When a user who can see a private attachment (i.e. a member of the insidergroup) mentions a private attachment in a public comment, then all users who can see the public comment can also see the description of the private attachment despite they are not allowed to view this attachment (note that this attachment is not listed in the attachments table for that reason, unless you are a member of the insidergroup). The reason is that get_attachment_link() only checks if the bug itself is public or not to decide if the attachment description can be seen by the user or not, despite you can have private attachments on public bugs. This problem exists since attachment IDs are linkified in comments, i.e since Bugzilla 2.17.5, see bug 153583. I will probably fix this bug in the same patch as bug 777398.
Created attachment 645985 [details] [diff] [review] patch for 3.6 and 4.0, v1 For 4.2 and trunk, the patch from bug 777398 already fixes this problem. So this patch is for older branches only.
Comment on attachment 645985 [details] [diff] [review] patch for 3.6 and 4.0, v1 r=glob by inspection
use CVE-2012-1969 for this vulnerability
Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/4.0/ modified Bugzilla/Template.pm Committed revision 7714. Committing to: bzr+ssh://email@example.com/bugzilla/3.6/ modified Bugzilla/Template.pm Committed revision 7291.
Security advisory sent.