Bug 660502 - (CVE-2011-2977) [SECURITY] Temporary files for uploaded attachments are not deleted on Windows (again)
Status: RESOLVED FIXED
Whiteboard: [Bugzilla 3.6rc1 and older not affected]
Keywords: regression
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 3.6
Platform: All All
Importance: -- normal
Target Milestone: Bugzilla 3.6
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 660528

Reported: 2011-05-28 17:40 PDT by Frédéric Buclin
Modified: 2011-08-05 17:33 PDT
CC List: 1 user
LpSolit: approval+
LpSolit: blocking4.2+
LpSolit: approval4.0+
LpSolit: blocking4.0.2+
LpSolit: approval3.6+
LpSolit: blocking3.6.6+


Attachments
patch for 3.6 and 4.0, v1 (382 bytes, patch)
2011-05-29 05:31 PDT, Frédéric Buclin
glob: review+
patch for 4.2, v1 (652 bytes, patch)
2011-05-29 05:43 PDT, Frédéric Buclin
glob: review+

Description Frédéric Buclin 2011-05-28 17:40:02 PDT
We already fixed this problem in Bugzilla 2.20.5 in bug 414002, and it's still working fine in Bugzilla 3.2 and 3.4, but we regressed this again in Bugzilla 3.6. No idea so far what regressed this.

As a user having local access to the server can access the Temp\ directory on Windows, attachments which are uploaded to security bugs or marked as private are still accessible to such users, even if they cannot access them using Bugzilla.
Comment 1 Frédéric Buclin 2011-05-28 17:47:36 PDT
A good candidate for the regression is bug 454251, but it's just a guess.
Comment 2 Frédéric Buclin 2011-05-28 18:26:51 PDT
(In reply to comment #1)
> A good candidate for the regression is bug 454251, but it's just a guess.

It's not this one. revno 6854 is fine (Bugzilla 3.5.2), but revno 7167 is not.
Comment 3 Frédéric Buclin 2011-05-28 18:59:42 PDT
It's a regression due to bug 556429. revno 7112 works fine. revno 7113 is broken.
Comment 4 Frédéric Buclin 2011-05-28 19:02:41 PDT
Bugzilla 3.6 and 3.7.1 are the first ones to be affected. 3.5.3 and older are fine.
Comment 5 Frédéric Buclin 2011-05-29 05:31:07 PDT
Created attachment 535918
patch for 3.6 and 4.0, v1

Explicitly closing the filehandle fixes the problem. The temporary file is now correctly purged (and the uploaded attachment integrity is correct). Tested on both 3.6.5 and 4.0.1.
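
The close-before-delete pattern described in comment 5, as an added Perl example that is not taken from either patch or from Bugzilla/Attachment.pm. The helper name `consume_upload` is hypothetical and the sample temp file is constructed to stand in for a CGI upload.

```perl
#!/usr/bin/perl
# Added illustration; not Bugzilla's own code.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper: read an uploaded file through its handle, then make
# sure the on-disk temporary copy is really gone before returning the data.
sub consume_upload {
    my ($fh, $tmp_path) = @_;

    binmode $fh;
    my $data = do { local $/; <$fh> };    # slurp the whole upload

    # On Windows a file that still has an open handle normally cannot be
    # deleted, so close the handle before anything tries to remove the file.
    close($fh) or die "close failed for $tmp_path: $!";

    # Remove the temp copy ourselves if nothing else has done so yet.
    if (-e $tmp_path && !unlink($tmp_path)) {
        die "temporary upload $tmp_path could not be removed: $!";
    }

    # Fail loudly rather than leave private attachment data behind.
    die "temporary upload $tmp_path still exists" if -e $tmp_path;

    return $data;
}

# Constructed sample: stands in for the temp file a CGI upload creates.
my ($fh, $path) = tempfile('upload-XXXXXX', TMPDIR => 1, UNLINK => 0);
binmode $fh;
print {$fh} "constructed private attachment body\n";
seek($fh, 0, 0) or die "seek failed: $!";    # flush and rewind for reading

my $data = consume_upload($fh, $path);
printf "read %d bytes; temp file present afterwards: %s\n",
    length($data), (-e $path ? 'yes' : 'no');
```
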
Comment 6 Frédéric Buclin 2011-05-29 05:33:11 PDT
Although this bug appears after the commit of bug 556429, that bug is not the culprit. It only made this bug visible, but is not responsible for it.
Comment 7 Frédéric Buclin 2011-05-29 05:43:12 PDT
Created attachment 535919
patch for 4.2, v1
Comment 8 Byron Jones ‹:glob› [PTO until 2017-01-09] 2011-05-30 08:29:41 PDT
Comment on attachment 535918
patch for 3.6 and 4.0, v1

r=glob
Comment 9 Byron Jones ‹:glob› [PTO until 2017-01-09] 2011-05-30 08:30:00 PDT
Comment on attachment 535919
patch for 4.2, v1

r=glob
please add a comment on checkin explaining why this is required.
Comment 10 Frédéric Buclin 2011-05-30 08:31:53 PDT
(In reply to comment #9)
> please add a comment on checkin explaining why this is required.

ok, will do. Thanks for the reviews! :)
Comment 11 Daniel Veditz [:dveditz] 2011-08-01 16:33:25 PDT
Use CVE-2011-2977 for this bug
Comment 12 Frédéric Buclin 2011-08-04 13:25:59 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Attachment.pm
Committed revision 7889.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Attachment.pm
Committed revision 7635.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Attachment.pm
Committed revision 7252.
Comment 13 Max Kanat-Alexander 2011-08-05 17:33:31 PDT
Security advisory sent, unlocking this bug.
