Bug 777586 (CVE-2012-1969)

[SECURITY] The description of private attachments is still visible to unauthorized users when mentioned in a comment

RESOLVED FIXED in Bugzilla 3.6

Status

()

Bugzilla
Attachments & Requests
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

2.17.5
Bugzilla 3.6
Dependency tree / graph
Bug Flags:
blocking4.4 +
blocking4.2.2 +
approval4.0 +
blocking4.0.7 +
approval3.6 +
blocking3.6.10 +

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
When a user who can see a private attachment (i.e. a member of the insidergroup) mentions a private attachment in a public comment, then all users who can see the public comment can also see the description of the private attachment despite they are not allowed to view this attachment (note that this attachment is not listed in the attachments table for that reason, unless you are a member of the insidergroup). The reason is that get_attachment_link() only checks if the bug itself is public or not to decide if the attachment description can be seen by the user or not, despite you can have private attachments on public bugs.

This problem exists since attachment IDs are linkified in comments, i.e since Bugzilla 2.17.5, see bug 153583.

I will probably fix this bug in the same patch as bug 777398.
Flags: blocking4.4+
Flags: blocking4.2.2+
Flags: blocking4.0.7+
Flags: blocking3.6.10+
(Assignee)

Comment 1

5 years ago
Created attachment 645985 [details] [diff] [review]
patch for 3.6 and 4.0, v1

For 4.2 and trunk, the patch from bug 777398 already fixes this problem. So this patch is for older branches only.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #645985 - Flags: review?(glob)
Comment on attachment 645985 [details] [diff] [review]
patch for 3.6 and 4.0, v1

r=glob by inspection
Attachment #645985 - Flags: review?(glob) → review+
(Assignee)

Updated

5 years ago
Flags: approval4.0?
Flags: approval3.6?
use CVE-2012-1969 for this vulnerability
Alias: CVE-2012-1969
(Assignee)

Updated

5 years ago
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
(Assignee)

Updated

5 years ago
Summary: The description of private attachments is still visible to unauthorized users when mentioned in a comment → [SECURITY] The description of private attachments is still visible to unauthorized users when mentioned in a comment
(Assignee)

Comment 4

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Template.pm
Committed revision 7714.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Template.pm
Committed revision 7291.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 5

5 years ago
Security advisory sent.
Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.