
Critical Security Issue In Bugzilla Since 2.14: Early-Access Patch

RESOLVED FIXED in Bugzilla 3.2

Status


Bugzilla
User Accounts
--
critical
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: Max Kanat-Alexander, Assigned: Max Kanat-Alexander)

Tracking

2.14
Bugzilla 3.2

Details

Attachments

(5 attachments, 2 obsolete attachments)

(Assignee)

Description

7 years ago
Created attachment 499905 [details] [diff] [review]
Preliminary Patch

Dear Bugzilla Admins,

A critical security issue has been discovered in Bugzilla, and we are offering you an early-access patch so that you can patch your Bugzilla before we publicly disclose the issue. This issue affects Bugzilla versions 2.14 and higher. The impact of the issue is that a user could gain unauthorized access to any Bugzilla account in a very short amount of time (short enough that the attack is highly effective).

The patch currently attached to this bug is only a preliminary patch--the final patch released with the security advisory will be much more extensive. You will have to revert this patch before upgrading to the security release.

We are aware that, under normal circumstances, what this patch looks to be doing is a bad idea--one should not normally call srand() more than once per process. However, we assure you that for now, it will protect your Bugzilla from this security issue being exploited until a more extensive fix can be provided.

There is one slight exception--if you have Bugzilla installed on Windows, then this patch will not resolve the issue, and you will have to wait for the final security advisory and complete patch.

Please avoid exposing the existence of this issue or this patch until we have a final patch and a public security advisory. (In other words, don't check this patch into any publicly-available version-control repository, don't advertise its contents, etc.)
(Assignee)

Comment 1

7 years ago
dkl: Could you CC the appropriate people for Red Hat?

ghendricks: Could you CC the appropriate people for Novell?
(Assignee)

Comment 2

7 years ago
If each of you could let us know when your Bugzilla is patched, that would help us know when we can publicly release our final security fix.

Comment 3

7 years ago
WebKit Bugzilla is patched.
Gentoo Bugzilla is patched (production only, not bugs3 test instance, to avoid disclosure).

Comment 5

7 years ago
Yahoo! isn't affected by this vulnerability, but thanks for the heads up.
Mozilla got patched 3 or 4 days ago.

I suspect Novell is unaffected because they use external auth (it's tied into their support system's single-signon).

Comment 7

7 years ago
This has been applied to kernel.org - we should be good for now.

Comment 8

7 years ago
I'm trying to find out who to pass this on to at Red Hat in case David isn't able to do that right away (or doesn't know).  I also do not believe that Gustavo works at Mandriva anymore, so I don't think his email is valid either (I'm trying to find an appropriate contact there as well).

Comment 9

7 years ago
Ignore the Red Hat bit, I just noticed Kevin was cc'd.  Thanks, David.

Comment 10

7 years ago
I've forwarded this on internally to current Wikimedia sysadmins, will add when confirmed patched.
As it goes back as far as 2.14, can we contact the IssueZilla people at OpenOffice.org? Also, I don't see a Facebook person on the list...

Gerv

Comment 12

7 years ago
bugs.clamav.net patched. Thanks.

Comment 13

7 years ago
(In reply to comment #9)
> Ignore the Red Hat bit, I just noticed Kevin was cc'd.  Thanks, David.

Simon Green will patch this. He's in Australia so it may take us another 12 hours.

Comment 14

7 years ago
(In reply to comment #8)
> I also do not believe that Gustavo works at Mandriva anymore

Indeed, but Oden is our contact person at Mandriva. :)

Comment 15

7 years ago
bugs.maemo.org has been patched. Thanks!

Comment 16

7 years ago
qa.mandriva.com has been patched. Thanks!

Comment 17

7 years ago
Frank, do you want to patch GCC's Bugzilla or should I?

Comment 18

7 years ago
Other potential installations of note: 

https://software.sandia.gov/bugzilla/
http://bugs.developers.facebook.net/ - I can try to track down who runs it
http://bugzilla.songbirdnest.com/
http://bugs.winehq.org/ - Max, looks like you've worked with them

Comment 19

7 years ago
bugzilla.wikimedia.org patched.

Comment 20

7 years ago
GCC and Sourceware Bugzilla both patched!

Comment 21

7 years ago
Eclipse Bugzilla patched.  Thanks!

Comment 22

7 years ago
bugzilla.novell.com is now patched. Thanks!

Comment 23

7 years ago
(In reply to comment #6)
> I suspect Novell is unaffected because they use external auth (it's tied into
> their support system's single-signon).

I suspect you're right, but I patched it anyway.

Comment 24

7 years ago
We use our own SSO for Bugzilla authentication but I have patched anyways, so we should be good.  Thanks for the heads-up!

Comment 25

7 years ago
bugs.kde.org has been patched. Thanks!

Comment 26

7 years ago
issues.apache.org has been patched, thank you

Comment 27

7 years ago
[Adding the MeeGo Bugzilla maintainers to CC list.]

Comment 28

7 years ago
bugzilla.gnome.org has been patched. Thanks!

Comment 29

7 years ago
bugzilla.redhat.com has been patched.

Comment 31

7 years ago
bugs.meego.com has been patched. Thank you!

Comment 32

7 years ago
Adding Daniel for freedesktop.org. Daniel, let us know when f.d.o is patched.

Comment 33

7 years ago
I've patched bugs.fd.o now - thanks!

Comment 34

7 years ago
Bugopolis has upgraded all managed servers.
What is the patch for version 2.16.7+? Thanks (Couldn't find the patch line in Util.pm)

Comment 35

7 years ago
(In reply to comment #34)
> What is the patch for version 2.16.7+? Thanks (Couldn't find the patch line in
> Util.pm)

There is no patch for 2.16.7. This branch is unsupported since April 2006. But if you want to hack the code manually yourself, look at GenerateRandomPassword() in globals.pl, line 725.
(Assignee)

Updated

7 years ago
Version: unspecified → 2.14
(Assignee)

Comment 36

7 years ago
Created attachment 506026 [details] [diff] [review]
Patch for 4.1 (bad)

Here is the final patch for trunk (4.1). If you have already applied the preliminary patch, please revert it before applying this patch.

We plan to release this publicly in a security advisory on Monday. Until such time, please keep this equally as confidential as the original preliminary patch.
Attachment #499905 - Attachment is obsolete: true
Attachment #506026 - Flags: review+
(Assignee)

Comment 37

7 years ago
Created attachment 506030 [details] [diff] [review]
Patch for 3.7.x & 4.0

This is the patch for the 3.7.x series and for 4.0rc1.
Attachment #506030 - Flags: review+
(Assignee)

Comment 38

7 years ago
Created attachment 506031 [details] [diff] [review]
Patch for 3.6.3
Attachment #506031 - Flags: review+
(Assignee)

Comment 39

7 years ago
Comment on attachment 506026 [details] [diff] [review]
Patch for 4.1 (bad)

There's a tiny error in this patch, a new patch is forthcoming. Only this patch is affected, the other patches I've already posted are fine.
Attachment #506026 - Attachment description: Patch for 4.1 → Patch for 4.1 (bad)
Attachment #506026 - Attachment is obsolete: true
(Assignee)

Comment 40

7 years ago
Created attachment 506033 [details] [diff] [review]
Patch for 3.4.9

This patch should apply to any 3.4.x version, although it was written against 3.4.9 specifically.
Attachment #506033 - Flags: review+
(Assignee)

Comment 41

7 years ago
Created attachment 506034 [details] [diff] [review]
Patch for 3.2.9

This patch should apply to any 3.2.x, but was only tested on 3.2.9. It may also apply to 3.0.x, but we haven't tested it there.
Attachment #506034 - Flags: review+
(Assignee)

Comment 42

7 years ago
Created attachment 506047 [details] [diff] [review]
Patch for 4.1

Here is the correct patch for the 4.0 branch.
Attachment #506047 - Flags: review+
(Assignee)

Comment 43

7 years ago
Note that if you have merely applied the preliminary patch, you are not fully secured, although you have protected yourself against the most immediately critical exploits of this issue. 

Ultimately, though, only applying the final patch will protect you against all exploits of this issue, and we strongly recommend that all Bugzilla administrators apply these final patches as soon as possible.

Comment 44

7 years ago
Comment on attachment 506047 [details] [diff] [review]
Patch for 4.1

This patch is *not* for the 4.0 branch. That's the one for 4.1 only. Make sure you applied the correct one.
Attachment #506047 - Attachment description: Patch for 3.7.x and 4.0rc1 → Patch for 4.1

Comment 45

7 years ago
I see that Math::Random::Secure is in the optional section. What are the implications of not installing it? 

Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE Linux Enterprise Server 10 SP2 (unless I force it).

Comment 46

7 years ago
I should have mentioned: our Bugzilla version is 3.4.3. I applied mrs-34.diff.

Comment 47

7 years ago
(In reply to comment #45)
> Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE
> Linux Enterprise Server 10 SP2 (unless I force it).

Which error do you get? Maybe it should be reported to CPAN.

Comment 48

7 years ago
(In reply to comment #47)
> (In reply to comment #45)
> > Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE
> > Linux Enterprise Server 10 SP2 (unless I force it).
> 
> Which error do you get? Maybe should it be reported to CPAN.

Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/blocking..............ok
t/dev_random............ok
t/factory...............ok
t/proc..................Can't call method "read" on an undefined value at /root/.cpan/build/Crypt-Random-Source-0.07/blib/lib/Crypt/Random/Source/Base/Handle.pm line 38.

Comment 49

7 years ago
Crypt::Random::Source::Factory installs fine on openSUSE 11.2, so it might be a flaw in the older SUSE Linux Enterprise Server 10 SP2

I guess I'm concerned that CPAN won't be able to fix this before this bugzilla security disclosure goes live on Monday.

Comment 50

7 years ago
I see that generate_random_password() has an alternate algorithm if Math::Random::Secure is not installed, so it looks as if we're OK.
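The failure mode behind the interim patch's extra srand() call (the description above) and the Math::Random::Secure fallback discussed in this comment, as an added example that is not Bugzilla's own code. It assumes a preforking server model (the parent seeds rand() and then forks workers), that /dev/urandom exists, and hypothetical function names weak_password() and strong_password(); the urandom fallback is ours, not the project's alternate algorithm.

```perl
# Added example, not Bugzilla's own code: a process that seeds rand()
# once and then forks (preforking server model, assumed) hands every
# child the same PRNG state, so each child emits the same "random"
# password. strong_password() shows the hardened form.
use strict;
use warnings;
my @CHARS = ('A' .. 'Z', 'a' .. 'z', '0' .. '9');   # 62 symbols
# Vulnerable pattern: output depends only on the inherited rand() state.
sub weak_password {
    my ($len) = @_;
    return join '', map { $CHARS[int rand @CHARS] } 1 .. $len;
}
my $HAVE_SECURE = eval { require Math::Random::Secure; 1 } ? 1 : 0;
# Hardened: Math::Random::Secure when installed, else /dev/urandom
# (assumed present; this fallback is ours, not the project's).
sub strong_password {
    my ($len) = @_;
    if ($HAVE_SECURE) {   # irand(n): integer in [0, n) from a CSPRNG
        return join '', map { $CHARS[Math::Random::Secure::irand(scalar @CHARS)] } 1 .. $len;
    }
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $out = '';
    while (length $out < $len) {
        read($fh, my $byte, 1) == 1 or die "short read: $!";
        my $v = ord $byte;
        next if $v >= 248;   # 248 = 4*62: reject to avoid modulo bias
        $out .= $CHARS[$v % @CHARS];
    }
    return $out;
}
# Check: seed the parent, fork two children, compare what each produces.
my $seed_it = rand();        # first call seeds the parent's PRNG
my (@weak, @strong);
for (1 .. 2) {
    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork // die "fork: $!";
    if ($pid == 0) {         # child: report both generators, then exit
        close $rd;
        print {$wr} weak_password(12), "\n", strong_password(12), "\n";
        exit 0;
    }
    close $wr;
    chomp(my @line = <$rd>);
    waitpid $pid, 0;
    push @weak, $line[0]; push @strong, $line[1];
}
print "weak:   @weak\n";     # identical in both children: predictable
print "strong: @strong\n";   # differ: each draws fresh entropy
```

Running this on an installation without Math::Random::Secure exercises the fallback path; the two weak passwords match on every run, which is the predictability the final patch removes.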

Comment 51

7 years ago
What time is the announcement? I need to coordinate this deployment with the Novell Change Control Board.
(Assignee)

Comment 52

7 years ago
(In reply to comment #51)
> What time is the announcement? I need to coordinate this deployment with the
> Novell Change Control Board.

It's hard to say--it depends on when we finish the release work.

Comment 53

7 years ago
Red Hat Bugzilla has final 3.6.3 patch applied.
(Assignee)

Comment 54

7 years ago
All of these patches have been checked in. You can consider this issue to be basically public as of now, although the security advisory won't go out for a few hours.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 55

7 years ago
bugzilla.novell.com is now patched.

Comment 56

7 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security