Closed Bug 620540 Opened 14 years ago Closed 14 years ago

Security Advisory for Bugzilla 4.0rc2, 3.6.4, 3.4.10 and 3.2.10

Categories: Bugzilla :: bugzilla.org, defect
Version: 3.2.9
Priority: Not set
Severity: blocker

Status: RESOLVED FIXED

People: Reporter LpSolit, Assigned mkanat

Attachments: 1 file, 4 obsolete files

We have several moderate to critical security bugs to fix for 4.0rc2 & co. I also include the CGI.pm one, hoping a new version will be released on time on CPAN. CVE ref welcome.
Flags: blocking4.0+
Flags: blocking3.6.4+
Flags: blocking3.4.10+
Flags: blocking3.2.10+
Depends on: CVE-2010-4572
Depends on: 621110
Depends on: 621109
Depends on: 621108
Depends on: 621107
Depends on: CVE-2011-0046
Depends on: 621105
Attached file v1 (obsolete) —
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #506051 - Flags: review?(reed)
Attachment #506051 - Flags: review?(LpSolit)
Component: Bugzilla-General → bugzilla.org
Target Milestone: Bugzilla 3.2 → ---
Comment on attachment 506051 [details] v1

>Bugzilla is a Web-based bug-tracking system used by a large number of
>software projects. Recently, the Mozilla Project offered a bounty to
>anyone who could find a security issue in systems that Mozilla uses.
>
>This resulted in several new security issues being found in Bugzilla:

""
Recently, Mozilla expanded its security bug bounty program to include web applications (http://www.mozilla.org/security/bug-bounty.html). As a result, several new security issues affecting Bugzilla were reported:

OR

This expansion resulted in the finding of several new security issues affecting Bugzilla:
""

The bounty program isn't new, so should clarify that only the webapp part is recent. Also, I added a link to the program. It couldn't hurt, and we might get more submissions that way.

I think we should add a shout-out to Mozilla for offering this program, either before the vulnerability details or towards the end. We could move the link there if it's too prominent in the intro.

>* A weakness in Bugzilla could allow a user to gain unauthorized access
>  to another Bugzilla account.

Any reason why you're using "could allow" here when you use "allows" or more present/active verbs later on in the list?

>* A weakness in the Perl CGI.pm module allows injecting HTTP headers
>  and content to users, on several pages in Bugzilla.

s/users, on/users via/

>* Normally, Bugzilla does not make "javascript:" or "data:" URLs into
>  clickable links if they are put into the "URL" field, but there is
>  a way to bypass that protection.

This one doesn't flow. Need to restructure to match format of other issues. Maybe something starting like this:

A weakness in Bugzilla's protection against clickable "javascript:" or "data:" URLs allows ....

>* Various pages lacks protection against cross-site request forgeries.

s/lacks/lack/

>Description: By inserting certain strings into certain URLs, it was
>             possible to inject both headers and content to any
>             browser.

Got another word besides "certain" so you're not using it twice?

s/to any/into any/

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
>             http://avatraxiom.livejournal.com/104105.html
>             http://cwe.mitre.org/data/definitions/113.html

Add https://bugzilla.mozilla.org/show_bug.cgi?id=621572.

>CVE Number:  CVE-2010-2761, CVE-2010-4572, CVE-2010-4411

List in numerical order (also since 2761 and 4411 go together).

>Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side
>             autocomplete mechanism for all fields where a username
>             is entered. This mechanism was vulnerable to a cross-site
>             scripting attack.

s/a username/an e-mail address/

>CVS Number:  CVE-2010-4569

s/CVS/CVE/

>Description: Bugzilla has a "URL" field that can contain any type
>             of URL, including "javascript:" and "data:" URLs. However,
>             it does not make "javascript:" and "data:" URLs into
>             clickable links, to protect against cross-site scripting
>             attacks or other attacks. It was possible to bypass this
>             protection by adding spaces into the URL in places that
>             Bugzilla did not expect them.

s/any type/several types/

>Description: Various pages were vulnerable to non-critical Cross-Site
>             Request Forgery attacks. Some of these issues were only

Drop the "non-critical", as some do concern dataloss and such.

>             addressed on more recent branches of Bugzilla and not
>             fixed in earlier branches, to avoid changing behavior
>             that external applications may depend on.

... fixed in older branches in order to avoid changing ...

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621110

dveditz, do we need one CVE for all of these or one per issue?

>Willem Pinckaers of Pine Security (reporter, Account Compromise issue)

Pine Digital Security

>Alex Miller

Replace with mozilla11@mailinator.com (real name unknown). Alex was not the original reporter. If there are questions about this, poke me on IRC (not here).

>Comments and follow-ups can be directed to the mozilla.support.bugzilla
>newsgroup or the support-bugzilla mailing list.
>http://www.bugzilla.org/support/ has directions for accessing these
>forums.

You know, we don't actually have a place (that I can find) explaining how to report security bugs. We should either add a blurb here at the bottom or include something on the /support/ page.
Attachment #506051 - Flags: review?(reed) → review-
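The review above quotes the advisory entry for the "URL" field: javascript: and data: URLs are not made clickable, but adding spaces where the check did not expect them bypassed that. The following is an added example, not Bugzilla's code and not the string that was used against it (the page does not give it). It contrasts a denylist matched against the raw string with a check made after the whitespace normalisation browsers apply when parsing a URL (leading/trailing C0 controls and space are stripped, and tab, LF and CR are removed anywhere). The allowlist of schemes, the conservative handling of scheme-less values, and all sample inputs are this example's assumptions.

```python
import re
from typing import Optional

# Added example, not Bugzilla's code. Models the advisory's "URL" field check:
# a value must never become a clickable javascript: or data: link. The sample
# inputs below are constructed; the exact bypass string is not on the page.

BLOCKED_SCHEMES = ("javascript", "data")
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}  # assumed allowlist


def naive_is_clickable(url: str) -> bool:
    """Denylist by plain prefix match on the raw string.

    Whitespace before or inside the scheme defeats the match, yet the browser
    discards that same whitespace, so the link still runs script."""
    lowered = url.lower()
    return not any(lowered.startswith(s + ":") for s in BLOCKED_SCHEMES)


# WHATWG URL parser preprocessing: strip leading/trailing C0 control or space,
# then delete every ASCII tab, LF and CR anywhere in the input.
_EDGE_WS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_WS = re.compile(r"[\t\n\r]")


def normalise_url(url: str) -> str:
    """Return the string as a browser would see it before scheme parsing."""
    return _INNER_WS.sub("", _EDGE_WS.sub("", url))


_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def scheme_of(url: str) -> Optional[str]:
    """Lower-cased scheme of the normalised URL, or None if it has none."""
    m = _SCHEME.match(normalise_url(url))
    return m.group(1).lower() if m else None


def hardened_is_clickable(url: str) -> bool:
    """Allowlist on the scheme of the normalised URL.

    Anything without a recognised scheme (including a relative path) is
    treated as not clickable; that conservative choice is this example's."""
    return scheme_of(url) in ALLOWED_SCHEMES


if __name__ == "__main__":
    for candidate in ("javascript:alert(1)", "\tjavascript:alert(1)",
                      "java\nscript:alert(1)", " data:text/html,hi",
                      "https://bugzilla.mozilla.org/"):
        print(repr(candidate), naive_is_clickable(candidate),
              hardened_is_clickable(candidate))
```

Older browsers tolerated even more junk around a scheme than the current parser does, which is why an allowlist on the normalised scheme is the robust shape: a denylist has to anticipate every tolerated variant, an allowlist does not.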
(In reply to comment #3)
> >References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
> >             https://bugzilla.mozilla.org/show_bug.cgi?id=621110
>
> dveditz, do we need one CVE for all of these or one per issue?

Looks like Jose A. Vazquez reported one and then you investigated and looked for other places with the same pattern/problem? If so a single CVE is appropriate.
/me will wait for an updated sec adv before reviewing it.
(In reply to comment #4)
> > dveditz, do we need one CVE for all of these or one per issue?
>
> Looks like Jose A. Vazquez reported one and then you investigated and looked
> for other places with the same pattern/problem? If so a single CVE is
> appropriate.

Correct. Please assign one then. :)
Depends on: CVE-2011-0048
Also need to add bug 628034 to the advisory.
(In reply to comment #7)
> Also need to add bug 628034 to the advisory.

... and add Mike Brooks to the credits, as the reporter.
(In reply to comment #8)
> (In reply to comment #7)
> > Also need to add bug 628034 to the advisory.
>
> ... and add Mike Brooks to the credits, as the reporter.

Make that: Michael Brooks (Sitewatch).
Attached file v2 (obsolete) —
Okay, addressed almost everything that reed pointed out.
Attachment #506051 - Attachment is obsolete: true
Attachment #506330 - Flags: review?(reed)
Attachment #506330 - Flags: review?(LpSolit)
Attachment #506051 - Flags: review?(LpSolit)
Attachment #506330 - Attachment is patch: false
Comment on attachment 506330 [details] v2

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619588
>             https://bugzilla.mozilla.org/show_bug.cgi?id=628034
>CVE Number:  CVE-2010-4567

Add CVE-2011-0048 to the list.

>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621105
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621107
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621108
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621109
>             https://bugzilla.mozilla.org/show_bug.cgi?id=621110

CVE-2011-0046

>Willem Pinckaers of pine.nl (reporter, Account Compromise issue)

Pine Digital Security, if you can...

>Michael Brooks

List as: Michael Brooks of Sitewatch

>Jose A. Vazquez

José A. Vázquez (I know his bugzilla account says differently, but this comes from e-mail)
Attachment #506330 - Attachment is patch: true
Attachment #506330 - Attachment is patch: false
Attached patch v3 (obsolete)
Attachment #506330 - Attachment is obsolete: true
Attachment #506489 - Flags: review?(reed)
Attachment #506489 - Flags: review?(LpSolit)
Attachment #506330 - Flags: review?(reed)
Attachment #506330 - Flags: review?(LpSolit)
Comment on attachment 506489 [details] [diff] [review] v3

>Class:       HTTP Response Splitting
>Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Description: By inserting particular strings into certain URLs, it was
>             possible to inject both headers and content to any
>             browser.
>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
>             http://avatraxiom.livejournal.com/104105.html
>             http://cwe.mitre.org/data/definitions/113.html

Add https://bugzilla.mozilla.org/show_bug.cgi?id=621572.

>Dave Lawrence

David, as per IRC.

r=reed with those fixed.
Attachment #506489 - Flags: review?(reed) → review+
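The advisory entry quoted in the review above classifies the CGI.pm issue as HTTP Response Splitting (CWE-113): attacker-controlled text reaches a response header, and a CR/LF pair inside it ends the header early, so the remainder becomes extra headers and a body of the attacker's choosing. The following is an added example, not CGI.pm's or Bugzilla's code. It assumes a Location header built from a user-supplied redirect target as the sink (the page says only that "particular strings" in "certain URLs" were involved) and uses a constructed payload; it shows the vulnerable header construction, a hardened one that refuses line terminators, and a lenient parse of the result so the split is visible.

```python
import re
from typing import List, Tuple

# Added example, not CGI.pm's or Bugzilla's code. Demonstrates CWE-113 with an
# assumed Location-header sink; the target and payload below are constructed.

CRLF = "\r\n"


class HeaderInjection(ValueError):
    """Raised when a header value contains a line terminator or NUL."""


def build_redirect_naive(target: str) -> str:
    """Interpolate the target into a Location header with no checks.

    Vulnerable shape: a CRLF inside `target` terminates the header line."""
    return "Status: 302 Found" + CRLF + "Location: " + target + CRLF + CRLF


_BAD_HEADER_CHARS = re.compile(r"[\r\n\x00]")


def build_redirect_hardened(target: str) -> str:
    """Refuse any value that could terminate a header line.

    Rejecting is preferred to silently stripping: a stripped value may be a
    different URL from the one the caller validated."""
    if _BAD_HEADER_CHARS.search(target):
        raise HeaderInjection("line terminator or NUL in Location value")
    return "Status: 302 Found" + CRLF + "Location: " + target + CRLF + CRLF


def hardened_rejects(target: str) -> bool:
    """True if the hardened builder refuses `target`."""
    try:
        build_redirect_hardened(target)
    except HeaderInjection:
        return True
    return False


def parse_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a CGI-style response into (header pairs, body) as a lenient
    client would: the first blank line ends the header block."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF):
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def header_names(raw: str) -> List[str]:
    """Header names a client would see in `raw`, in order."""
    return [name for name, _ in parse_response(raw)[0]]


# Constructed payload: closes the Location line, adds a cookie, closes the
# header block, then supplies an HTML body the browser will render.
PAYLOAD = ("/show_bug.cgi?id=1" + CRLF
           + "Set-Cookie: injected=1" + CRLF + CRLF
           + "<html>attacker content</html>")


if __name__ == "__main__":
    print("naive headers:", header_names(build_redirect_naive(PAYLOAD)))
    print("hardened rejects payload:", hardened_rejects(PAYLOAD))
```

Because the split also controls the body, this is not just a header-injection problem: the attacker's HTML is served from the application's own origin, which is why the advisory lists it alongside the cross-site scripting entries.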
Comment on attachment 506489 [details] [diff] [review] v3

>* A weakness in Bugzilla could allow a user to gain unauthorized access
>  to another Bugzilla account.

Any reason why you're using "could allow" here when you use "allows" or more present/active verbs later on in the list?

>Class:       Cross-Site Request Forgery
>Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
>Description: Various pages were vulnerable to Cross-Site Request
>             Forgery attacks. Most of these issues are not as serious
>             as previous CSRF vulnerabilities. Some of these issues
>             were only addressed on more recent branches of Bugzilla
>             and not fixed in earlier branches, to avoid changing
>             behavior that external applications may depend on.

s/, to/in order to/
Attachment #506489 - Flags: review+ → review-
(In reply to comment #14)
> Any reason why you're using "could allow" here when you use "allows" or more
> present/active verbs later on in the list?

I felt it was more accurate.

> s/, to/in order to/

Will fix.
Attached patch v4 (obsolete)
Attachment #506489 - Attachment is obsolete: true
Attachment #506528 - Flags: review?(reed)
Attachment #506528 - Flags: review?(LpSolit)
Attachment #506489 - Flags: review?(LpSolit)
Attachment #506528 - Flags: review?(reed) → review+
Comment on attachment 506528 [details] [diff] [review] v4

>Willem Pinckaers of pine.nl (reporter, Account Compromise issue)

We want a "special thanks" section for Willem, as discussed on IRC.
Attached patch v5
Attachment #506528 - Attachment is obsolete: true
Attachment #506545 - Flags: review?(LpSolit)
Attachment #506528 - Flags: review?(LpSolit)
Comment on attachment 506545 [details] [diff] [review] v5

nice, thanks! r=LpSolit
Attachment #506545 - Flags: review?(LpSolit) → review+
Comment on attachment 506545 [details] [diff] [review] v5

>Full release downloads, patches to upgrade Bugzilla from previous
>versions, and CVS/bzr upgrade instructions are available at:
>
>  http://www.bugzilla.org/download/
>
>
>Credits
>=======

Remove the extra line.

>Willem Pinckaers

Willem Pinckaers (Pine Digital Security)
(In reply to comment #21)
> >Willem Pinckaers
>
> Willem Pinckaers (Pine Digital Security)

No, this is already in the section below.
Comment on attachment 506545 [details] [diff] [review] v5

(In reply to comment #22)
> (In reply to comment #21)
> > >Willem Pinckaers
> >
> > Willem Pinckaers (Pine Digital Security)
>
> No, this is already in the section below

No, should also list it in the credits section. Believe me, it's better to duplicate it than upset somebody down the road. I've been down this road before. ;)
Attachment #506545 - Flags: review-
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED