Bug 660502 (CVE-2011-2977)

[SECURITY] Temporary files for uploaded attachments are not deleted on Windows (again)

RESOLVED FIXED in Bugzilla 3.6

Status


Bugzilla
Attachments & Requests
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

({regression})

Bugzilla 3.6
regression
Bug Flags:
approval +
blocking4.2 +
approval4.0 +
blocking4.0.2 +
approval3.6 +
blocking3.6.6 +

Details

(Whiteboard: [Bugzilla 3.6rc1 and older not affected])

Attachments

(2 attachments)

(Assignee)

Description

6 years ago
We already fixed this problem in Bugzilla 2.20.5 in bug 414002, and it's still working fine in Bugzilla 3.2 and 3.4, but we regressed this again in Bugzilla 3.6. No idea so far what regressed this.

As a user having local access to the server can access the Temp\ directory on Windows, attachments which are uploaded to security bugs or marked as private are still accessible to such users, even if they cannot access them using Bugzilla.
Flags: blocking4.2+
Flags: blocking4.0.2+
Flags: blocking3.6.6+
(Assignee)

Updated

6 years ago
Whiteboard: [Bugzilla 3.4.x and older not affected]
(Assignee)

Comment 1

6 years ago
A good candidate for the regression is bug 454251, but it's just a guess.
(Assignee)

Comment 2

6 years ago
(In reply to comment #1)
> A good candidate for the regression is bug 454251, but it's just a guess.

It's not this one. revno 6854 is fine (Bugzilla 3.5.2), but revno 7167 is not.
(Assignee)

Comment 3

6 years ago
It's a regression due to bug 556429. revno 7112 works fine. revno 7113 is broken.
Depends on: 556429
(Assignee)

Comment 4

6 years ago
Bugzilla 3.6 and 3.7.1 are the first ones to be affected. 3.5.3 and older are fine.
Whiteboard: [Bugzilla 3.4.x and older not affected] → [Bugzilla 3.5.3 and older not affected]
Version: 4.0.1 → 3.6
(Assignee)

Comment 5

6 years ago
Created attachment 535918
patch for 3.6 and 4.0, v1

Explicitly closing the filehandle fixes the problem. The temporary file is now correctly purged (and the uploaded attachment integrity is correct). Tested on both 3.6.5 and 4.0.1.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #535918 - Flags: review?(mkanat)
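
The pattern comment 5 describes, as an added example that is not Bugzilla's patch or code from this bug: read the upload through its filehandle, close the handle explicitly, then delete the temporary file and fail loudly if it is still on disk. The sub name `slurp_and_purge`, the `upload_XXXXXX` template and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Read an uploaded file through its handle, then release and delete the
# temporary file. $fh and $path stand in for the upload handle and temp
# file path a web framework would hand over (hypothetical names).
sub slurp_and_purge {
    my ($fh, $path) = @_;

    binmode $fh;
    local $/;                       # slurp mode: read the whole file at once
    my $data = <$fh>;
    defined $data or die "read failed on $path: $!";

    # On Windows an open handle blocks deletion of the file, so the handle
    # must be closed explicitly before unlink is attempted.
    close($fh) or die "close failed on $path: $!";

    # Treat a failed delete as an error instead of silently leaving a
    # private attachment readable in the temp directory.
    unlink($path) or die "cannot delete $path: $!";
    die "temp file $path still exists after unlink" if -e $path;

    return $data;
}

# Constructed sample: a private attachment spooled to a temp file.
my ($fh, $path) = tempfile('upload_XXXXXX', TMPDIR => 1, UNLINK => 0);
binmode $fh;
print {$fh} "constructed private attachment body\n";
seek($fh, 0, 0) or die "seek failed: $!";

my $data = slurp_and_purge($fh, $path);
printf "read %d bytes; temp file purged\n", length $data;
```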
(Assignee)

Comment 6

6 years ago
Although this bug appears after the commit of bug 556429, that bug is not the culprit. It only made this bug visible, but is not responsible for it.
No longer depends on: 556429
(Assignee)

Comment 7

6 years ago
Created attachment 535919
patch for 4.2, v1
Attachment #535919 - Flags: review?(mkanat)
(Assignee)

Updated

6 years ago
Blocks: 660528
Comment on attachment 535918
patch for 3.6 and 4.0, v1

r=glob
Attachment #535918 - Flags: review?(mkanat) → review+
Comment on attachment 535919
patch for 4.2, v1

r=glob
please add a comment on checkin explaining why this is required.
Attachment #535919 - Flags: review?(mkanat) → review+
(Assignee)

Comment 10

6 years ago
(In reply to comment #9)
> please add a comment on checkin explaining why this is required.

ok, will do. Thanks for the reviews! :)
(Assignee)

Updated

6 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval3.6?
(Assignee)

Updated

6 years ago
Summary: Temporary files for uploaded attachments are not deleted on Windows (again) → [SECURITY] Temporary files for uploaded attachments are not deleted on Windows (again)
Use CVE-2011-2977 for this bug
Alias: CVE-2011-2977
(Assignee)

Updated

6 years ago
Whiteboard: [Bugzilla 3.5.3 and older not affected] → [Bugzilla 3.6rc1 and older not affected]
(Assignee)

Updated

6 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
(Assignee)

Comment 12

6 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Attachment.pm
Committed revision 7889.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Attachment.pm
Committed revision 7635.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Attachment.pm
Committed revision 7252.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 13

6 years ago
Security advisory sent, unlocking this bug.
Group: bugzilla-security