Created attachment 569947: patch v1

Confirming; fix attached.
Hey guys, thanks for reporting this. I wrote that code, quite some time ago :-| We have various protections in place to detect possible XSS for output coming from templates, but obviously if you just write "print" in a CGI, then... <sigh> Gerv
Comment on attachment 569947: patch v1

r=gerv. Gerv
Sure, glad to help. Our client also suggested that it'd be great if the hardcoded debugging output (there's more in other places, as I guess you know) could be made optional, as it's normally not needed in a production system and might only lead to problems like this. We didn't find any other problems in the debugging code, but it's always good to reduce your attack surface.
I just did a quick audit of all calls to "print" and "say" in the current codebase, and I've found one more confirmed instance of this - in report.cgi, lines 288-294. Same type of code, put there for the same reason, by the same person, with the same bug. :-| You can trigger it in that case by updating your Real Name to have a <script> tag in it, making e.g. Assignee Real Name one of the chart parameters, and then putting debug=1 on the end of your chart URL. Gerv
By "quick audit", I of course mean "possibly incomplete and should be repeated more thoroughly". I also did a search for other uses of Data::Dumper but couldn't immediately find any vulnerabilities. Gerv
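The pattern Gerv describes in the two comments above (a raw `print` of Data::Dumper output in a CGI, reachable with `debug=1`), shown next to a hardened form. This is an added example, not Bugzilla's own code; the subroutine names, the `$debug_allowed` flag and the sample chart parameters are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code): the debug-dump pattern this bug is
# about, in its unsafe form and then hardened. render_debug_dump_unsafe,
# render_debug_dump and the $debug_allowed flag are hypothetical names.
use strict;
use warnings;
use Data::Dumper;
use HTML::Entities qw(encode_entities);

# Constructed sample: chart parameters as a report CGI might collect them,
# with a user-controlled Real Name carrying markup.
my %chart_params = (
    x_axis_field => 'assigned_to_realname',
    x_labels     => [ 'Jane Doe', '<script>alert(1)</script>' ],  # constructed
    y_labels     => [ 'NEW', 'ASSIGNED' ],
);

# Pattern described in the thread: the Dumper output is printed as-is,
# so any markup a user put into a field is emitted as live HTML.
sub render_debug_dump_unsafe {
    my ($params) = @_;
    local $Data::Dumper::Sortkeys = 1;
    return '<pre>' . Dumper($params) . '</pre>';
}

# Hardened form: the dump is only produced when the deployment explicitly
# allows debug output (off in production), and it is HTML-escaped, so a
# "<script>" inside any value is rendered as text rather than executed.
sub render_debug_dump {
    my ($params, $debug_allowed) = @_;
    return '' unless $debug_allowed;     # a debug=1 URL parameter alone is not enough
    local $Data::Dumper::Sortkeys = 1;
    return '<pre>' . encode_entities(Dumper($params)) . '</pre>';
}

my $unsafe = render_debug_dump_unsafe(\%chart_params);
my $safe   = render_debug_dump(\%chart_params, 1);

print "unsafe output contains a live <script> tag: ",
      ($unsafe =~ /<script>/ ? "yes" : "no"), "\n";
print "escaped output contains a live <script> tag: ",
      ($safe =~ /<script>/ ? "yes" : "no"), "\n";
print "with debug disabled the dump is: '",
      render_debug_dump(\%chart_params, 0), "'\n";
```

Run it as a plain script; the first line reports the raw dump still carries the tag while the escaped dump and the disabled-debug case do not.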
Created attachment 569963: patch for 4.2 and older, v2

Fixes the report.cgi instance. I was also unable to find any other occurrences that smelt bad.
Comment on attachment 569963: patch for 4.2 and older, v2

r=gerv. Gerv
I guess this patch applies to all branches?
(In reply to Frédéric Buclin from comment #9)
> I guess this patch applies to all branches?

Yes, except for trunk.
Created attachment 570593: patch v2 (trunk)
Comment on attachment 570593: patch v2 (trunk)

r=gerv. Gerv
Thanks for reporting, fixing, and reviewing this, everybody. I'm a little pressed for time until after Wednesday, but I will start planning to do a sec release for this shortly after that. If anybody else wants to file the relevant release bugs and do the sec adv, it would definitely speed up the process.
Hi, as the last update is almost a month old: what's your current time schedule for releasing the fix? Any idea when this'll be officially announced?
(In reply to Patrick Hof from comment #14)
> what's your current time schedule for releasing the fix? Any idea when this'll be officially announced?

We have no hard release date as we are still tracking some other blockers, but this should happen within a few weeks (I would say mid-December at the latest, without guarantee). The patches in this bug will be committed right before the releases.
Assigning CVE-2011-3657 to this issue.
3.4:
Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/3.4
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 6817.

3.6:
Committing to: bzr+ssh://email@example.com/bugzilla/3.6
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 7266.

4.0:
Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/4.0
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 7671.

4.2:
Committing to: bzr+ssh://email@example.com/bugzilla/4.2
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 7990.

trunk:
Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/trunk
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 8053.

dkl
Security Advisory sent and is live on bugzilla.org. Removing the security flag.