Bug 621591 - Critical Security Issue In Bugzilla Since 2.14: Early-Access Patch
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: User Accounts
Version: 2.14
Hardware: All
OS: All
Importance: -- critical
Target Milestone: Bugzilla 3.2
Assigned To: Max Kanat-Alexander
QA Contact: default-qa
Depends on: CVE-2010-4568
Reported: 2010-12-27 14:42 PST by Max Kanat-Alexander
Modified: 2011-01-24 17:20 PST
CC: 40 users


Attachments
Preliminary Patch (356 bytes, patch), 2010-12-27 14:42 PST, Max Kanat-Alexander, no flags
Patch for 4.1 (bad) (3.82 KB, patch), 2011-01-21 17:32 PST, Max Kanat-Alexander, mkanat: review+
Patch for 3.7.x & 4.0 (6.05 KB, patch), 2011-01-21 17:33 PST, Max Kanat-Alexander, mkanat: review+
Patch for 3.6.3 (6.12 KB, patch), 2011-01-21 17:34 PST, Max Kanat-Alexander, mkanat: review+
Patch for 3.4.9 (5.63 KB, patch), 2011-01-21 17:38 PST, Max Kanat-Alexander, mkanat: review+
Patch for 3.2.9 (6.27 KB, patch), 2011-01-21 17:39 PST, Max Kanat-Alexander, mkanat: review+
Patch for 4.1 (3.89 KB, patch), 2011-01-21 18:20 PST, Max Kanat-Alexander, mkanat: review+

Description Max Kanat-Alexander 2010-12-27 14:42:25 PST
Created attachment 499905 [details] [diff] [review]
Preliminary Patch

Dear Bugzilla Admins,

A critical security issue has been discovered in Bugzilla, and we are offering you an early-access patch so that you can patch your Bugzilla before we publicly disclose the issue. This issue affects Bugzilla versions 2.14 and higher. The impact of the issue is that a user could gain unauthorized access to any Bugzilla account in a very short amount of time (short enough that the attack is highly effective).

The patch currently attached to this bug is only a preliminary patch--the final patch released with the security advisory will be much more extensive. You will have to revert this patch before upgrading to the security release.

We are aware that, under normal circumstances, what this patch looks to be doing is a bad idea--one should not normally call srand() more than once per process. However, we assure you that for now, it will protect your Bugzilla from this security issue being exploited until a more extensive fix can be provided.

There is one slight exception--if you have Bugzilla installed on Windows, then this patch will not resolve the issue, and you will have to wait for the final security advisory and complete patch.

Please avoid exposing the existence of this issue or this patch until we have a final patch and a public security advisory. (In other words, don't check this patch into any publicly-available version-control repository, don't advertise its contents, etc.)
Comment 1 Max Kanat-Alexander 2010-12-27 14:56:13 PST
dkl: Could you CC the appropriate people for Red Hat?

ghendricks: Could you CC the appropriate people for Novell?
Comment 2 Max Kanat-Alexander 2010-12-27 17:27:13 PST
If each of you could let us know when your Bugzilla is patched, that would help us know when we can publicly release our final security fix.
Comment 3 w@apple.com 2010-12-27 17:37:48 PST
WebKit Bugzilla is patched.
Comment 4 Robin H. Johnson [:robbat2] 2010-12-27 18:02:18 PST
Gentoo Bugzilla is patched (production only, not bugs3 test instance, to avoid disclosure).
Comment 5 David Marshall 2010-12-27 19:25:06 PST
Yahoo! isn't affected by this vulnerability, but thanks for the heads up.
Comment 6 Dave Miller [:justdave] (justdave@bugzilla.org) 2010-12-27 19:49:04 PST
Mozilla got patched 3 or 4 days ago.

I suspect Novell is unaffected because they use external auth (it's tied into their support system's single-signon).
Comment 7 J.H. 2010-12-27 22:10:19 PST
This has been applied to kernel.org - we should be good for now.
Comment 8 Vincent Danen 2010-12-27 22:26:52 PST
I'm trying to find out who to pass this on to at Red Hat in case David isn't able to do that right away (or doesn't know).  I also do not believe that Gustavo works at Mandriva anymore, so I don't think his email is valid either (I'm trying to find an appropriate contact there as well).
Comment 9 Vincent Danen 2010-12-27 22:27:59 PST
Ignore the Red Hat bit, I just noticed Kevin was cc'd.  Thanks, David.
Comment 10 Brion Vibber 2010-12-27 23:31:59 PST
I've forwarded this on internally to current Wikimedia sysadmins, will add when confirmed patched.
Comment 11 Gervase Markham [:gerv] 2010-12-28 00:16:53 PST
As it goes back as far as 2.14, can we contact the IssueZilla people at OpenOffice.org? Also, I don't see a Facebook person on the list...

Gerv
Comment 12 Luca Gibelli 2010-12-28 03:07:25 PST
bugs.clamav.net patched. Thanks.
Comment 13 Kevin Baker 2010-12-28 06:11:25 PST
(In reply to comment #9)
> Ignore the Red Hat bit, I just noticed Kevin was cc'd.  Thanks, David.

Simon Green will patch this. He's in Australia so it may take us another 12 hours.
Comment 14 Frédéric Buclin 2010-12-28 06:21:14 PST
(In reply to comment #8)
> I also do not believe that Gustavo works at Mandriva anymore

Indeed, but Oden is our contact person at Mandriva. :)
Comment 15 Andre Klapper 2010-12-28 06:47:39 PST
bugs.maemo.org has been patched. Thanks!
Comment 16 Oden Eriksson 2010-12-28 07:03:02 PST
qa.mandriva.com has been patched. Thanks!
Comment 17 Frédéric Buclin 2010-12-28 07:10:08 PST
Frank, do you want to patch GCC's Bugzilla or should I?
Comment 18 Zach Lipton [:zach] 2010-12-28 08:23:23 PST
Other potential installations of note: 

https://software.sandia.gov/bugzilla/
http://bugs.developers.facebook.net/ - I can try to track down who runs it
http://bugzilla.songbirdnest.com/
http://bugs.winehq.org/ - Max, looks like you've worked with them
Comment 19 Brion Vibber 2010-12-28 08:38:29 PST
bugzilla.wikimedia.org patched.
Comment 20 Frédéric Buclin 2010-12-28 09:45:24 PST
GCC and Sourceware Bugzilla both patched!
Comment 21 Denis Roy 2010-12-28 11:37:11 PST
Eclipse Bugzilla patched.  Thanks!
Comment 22 Vance Baarda 2010-12-28 13:07:09 PST
bugzilla.novell.com is now patched. Thanks!
Comment 23 Vance Baarda 2010-12-28 13:09:45 PST
(In reply to comment #6)
> I suspect Novell is unaffected because they use external auth (it's tied into
> their support system's single-signon).

I suspect you're right, but I patched it anyway.
Comment 24 Kevin J. Woolley 2010-12-28 13:23:22 PST
We use our own SSO for Bugzilla authentication but I have patched anyways, so we should be good.  Thanks for the heads-up!
Comment 25 Matt Rogers 2010-12-28 19:48:14 PST
bugs.kde.org has been patched. Thanks!
Comment 26 Paul Querna 2010-12-29 01:20:09 PST
issues.apache.org has been patched, thank you
Comment 27 Andre Klapper 2010-12-29 05:41:19 PST
[Adding the MeeGo Bugzilla maintainers to CC list.]
Comment 28 Olav Vitters 2010-12-29 05:58:17 PST
bugzilla.gnome.org has been patched. Thanks!
Comment 29 mail 2010-12-29 06:12:12 PST
bugzilla.redhat.com has been patched.
Comment 31 Eric Le Roux 2010-12-29 06:38:19 PST
bugs.meego.com has been patched. Thank you!
Comment 32 Frédéric Buclin 2011-01-13 10:36:53 PST
Adding Daniel for freedesktop.org. Daniel, let us know when f.d.o is patched.
Comment 33 Daniel Stone 2011-01-13 10:48:52 PST
I've patched bugs.fd.o now - thanks!
Comment 34 Jim Walters 2011-01-17 10:54:57 PST
Bugopolis has upgraded all managed servers.
What is the patch for version 2.16.7+? Thanks (Couldn't find the patch line in Util.pm)
Comment 35 Frédéric Buclin 2011-01-17 11:06:03 PST
(In reply to comment #34)
> What is the patch for version 2.16.7+? Thanks (Couldn't find the patch line in
> Util.pm)

There is no patch for 2.16.7. This branch is unsupported since April 2006. But if you want to hack the code manually yourself, look at GenerateRandomPassword() in globals.pl, line 725.
Comment 36 Max Kanat-Alexander 2011-01-21 17:32:33 PST
Created attachment 506026 [details] [diff] [review]
Patch for 4.1 (bad)

Here is the final patch for trunk (4.1). If you have already applied the preliminary patch, please revert it before applying this patch.

We plan to release this publicly in a security advisory on Monday. Until such time, please keep this equally as confidential as the original preliminary patch.
Comment 37 Max Kanat-Alexander 2011-01-21 17:33:43 PST
Created attachment 506030 [details] [diff] [review]
Patch for 3.7.x & 4.0

This is the patch for the 3.7.x series and for 4.0rc1.
Comment 38 Max Kanat-Alexander 2011-01-21 17:34:17 PST
Created attachment 506031 [details] [diff] [review]
Patch for 3.6.3
Comment 39 Max Kanat-Alexander 2011-01-21 17:35:16 PST
Comment on attachment 506026 [details] [diff] [review]
Patch for 4.1 (bad)

There's a tiny error in this patch, a new patch is forthcoming. Only this patch is affected, the other patches I've already posted are fine.
Comment 40 Max Kanat-Alexander 2011-01-21 17:38:17 PST
Created attachment 506033 [details] [diff] [review]
Patch for 3.4.9

This patch should apply to any 3.4.x version, although it was written against 3.4.9 specifically.
Comment 41 Max Kanat-Alexander 2011-01-21 17:39:31 PST
Created attachment 506034 [details] [diff] [review]
Patch for 3.2.9

This patch should apply to any 3.2.x, but was only tested on 3.2.9. It may also apply to 3.0.x, but we haven't tested it there.
Comment 42 Max Kanat-Alexander 2011-01-21 18:20:55 PST
Created attachment 506047 [details] [diff] [review]
Patch for 4.1

Here is the correct patch for the 4.0 branch.
Comment 43 Max Kanat-Alexander 2011-01-21 18:22:15 PST
Note that if you have merely applied the preliminary patch, you are not fully secured, although you have protected yourself against the most immediately critical exploits of this issue. 

Ultimately, though, only applying the final patch will protect you against all exploits of this issue, and we strongly recommend that all Bugzilla administrators apply these final patches as soon as possible.
Comment 44 Frédéric Buclin 2011-01-22 04:57:23 PST
Comment on attachment 506047 [details] [diff] [review]
Patch for 4.1

This patch is *not* for the 4.0 branch. That's the one for 4.1 only. Make sure you applied the correct one.
Comment 45 Vance Baarda 2011-01-22 11:10:34 PST
I see that Math::Random::Secure is in the optional section. What are the implications of not installing it? 

Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE Linux Enterprise Server 10 SP2 (unless I force it).
Comment 46 Vance Baarda 2011-01-22 11:12:12 PST
I should have mentioned: our Bugzilla version is 3.4.3. I applied mrs-34.diff.
Comment 47 Frédéric Buclin 2011-01-22 11:16:43 PST
(In reply to comment #45)
> Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE
> Linux Enterprise Server 10 SP2 (unless I force it).

Which error do you get? Maybe it should be reported to CPAN.
Comment 48 Vance Baarda 2011-01-22 11:19:44 PST
(In reply to comment #47)
> (In reply to comment #45)
> > Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE
> > Linux Enterprise Server 10 SP2 (unless I force it).
> 
> Which error do you get? Maybe should it be reported to CPAN.

Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/blocking..............ok
t/dev_random............ok
t/factory...............ok
t/proc..................Can't call method "read" on an undefined value at /root/.cpan/build/Crypt-Random-Source-0.07/blib/lib/Crypt/Random/Source/Base/Handle.pm line 38.
Comment 49 Vance Baarda 2011-01-22 11:23:18 PST
Crypt::Random::Source::Factory installs fine on openSUSE 11.2, so it might be a flaw in the older SUSE Linux Enterprise Server 10 SP2.

I guess I'm concerned that CPAN won't be able to fix this before this bugzilla security disclosure goes live on Monday.
Comment 50 Vance Baarda 2011-01-22 14:52:08 PST
I see that generate_random_password() has an alternate algorithm if Math::Random::Secure is not installed, so it looks as if we're OK.
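The hardening pattern this thread turns on (a cryptographically secure source when Math::Random::Secure is installed, a secure fallback otherwise), as an added example that is not code from Bugzilla or from any patch attached to this bug; the /dev/urandom fallback and the function names are this example's own assumptions, not Bugzilla's alternate algorithm.

```perl
#!/usr/bin/perl
# Added example, not code from Bugzilla or from any patch on this bug.
# Draw token characters from a cryptographically secure source
# (Math::Random::Secure when installed, otherwise the kernel CSPRNG)
# instead of perl's built-in rand().
use strict;
use warnings;

# True when the optional module from the final patches is available.
my $HAVE_MRS = eval { require Math::Random::Secure; 1 } ? 1 : 0;

# Return a uniformly distributed integer in [0, $max). The /dev/urandom
# fallback is this example's own choice (assumption), not the alternate
# algorithm Bugzilla's generate_random_password() uses.
sub secure_int {
    my ($max) = @_;
    die "max out of range" unless $max > 0 && $max <= 2**32;
    return Math::Random::Secure::irand($max) if $HAVE_MRS;
    my $limit = int(2**32 / $max) * $max;   # largest multiple of $max <= 2^32
    while (1) {
        open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
        my $got = read($fh, my $buf, 4);
        close($fh);
        die "short read from /dev/urandom" unless defined $got && $got == 4;
        my $n = unpack('N', $buf);
        return $n % $max if $n < $limit;    # reject to avoid modulo bias
    }
}

# Hardened form: every character comes from secure_int().
sub generate_random_password {
    my $size  = shift || 10;
    my @chars = ('A'..'Z', 'a'..'z', '0'..'9');
    return join('', map { $chars[secure_int(scalar @chars)] } 1 .. $size);
}

# Weak form, kept only for contrast: rand() is a plain PRNG seeded once per
# process (the situation the preliminary patch's repeated srand() worked
# around), so its output is not suitable for account tokens.
sub weak_random_password {
    my $size  = shift || 10;
    my @chars = ('A'..'Z', 'a'..'z', '0'..'9');
    return join('', map { $chars[int(rand(scalar @chars))] } 1 .. $size);
}

print "secure source: ", ($HAVE_MRS ? "Math::Random::Secure" : "/dev/urandom"), "\n";
print "token: ", generate_random_password(16), "\n";
```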
Comment 51 Vance Baarda 2011-01-22 15:05:39 PST
What time is the announcement? I need to coordinate this deployment with the Novell Change Control Board.
Comment 52 Max Kanat-Alexander 2011-01-22 23:36:17 PST
(In reply to comment #51)
> What time is the announcement? I need to coordinate this deployment with the
> Novell Change Control Board.

  It's hard to say--it depends on when we finish the release work.
Comment 53 mail 2011-01-23 15:48:35 PST
Red Hat Bugzilla has the final 3.6.3 patch applied.
Comment 54 Max Kanat-Alexander 2011-01-24 13:51:39 PST
All of these patches have been checked in. You can consider this issue to be basically public as of now, although the security advisory won't go out for a few hours.
Comment 55 Vance Baarda 2011-01-24 17:04:52 PST
bugzilla.novell.com is now patched.
Comment 56 Frédéric Buclin 2011-01-24 17:20:07 PST
Security advisory sent. Removing the security flag.