Closed Bug 621591 Opened 10 years ago Closed 10 years ago

Critical Security Issue In Bugzilla Since 2.14: Early-Access Patch

Product/Component: Bugzilla :: User Accounts
Version: 2.14
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.2
Reporter: mkanat, Assigned: mkanat
Attachments: 5 files, 2 obsolete files

Attached patch Preliminary Patch (obsolete) — Splinter Review
Dear Bugzilla Admins,

A critical security issue has been discovered in Bugzilla, and we are offering you an early-access patch so that you can patch your Bugzilla before we publicly disclose the issue. This issue affects Bugzilla versions 2.14 and higher. The impact of the issue is that a user could gain unauthorized access to any Bugzilla account in a very short amount of time (short enough that the attack is highly effective).

The patch currently attached to this bug is only a preliminary patch--the final patch released with the security advisory will be much more extensive. You will have to revert this patch before upgrading to the security release.

We are aware that, under normal circumstances, what this patch looks to be doing is a bad idea--one should not normally call srand() more than once per process. However, we assure you that for now, it will protect your Bugzilla from this security issue being exploited until a more extensive fix can be provided.

There is one slight exception--if you have Bugzilla installed on Windows, then this patch will not resolve the issue, and you will have to wait for the final security advisory and complete patch.

Please avoid exposing the existence of this issue or this patch until we have a final patch and a public security advisory. (In other words, don't check this patch into any publicly-available version-control repository, don't advertise its contents, etc.)
dkl: Could you CC the appropriate people for Red Hat?

ghendricks: Could you CC the appropriate people for Novell?
If each of you could let us know when your Bugzilla is patched, that would help us know when we can publicly release our final security fix.
WebKit Bugzilla is patched.
Gentoo Bugzilla is patched (production only, not bugs3 test instance, to avoid disclosure).
Yahoo! isn't affected by this vulnerability, but thanks for the heads up.
Mozilla got patched 3 or 4 days ago.

I suspect Novell is unaffected because they use external auth (it's tied into their support system's single-signon).
This has been applied to kernel.org - we should be good for now.
I'm trying to find out who to pass this on to at Red Hat in case David isn't able to do that right away (or doesn't know).  I also do not believe that Gustavo works at Mandriva anymore, so I don't think his email is valid either (I'm trying to find an appropriate contact there as well).
Ignore the Red Hat bit, I just noticed Kevin was cc'd.  Thanks, David.
I've forwarded this on internally to current Wikimedia sysadmins, will add when confirmed patched.
As it goes back as far as 2.14, can we contact the IssueZilla people at OpenOffice.org? Also, I don't see a Facebook person on the list...

Gerv
bugs.clamav.net patched. Thanks.
(In reply to comment #9)
> Ignore the Red Hat bit, I just noticed Kevin was cc'd.  Thanks, David.

Simon Green will patch this. He's in Australia so it may take us another 12 hours.
(In reply to comment #8)
> I also do not believe that Gustavo works at Mandriva anymore

Indeed, but Oden is our contact person at Mandriva. :)
bugs.maemo.org has been patched. Thanks!
qa.mandriva.com has been patched. Thanks!
Frank, do you want to patch GCC's Bugzilla or should I?
Other potential installations of note: 

https://software.sandia.gov/bugzilla/
http://bugs.developers.facebook.net/ - I can try to track down who runs it
http://bugzilla.songbirdnest.com/
http://bugs.winehq.org/ - Max, looks like you've worked with them
bugzilla.wikimedia.org patched.
GCC and Sourceware Bugzilla both patched!
Eclipse Bugzilla patched.  Thanks!
bugzilla.novell.com is now patched. Thanks!
(In reply to comment #6)
> I suspect Novell is unaffected because they use external auth (it's tied into
> their support system's single-signon).

I suspect you're right, but I patched it anyway.
We use our own SSO for Bugzilla authentication but I have patched anyways, so we should be good.  Thanks for the heads-up!
bugs.kde.org has been patched. Thanks!
issues.apache.org has been patched, thank you.
[Adding the MeeGo Bugzilla maintainers to CC list.]
bugzilla.gnome.org has been patched. Thanks!
bugzilla.redhat.com has been patched.
bugs.meego.com has been patched. Thank you!
Adding Daniel for freedesktop.org. Daniel, let us know when f.d.o is patched.
I've patched bugs.fd.o now - thanks!
Bugopolis has upgraded all managed servers.
What is the patch for version 2.16.7+? Thanks (Couldn't find the patch line in Util.pm)
(In reply to comment #34)
> What is the patch for version 2.16.7+? Thanks (Couldn't find the patch line in
> Util.pm)

There is no patch for 2.16.7. This branch is unsupported since April 2006. But if you want to hack the code manually yourself, look at GenerateRandomPassword() in globals.pl, line 725.
Version: unspecified → 2.14
Attached patch Patch for 4.1 (bad) (obsolete) — Splinter Review
Here is the final patch for trunk (4.1). If you have already applied the preliminary patch, please revert it before applying this patch.

We plan to release this publicly in a security advisory on Monday. Until such time, please keep this equally as confidential as the original preliminary patch.
Attachment #499905 - Attachment is obsolete: true
Attachment #506026 - Flags: review+
This is the patch for the 3.7.x series and for 4.0rc1.
Attachment #506030 - Flags: review+
Attached patch Patch for 3.6.3 — Splinter Review
Attachment #506031 - Flags: review+
Comment on attachment 506026 [details] [diff] [review]
Patch for 4.1 (bad)

There's a tiny error in this patch, a new patch is forthcoming. Only this patch is affected, the other patches I've already posted are fine.
Attachment #506026 - Attachment description: Patch for 4.1 → Patch for 4.1 (bad)
Attachment #506026 - Attachment is obsolete: true
Attached patch Patch for 3.4.9 — Splinter Review
This patch should apply to any 3.4.x version, although it was written against 3.4.9 specifically.
Attachment #506033 - Flags: review+
Attached patch Patch for 3.2.9 — Splinter Review
This patch should apply to any 3.2.x, but was only tested on 3.2.9. It may also apply to 3.0.x, but we haven't tested it there.
Attachment #506034 - Flags: review+
Attached patch Patch for 4.1 — Splinter Review
Here is the correct patch for the 4.0 branch.
Attachment #506047 - Flags: review+
Note that if you have merely applied the preliminary patch, you are not fully secured, although you have protected yourself against the most immediately critical exploits of this issue. 

Ultimately, though, only applying the final patch will protect you against all exploits of this issue, and we strongly recommend that all Bugzilla administrators apply these final patches as soon as possible.
Comment on attachment 506047 [details] [diff] [review]
Patch for 4.1

This patch is *not* for the 4.0 branch. That's the one for 4.1 only. Make sure you applied the correct one.
Attachment #506047 - Attachment description: Patch for 3.7.x and 4.0rc1 → Patch for 4.1
I see that Math::Random::Secure is in the optional section. What are the implications of not installing it? 

Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE Linux Enterprise Server 10 SP2 (unless I force it).
I should have mentioned: our Bugzilla version is 3.4.3. I applied mrs-34.diff.
(In reply to comment #45)
> Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE
> Linux Enterprise Server 10 SP2 (unless I force it).

Which error do you get? Maybe it should be reported to CPAN.
(In reply to comment #47)
> (In reply to comment #45)
> > Reason I ask: Crypt::Random::Source::Factory does not install for me on SUSE
> > Linux Enterprise Server 10 SP2 (unless I force it).
> 
> Which error do you get? Maybe should it be reported to CPAN.

Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/blocking..............ok
t/dev_random............ok
t/factory...............ok
t/proc..................Can't call method "read" on an undefined value at /root/.cpan/build/Crypt-Random-Source-0.07/blib/lib/Crypt/Random/Source/Base/Handle.pm line 38.
Crypt::Random::Source::Factory installs fine on openSUSE 11.2, so it might be a flaw in the older SUSE Linux Enterprise Server 10 SP2.

I guess I'm concerned that CPAN won't be able to fix this before this bugzilla security disclosure goes live on Monday.
I see that generate_random_password() has an alternate algorithm if Math::Random::Secure is not installed, so it looks as if we're OK.
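The stopgap in comment 0 (re-seeding with srand() on every call) and the fallback mentioned in the previous comment both exist because the token generator relied on Perl's built-in rand(). As an added example, not code from Bugzilla or from any patch on this bug: a generate_random_password() of the same shape that draws from Math::Random::Secure::irand() when the module is installed, reads /dev/urandom directly otherwise, and fails closed when neither is available. The alphabet, the fallback logic and the helper name pick_random_source() are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: a reset-token generator that never
# degrades to Perl's rand(), the predictable source this bug is about.
use strict;
use warnings;

# Alphabet is an assumption for the example (10 digits + 26 + 26 letters = 62).
my @ALPHABET = ('0'..'9', 'a'..'z', 'A'..'Z');

# Choose a random source once, at startup.
my $irand = pick_random_source();

sub pick_random_source {
    # Preferred: Math::Random::Secure::irand($max) -> integer in [0, $max).
    if (eval { require Math::Random::Secure; 1 }) {
        return \&Math::Random::Secure::irand;
    }
    # Fallback: read the kernel CSPRNG directly (Linux/BSD only).
    if (-r '/dev/urandom') {
        open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
        return sub {
            my ($max) = @_;
            # Use 31 bits so the arithmetic stays exact on 32-bit Perls, and
            # reject draws above the largest multiple of $max to avoid modulo bias.
            my $limit = 0x80000000 - (0x80000000 % $max);
            while (1) {
                read($fh, my $buf, 4) == 4 or die "short read from /dev/urandom";
                my $n = unpack('N', $buf) & 0x7FFFFFFF;
                return $n % $max if $n < $limit;
            }
        };
    }
    # Neither source (e.g. Windows without the module): fail closed instead of
    # silently falling back to rand(), which srand()-per-call cannot rescue there.
    die "no cryptographic random source available; install Math::Random::Secure\n";
}

# Same signature as Bugzilla's helper: N characters, default 10.
sub generate_random_password {
    my $size = shift || 10;
    return join('', map { $ALPHABET[$irand->(scalar @ALPHABET)] } 1 .. $size);
}

print generate_random_password(16), "\n";
```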
What time is the announcement? I need to coordinate this deployment with the Novell Change Control Board.
(In reply to comment #51)
> What time is the announcement? I need to coordinate this deployment with the
> Novell Change Control Board.

It's hard to say--it depends on when we finish the release work.
Red Hat Bugzilla has the final 3.6.3 patch applied.
All of these patches have been checked in. You can consider this issue to be basically public as of now, although the security advisory won't go out for a few hours.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
bugzilla.novell.com is now patched.
Security advisory sent. Removing the security flag.
Group: bugzilla-security