Bug 777398 - (CVE-2012-1968) [SECURITY] HTML bugmail exposes information about restricted bugs
Product: Bugzilla
Classification: Server Software
Component: Email Notifications
Version: 4.1.1
Platform: All, OS: All
Importance: priority --, severity critical
Target Milestone: Bugzilla 4.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
Depends on: 65477 326826
Blocks: 777558
Reported: 2012-07-25 10:09 PDT by Byron Jones ‹:glob›
Modified: 2012-07-26 23:28 PDT
CC: 8 users
Flags: LpSolit: approval+, LpSolit: blocking4.4+, LpSolit: approval4.2+, LpSolit: blocking4.2.2+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Attachments:
patch, v1 (7.79 KB, patch), 2012-07-25 18:13 PDT, Frédéric Buclin, glob: review+
patch, v2 (8.33 KB, patch), 2012-07-26 04:11 PDT, Frédéric Buclin, LpSolit: review+

Description Byron Jones ‹:glob› 2012-07-25 10:09:23 PDT
HTML bugmail uses the bug_link filter to linkify 'bug NNN' text, both within comments and when other bugs are referenced (e.g. blockers, dependencies).

The bug_link code always tests if the current user has access to the bug it's marking up, and if not, it sets the title to just the bug's status.

However, when constructing bugmail, the current user is the user which made the change -- we need to test if to_user has access to the bug.
Comment 1 Frédéric Buclin 2012-07-25 15:39:33 PDT
Affects Bugzilla 4.1.1 and newer. We will need a 4.2.2 and a 4.3.2 release asap.

As you can mention private attachments in comments too, both Bugzilla::Template::get_bug_link() and Bugzilla::Template::get_attachment_link() must be fixed. We should pass a new optional argument to the bug_link() and quoteURLs() filters which, if present, overrides the user object when validating permissions.
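A minimal Python model of the flaw described above and of the fix proposed in comment 1 (an added example, not Bugzilla's own Perl code; Bug, User, get_bug_link and dependency_line are constructed stand-ins for Bugzilla::Template::get_bug_link() and the HTML bugmail template, and the sample bug and users are invented). The optional `user` argument plays the role of the proposed override: the permission check runs against the mail recipient instead of the user who made the change.

```python
import html
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Bug:
    id: int
    status: str
    summary: str
    groups: frozenset = field(default_factory=frozenset)  # restricting groups; empty means public


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset = field(default_factory=frozenset)

    def can_see_bug(self, bug: Bug) -> bool:
        # A bug is visible when it is unrestricted or the user is in one of its groups.
        return not bug.groups or bool(bug.groups & self.groups)


def get_bug_link(bug: Bug, current_user: User, user: Optional[User] = None) -> str:
    """Linkify 'bug NNN'. The title carries the summary only if the checked user
    may see the bug; otherwise it is the status alone. `user`, when given,
    overrides `current_user` for the permission check (the proposed argument)."""
    viewer = user if user is not None else current_user
    title = f"{bug.status} - {bug.summary}" if viewer.can_see_bug(bug) else bug.status
    return f'<a href="show_bug.cgi?id={bug.id}" title="{html.escape(title)}">bug {bug.id}</a>'


def dependency_line(deps: List[Bug], changer: User, to_user: User, vulnerable: bool = False) -> str:
    """Render the 'Depends on' line of an HTML bugmail addressed to `to_user`.
    vulnerable=True reproduces the flaw: the check uses the changer (the
    'current user' while bugmail is built) instead of the recipient."""
    links = [get_bug_link(d, changer, user=None if vulnerable else to_user) for d in deps]
    return "Depends on: " + ", ".join(links)


# Constructed sample data (not real bugs or users).
SECRET_BUG = Bug(65477, "NEW", "Secret details of a restricted bug", frozenset({"security"}))
CHANGER = User("changer@example.test", frozenset({"security"}))  # may see the bug
RECIPIENT = User("recipient@example.test")                       # may not

if __name__ == "__main__":
    print(dependency_line([SECRET_BUG], CHANGER, RECIPIENT, vulnerable=True))  # leaks the summary
    print(dependency_line([SECRET_BUG], CHANGER, RECIPIENT))                   # title is just "NEW"
```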
Comment 2 Frédéric Buclin 2012-07-25 15:58:29 PDT
I know that Denis is going to upgrade Eclipse Bugzilla to 4.2.1 on Friday, so CC'ing him so that he knows what the problem is with HTML bugmails. The point is: either wait for Bugzilla 4.2.2, or disable HTML bugmails once the upgrade is done from

  Administration > Default Preferences > Preferred email format > Text Only + Enabled off

"Enable off" will prevent users from selecting HTML bugmails. They will be forced to get plain text emails only (as in Bugzilla 4.0 and older).
Comment 3 Daniel Veditz [:dveditz] 2012-07-25 15:59:19 PDT
Use CVE-2012-1968 for this bug.
Comment 4 Frédéric Buclin 2012-07-25 16:39:22 PDT
Taking! I'm on it.
Comment 5 Frédéric Buclin 2012-07-25 18:13:51 PDT
Created attachment 645982 [details] [diff] [review]
patch, v1

This patch applies to both trunk and 4.2.1. It also fixes bug 777586 as both bugs are closely related.
Comment 6 Byron Jones ‹:glob› 2012-07-25 20:57:32 PDT
Comment on attachment 645982 [details] [diff] [review]
patch, v1

r=glob on the condition that bug_list_link is fixed on commit

The bug_list_link filter must also accept an options parameter and pass it to get_bug_link. While it isn't used in Bugzilla's default bugmail template, it's possible for extensions or custom bugmail templates to use this filter.
Comment 7 Frédéric Buclin 2012-07-26 04:11:23 PDT
Created attachment 646081 [details] [diff] [review]
patch, v2

Also fixing bug_list_link(). Carrying forward glob's r+.
Comment 8 Frédéric Buclin 2012-07-26 14:05:15 PDT
Committing to: bzr+ssh://
modified Bugzilla/
modified Bugzilla/
modified template/en/default/email/bugmail.html.tmpl
Committed revision 8306.

Committing to: bzr+ssh://
modified Bugzilla/
modified Bugzilla/
modified template/en/default/email/bugmail.html.tmpl
Committed revision 8108.
Comment 9 Frédéric Buclin 2012-07-26 23:28:11 PDT
Security advisory sent.