixed In: 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Description: By inserting particular strings into certain URLs, it was
> possible to inject both headers and content to any
> browser.
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=591165
> http://avatraxiom.livejournal.com/104105.html
> http://cwe.mitre.org/data/definitions/113.html
Add https://bugzilla.mozilla.org/show_bug.cgi?id=621572.
>Dave Lawrence
David, as per IRC.
r=reed with those fixed.
Attachment #506489 -
Flags: review?(reed) → review+
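The "HTTP Response Splitting" entry quoted in this review (and in comment 3) references CWE-113: a CR/LF reaching a header value lets request-derived data end the header early and supply further headers or a body. The following is an added illustration of the rule a CGI layer has to enforce; it is not CGI.pm's or Bugzilla's code, and the header names, the redirect helper and the sample targets are constructed for the example.

```python
import re

# Added illustration (not CGI.pm's or Bugzilla's code): refuse to serialise a
# header field that could split the HTTP response (CWE-113).

# A bare CR, LF or NUL in a header value terminates the field early; whatever
# follows is then parsed by the browser as further headers or as the body.
_SPLIT_CHARS = re.compile(r"[\r\n\x00]")
# RFC 7230 token characters, the only ones allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be emitted without ending the header prematurely."""
    return _SPLIT_CHARS.search(value) is None


def build_header_block(headers):
    """Serialise (name, value) pairs as a CGI header block.

    Raises ValueError instead of emitting a field that would split the
    response, so request-derived data (a redirect target, a cookie value)
    can never introduce a second header or a body of its own.
    """
    lines = []
    for name, value in headers:
        if not _TOKEN.match(name):
            raise ValueError(f"invalid header field name: {name!r}")
        if not is_safe_header_value(value):
            raise ValueError(f"CR/LF/NUL in value of header {name!r}")
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def redirect_block(location: str) -> str:
    """Header block for a redirect whose target was taken from the request."""
    return build_header_block([("Status", "302 Found"), ("Location", location)])


# Constructed samples: one ordinary target and one carrying an embedded CRLF
# (already percent-decoded) of the kind an unchecked parameter could contain.
SAMPLE_TARGETS = ["/show_bug.cgi?id=1", "/ok\r\nX-Injected: 1\r\n\r\n<html>"]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        try:
            print(redirect_block(target))
        except ValueError as err:
            print("rejected:", err)
```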
Comment 14•14 years ago
Comment on attachment 506489 [details] [diff] [review]
v3
>* A weakness in Bugzilla could allow a user to gain unauthorized access
> to another Bugzilla account.
Any reason why you're using "could allow" here when you use "allows" or more present/active verbs later on in the list?
>Class: Cross-Site Request Forgery
>Versions: Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Fixed In: 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Description: Various pages were vulnerable to Cross-Site Request
> Forgery attacks. Most of these issues are not as serious
> as previous CSRF vulnerabilities. Some of these issues
> were only addressed on more recent branches of Bugzilla
> and not fixed in earlier branches, to avoid changing
> behavior that external applications may depend on.
s/, to/in order to/
Attachment #506489 -
Flags: review+ → review-
Comment 15 (assignee)•14 years ago
(In reply to comment #14)
> Any reason why you're using "could allow" here when you use "allows" or more
> present/active verbs later on in the list?
I felt it was more accurate.
> s/, to/in order to/
Will fix.
Comment 16 (assignee)•14 years ago
Attachment #506489 -
Attachment is obsolete: true
Attachment #506528 -
Flags: review?(reed)
Attachment #506528 -
Flags: review?(LpSolit)
Attachment #506489 -
Flags: review?(LpSolit)
Comment 17•14 years ago
Comment on attachment 506528 [details] [diff] [review]
v4
>References: https://bugzilla.mozilla.org/show_bug.cgi?id=591165
> https://bugzilla.mozilla.org/show_bug.cgi?id=621572
Remove extra space.
r=reed with that fixed.
Attachment #506528 -
Flags: review?(reed) → review+
Comment 18 (reporter)•14 years ago
Comment on attachment 506528 [details] [diff] [review]
v4
>Willem Pinckaers of pine.nl (reporter, Account Compromise issue)
We want a "special thanks" section for Willem, as discussed on IRC.
Comment 19 (assignee)•14 years ago
Attachment #506528 -
Attachment is obsolete: true
Attachment #506545 -
Flags: review?(LpSolit)
Attachment #506528 -
Flags: review?(LpSolit)
Comment 20 (reporter)•14 years ago
Comment on attachment 506545 [details] [diff] [review]
v5
nice, thanks! r=LpSolit
Attachment #506545 -
Flags: review?(LpSolit) → review+
Comment 21•14 years ago
Comment on attachment 506545 [details] [diff] [review]
v5
>Full release downloads, patches to upgrade Bugzilla from previous
>versions, and CVS/bzr upgrade instructions are available at:
>
> http://www.bugzilla.org/download/
>
>
>Credits
>=======
Remove the extra line.
>Willem Pinckaers
Willem Pinckaers (Pine Digital Security)
Comment 22 (reporter)•14 years ago
(In reply to comment #21)
> >Willem Pinckaers
>
> Willem Pinckaers (Pine Digital Security)
No, this is already in the section below.
Comment 23•14 years ago
Comment on attachment 506545 [details] [diff] [review]
v5
(In reply to comment #22)
> (In reply to comment #21)
> > >Willem Pinckaers
> >
> > Willem Pinckaers (Pine Digital Security)
>
> No, this is already in the section below
No, should also list it in the credits section. Believe me, it's better to duplicate it than upset somebody down the road. I've been down this road before. ;)
Attachment #506545 -
Flags: review-
Comment 24 (reporter)•14 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED