Bug 777586 - (CVE-2012-1969) [SECURITY] The description of private attachments is still visible to unauthorized users when mentioned in a comment
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 2.17.5
Platform: All All
Importance: -- normal
Target Milestone: Bugzilla 3.6
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on: 153583
Blocks: 777558

Reported: 2012-07-25 17:33 PDT by Frédéric Buclin
Modified: 2012-07-26 23:28 PDT
LpSolit: blocking4.4+
LpSolit: blocking4.2.2+
LpSolit: approval4.0+
LpSolit: blocking4.0.7+
LpSolit: approval3.6+
LpSolit: blocking3.6.10+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch for 3.6 and 4.0, v1 (726 bytes, patch)
2012-07-25 18:25 PDT, Frédéric Buclin
glob: review+

Description Frédéric Buclin 2012-07-25 17:33:17 PDT
When a user who can see a private attachment (i.e. a member of the insidergroup) mentions a private attachment in a public comment, then all users who can see the public comment can also see the description of the private attachment even though they are not allowed to view this attachment (note that this attachment is not listed in the attachments table for that reason, unless you are a member of the insidergroup). The reason is that get_attachment_link() only checks if the bug itself is public or not to decide if the attachment description can be seen by the user or not, even though you can have private attachments on public bugs.

This problem has existed since attachment IDs were linkified in comments, i.e. since Bugzilla 2.17.5, see bug 153583.

I will probably fix this bug in the same patch as bug 777398.
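
The check described in the report, as an added example that is not part of the original report and is not Bugzilla's code: a self-contained Perl model of a bug-only visibility check beside one that also checks the attachment's private flag. The data, the helper names (`can_see_bug`, `title_bug_check_only`, `title_with_attachment_check`, `linkify`), the field names and the use of the link's `title` attribute for the description are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample data: a public bug with one private and one public attachment.
# Descriptions contain no HTML metacharacters, so no escaping is shown here.
my %bugs        = (100 => { public => 1 });
my %attachments = (
    7 => { bug_id => 100, isprivate => 1, description => 'customer crash dump' },
    8 => { bug_id => 100, isprivate => 0, description => 'proposed fix' },
);
my %users = (insider => { is_insider => 1 }, outsider => { is_insider => 0 });

# Hypothetical stand-in for the bug-level visibility check.
sub can_see_bug {
    my ($user, $bug_id) = @_;
    return $bugs{$bug_id}{public} || $user->{is_insider};
}
# Behaviour described in the report: only the bug's visibility is consulted.
sub title_bug_check_only {
    my ($user, $att) = @_;
    return can_see_bug($user, $att->{bug_id}) ? $att->{description} : '';
}
# Hardened form: the attachment's own private flag is checked as well.
sub title_with_attachment_check {
    my ($user, $att) = @_;
    return '' unless can_see_bug($user, $att->{bug_id});
    return '' if $att->{isprivate} && !$user->{is_insider};
    return $att->{description};
}
# Turn "attachment N" in a comment into a link; $title_for decides the title text.
sub linkify {
    my ($comment, $user, $title_for) = @_;
    $comment =~ s{\battachment\s+(\d+)}{
        my $id  = $1;
        my $att = $attachments{$id};
        $att ? sprintf('<a href="attachment.cgi?id=%d" title="%s">attachment %d</a>',
                       $id, $title_for->($user, $att), $id)
             : "attachment $id";
    }ge;
    return $comment;
}

my %checks = ('bug check only'        => \&title_bug_check_only,
              'with attachment check' => \&title_with_attachment_check);
for my $name (sort keys %users) {
    for my $check (sort keys %checks) {
        printf "%-8s | %-21s | %s\n", $name, $check,
            linkify('See attachment 7 and attachment 8.', $users{$name}, $checks{$check});
    }
}
```

With the bug-only check, the outsider's rendering of the comment carries the private attachment's description in the link title; with the attachment check, that title is empty while the public attachment's description is still shown.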
Comment 1 Frédéric Buclin 2012-07-25 18:25:55 PDT
Created attachment 645985
patch for 3.6 and 4.0, v1

For 4.2 and trunk, the patch from bug 777398 already fixes this problem. So this patch is for older branches only.
Comment 2 Byron Jones ‹:glob› [PTO until 2016-10-10] 2012-07-25 20:59:28 PDT
Comment on attachment 645985
patch for 3.6 and 4.0, v1

r=glob by inspection
Comment 3 Daniel Veditz [:dveditz] 2012-07-26 08:37:40 PDT
use CVE-2012-1969 for this vulnerability
Comment 4 Frédéric Buclin 2012-07-26 14:10:24 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Template.pm
Committed revision 7714.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Template.pm
Committed revision 7291.
Comment 5 Frédéric Buclin 2012-07-26 23:28:22 PDT
Security advisory sent.
