Closed Bug 660502 (CVE-2011-2977) Opened 9 years ago Closed 9 years ago

[SECURITY] Temporary files for uploaded attachments are not deleted on Windows (again)

Categories

(Bugzilla :: Attachments & Requests, defect)

defect
Not set

Tracking


RESOLVED FIXED
Bugzilla 3.6

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

(Keywords: regression, Whiteboard: [Bugzilla 3.6rc1 and older not affected])

Attachments

(2 files)

We already fixed this problem in Bugzilla 2.20.5 in bug 414002, and it's still working fine in Bugzilla 3.2 and 3.4, but we regressed this again in Bugzilla 3.6. No idea so far what regressed this.

As users with local access to the server can access the Temp\ directory on Windows, attachments uploaded to security bugs or marked as private are still accessible to such users, even if they cannot access them using Bugzilla.
Flags: blocking4.2+
Flags: blocking4.0.2+
Flags: blocking3.6.6+
Whiteboard: [Bugzilla 3.4.x and older not affected]
A good candidate for the regression is bug 454251, but it's just a guess.
(In reply to comment #1)
> A good candidate for the regression is bug 454251, but it's just a guess.

It's not this one. revno 6854 is fine (Bugzilla 3.5.2), but revno 7167 is not.
It's a regression due to bug 556429. revno 7112 works fine. revno 7113 is broken.
Depends on: 556429
Bugzilla 3.6 and 3.7.1 are the first ones to be affected. 3.5.3 and older are fine.
Whiteboard: [Bugzilla 3.4.x and older not affected] → [Bugzilla 3.5.3 and older not affected]
Version: 4.0.1 → 3.6
Explicitly closing the filehandle fixes the problem. The temporary file is now correctly purged (and the uploaded attachment integrity is correct). Tested on both 3.6.5 and 4.0.1.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #535918 - Flags: review?(mkanat)
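The fix described above rests on a Windows filesystem rule: a file whose handle is still open cannot be unlinked, so the upload's spool file survives in Temp\ until something closes the handle, and on a shared server a local user can read it. The following is an added illustration, not code from Bugzilla (Bugzilla/Attachment.pm is Perl; this is a Python stand-in). The function names store_upload, leftover_spool_files and demo, the bz-upload- prefix and the sample bytes are all constructed for this example. The "regressed" variant unlinks while the spool handle is open; the "fixed" variant closes the handle first, which is what the attached patches do.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample upload standing in for a private attachment; not real data.
SAMPLE_UPLOAD = b"confidential attachment body\n" * 64
TMP_PREFIX = "bz-upload-"  # assumed prefix so the audit helper can find spool files


def store_upload(data, dest_path, spool_dir=None, close_before_unlink=True):
    """Spool `data` through a temp file, copy it to `dest_path`, purge the temp file.

    Returns (temp_file_left_behind, integrity_ok).

    close_before_unlink=False mimics the regressed behaviour: the spool handle is
    still open when unlink runs. On Windows that unlink fails (the open handle
    blocks deletion) and the file stays in the temp directory; on POSIX the
    unlink succeeds, so the difference is only visible on Windows.
    """
    fd, tmp_path = tempfile.mkstemp(prefix=TMP_PREFIX, dir=spool_dir)
    fh = os.fdopen(fd, "wb")  # the spool handle, like the CGI upload filehandle
    try:
        fh.write(data)
        fh.flush()

        # Copy the spooled bytes into their final home, reading by name so the
        # copy does not depend on the spool handle's file position.
        with open(tmp_path, "rb") as src, open(dest_path, "wb") as dst:
            shutil.copyfileobj(src, dst)

        if close_before_unlink:
            fh.close()  # the fix: release the handle before deleting the file
        try:
            os.unlink(tmp_path)
        except OSError:
            pass  # Windows with the handle still open: deletion is refused
        left_behind = os.path.exists(tmp_path)
    finally:
        if not fh.closed:
            fh.close()

    with open(dest_path, "rb") as f:
        stored = f.read()
    integrity_ok = hashlib.sha256(stored).digest() == hashlib.sha256(data).digest()
    return left_behind, integrity_ok


def leftover_spool_files(directory=None):
    """Audit check: list spool files still present, i.e. what a local user could read."""
    directory = directory or tempfile.gettempdir()
    return sorted(
        os.path.join(directory, name)
        for name in os.listdir(directory)
        if name.startswith(TMP_PREFIX)
    )


def demo(data=SAMPLE_UPLOAD):
    """Run both variants in a scratch directory and report their results."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["regressed"] = store_upload(
            data, os.path.join(d, "att-1"), spool_dir=d, close_before_unlink=False
        )
        results["audit_after_regressed"] = leftover_spool_files(d)
        results["fixed"] = store_upload(
            data, os.path.join(d, "att-2"), spool_dir=d, close_before_unlink=True
        )
        results["audit_after_fixed"] = leftover_spool_files(d)
    return results


if __name__ == "__main__":
    out = demo()
    for name in ("regressed", "fixed"):
        left, ok = out[name]
        print(f"{name:9s} temp file left behind: {left}  integrity ok: {ok}")
    print("spool files still readable after regressed run:", out["audit_after_regressed"])
```

Run on a Windows host, the regressed variant reports the spool file left behind and the audit helper lists it; on Linux both variants clean up, which is exactly why this regression was missed in testing until someone checked the Temp\ directory on Windows. Content integrity is verified with a SHA-256 comparison in both cases, matching the observation above that closing the handle first does not corrupt the stored attachment.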
Although this bug appears after the commit of bug 556429, that bug is not the culprit. It only made this bug visible, but it is not responsible for it.
No longer depends on: 556429
Attachment #535919 - Flags: review?(mkanat)
Blocks: 660528
Comment on attachment 535918 [details] [diff] [review]
patch for 3.6 and 4.0, v1

r=glob
Attachment #535918 - Flags: review?(mkanat) → review+
Comment on attachment 535919 [details] [diff] [review]
patch for 4.2, v1

r=glob
please add a comment on checkin explaining why this is required.
Attachment #535919 - Flags: review?(mkanat) → review+
(In reply to comment #9)
> please add a comment on checkin explaining why this is required.

ok, will do. Thanks for the reviews! :)
Flags: approval?
Flags: approval4.0?
Flags: approval3.6?
Summary: Temporary files for uploaded attachments are not deleted on Windows (again) → [SECURITY] Temporary files for uploaded attachments are not deleted on Windows (again)
Use CVE-2011-2977 for this bug
Alias: CVE-2011-2977
Whiteboard: [Bugzilla 3.5.3 and older not affected] → [Bugzilla 3.6rc1 and older not affected]
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Attachment.pm
Committed revision 7889.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Attachment.pm
Committed revision 7635.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Attachment.pm
Committed revision 7252.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Security advisory sent, unlocking this bug.
Group: bugzilla-security