Bug 777398 (CVE-2012-1968)

[SECURITY] HTML bugmail exposes information about restricted bugs

RESOLVED FIXED in Bugzilla 4.2

Status

Product: Bugzilla
Component: Email Notifications
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 5 months ago

People

(Reporter: glob, Assigned: Frédéric Buclin)

Tracking

Version: 4.1.1
Target Milestone: Bugzilla 4.2
Bug Flags:
approval +
blocking4.4 +
approval4.2 +
blocking4.2.2 +

Attachments

(1 attachment, 1 obsolete attachment)

8.33 KB, patch, Frédéric Buclin: review+
(Reporter)

Description

5 years ago
HTML bugmail uses the bug_link filter to linkify 'bug NNN' text, both within comments and when other bugs are referenced (e.g. blockers, dependencies).

The bug_link code always tests if the current user has access to the bug it's marking up, and if not, it sets the title to just the bug's status.

However, when constructing bugmail, the current user is the user who made the change -- we need to test if to_user has access to the bug.
(Assignee)

Comment 1

5 years ago
Affects Bugzilla 4.1.1 and newer. We will need a 4.2.2 and a 4.3.2 release ASAP.

As you can mention private attachments in comments too, both Bugzilla::Template::get_bug_link() and Bugzilla::Template::get_attachment_link() must be fixed. We should pass a new optional argument to the bug_link() and quoteUrls() filters which, if present, overrides the user object when validating permissions.
Depends on: 326826, 65477
Flags: blocking4.4+
Flags: blocking4.2.2+
Target Milestone: --- → Bugzilla 4.2
Version: 4.2 → 4.1.1
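As an added illustration, not Bugzilla's code and not the patch attached to this bug, the following self-contained Perl script models the flaw described above and the shape of the fix outlined in comment 1. A linkify filter whose permission check is bound to the request-scoped "current user" (the user who made the change) leaks a restricted bug's summary into the link title of mail addressed to a recipient who cannot see that bug; threading an optional user override through the filter, and through the list variant that comment 6 asks for, makes the check run against the recipient instead. The bug and user data, the can_see_bug stand-in, and the names bug_link_vulnerable, bug_link_fixed, bug_list_link_fixed and linkify_comment are constructed for the example; the option key `user` is an assumption about the fix's interface, not something confirmed by the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (not real Bugzilla data): bug id => attributes.
# Bug 101 is restricted to members of the 'security' group.
my %bugs = (
    100 => { summary => 'Public crash in parser',       status => 'NEW',      groups => [] },
    101 => { summary => 'Auth bypass in login (secret)', status => 'ASSIGNED', groups => ['security'] },
);

# Constructed users: name => set of groups the user belongs to.
my %users = (
    alice => { security => 1 },   # made the change; may see restricted bugs
    bob   => {},                  # recipient of the mail; may not see bug 101
);

# Stand-in for the request-scoped current user (Bugzilla->user).
my $current_user = 'alice';

# Stand-in for a user's can_see_bug check: a bug with no groups is public,
# otherwise the user must be in at least one of the bug's groups.
sub can_see_bug {
    my ($user, $bug_id) = @_;
    my $bug = $bugs{$bug_id} or return 0;
    return 1 unless @{ $bug->{groups} };
    return scalar grep { $users{$user}{$_} } @{ $bug->{groups} };
}

# Shared markup: full "STATUS - summary" title only when $user may see the
# bug; otherwise just the status, as the description says get_bug_link does.
sub render_link {
    my ($bug_id, $text, $user) = @_;
    my $bug   = $bugs{$bug_id};
    my $title = can_see_bug($user, $bug_id)
        ? "$bug->{status} - $bug->{summary}"
        : $bug->{status};
    return qq{<a href="show_bug.cgi?id=$bug_id" title="$title">$text</a>};
}

# Vulnerable shape: the permission check always uses the current user,
# whoever the rendered mail is actually addressed to.
sub bug_link_vulnerable {
    my ($bug_id, $text) = @_;
    return render_link($bug_id, $text, $current_user);
}

# Fixed shape: an optional { user => ... } overrides the current user so the
# bugmail template can pass the recipient (to_user). (Option name assumed.)
sub bug_link_fixed {
    my ($bug_id, $text, $options) = @_;
    $options ||= {};
    my $user = $options->{user} || $current_user;
    return render_link($bug_id, $text, $user);
}

# List variant: same fix, the options hash is threaded through unchanged.
sub bug_list_link_fixed {
    my ($ids, $options) = @_;
    return join ', ', map { bug_link_fixed($_, "bug $_", $options) } @$ids;
}

# Linkify "bug NNN" in comment text on behalf of recipient $to_user.
sub linkify_comment {
    my ($text, $to_user) = @_;
    $text =~ s/\bbug (\d+)\b/bug_link_fixed($1, "bug $1", { user => $to_user })/ge;
    return $text;
}

my $comment = "Depends on bug 101 and bug 100.";

# Vulnerable: bob's mail carries the restricted summary in the title attribute.
(my $leak = $comment) =~ s/\bbug (\d+)\b/bug_link_vulnerable($1, "bug $1")/ge;
print "vulnerable (to bob):  $leak\n";

# Fixed: bob sees only the status; alice still gets the full title.
print "fixed (to bob):       ", linkify_comment($comment, 'bob'),   "\n";
print "fixed (to alice):     ", linkify_comment($comment, 'alice'), "\n";
print "blocks list (to bob): ", bug_list_link_fixed([100, 101], { user => 'bob' }), "\n";
```

The check to carry into a code review of any notification or batch-rendering path is the one the description makes: whenever output is produced for a principal other than the one who triggered the request, every access decision along the rendering path must take that recipient explicitly, and any filter or helper that silently falls back to a global current user is a leak waiting to happen.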
(Assignee)

Comment 2

5 years ago
I know that Denis is going to upgrade Eclipse Bugzilla to 4.2.1 on Friday, so CC'ing him so that he knows what the problem is with HTML bugmails. The point is: either wait for Bugzilla 4.2.2, or disable HTML bugmails once the upgrade is done from

  Administration > Default Preferences > Preferred email format > Text Only + Enabled off

"Enable off" will prevent users from selecting HTML bugmails. They will be forced to get plain text emails only (as in Bugzilla 4.0 and older).

Comment 3

5 years ago
use CVE-2012-1968 for this bug.
Alias: CVE-2012-1968
(Assignee)

Updated

5 years ago
Blocks: 777558
(Assignee)

Comment 4

5 years ago
Taking! I'm on it.
Assignee: email-notifications → LpSolit
Status: NEW → ASSIGNED
(Assignee)

Comment 5

5 years ago
Created attachment 645982 [details] [diff] [review]
patch, v1

This patch applies to both trunk and 4.2.1. It also fixes bug 777586 as both bugs are closely related.
Attachment #645982 - Flags: review?(glob)
(Reporter)

Comment 6

5 years ago
Comment on attachment 645982 [details] [diff] [review]
patch, v1

r=glob on the condition that bug_list_link is fixed on commit.

The bug_list_link filter must also accept an options parameter and pass it to get_bug_link. While it isn't used in Bugzilla's default bugmail template, it's possible for extensions or custom bugmail templates to use this filter.
Attachment #645982 - Flags: review?(glob) → review+
(Reporter)

Updated

5 years ago
Flags: approval?
Flags: approval4.2?
(Assignee)

Comment 7

5 years ago
Created attachment 646081 [details] [diff] [review]
patch, v2

Also fixing bug_list_link(). Carrying forward glob's r+.
Attachment #645982 - Attachment is obsolete: true
Attachment #646081 - Flags: review+
(Assignee)

Updated

5 years ago
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval+
(Assignee)

Updated

5 years ago
Summary: html bugmail exposes information about restricted bugs → [SECURITY] HTML bugmail exposes information about restricted bugs
(Assignee)

Comment 8

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Hook.pm
modified Bugzilla/Template.pm
modified template/en/default/email/bugmail.html.tmpl
Committed revision 8306.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/Hook.pm
modified Bugzilla/Template.pm
modified template/en/default/email/bugmail.html.tmpl
Committed revision 8108.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 9

5 years ago
Security advisory sent.
Group: bugzilla-security

Updated

5 months ago
Flags: needinfo?

Updated

5 months ago
Flags: needinfo?