When a user who can see a private attachment (i.e. a member of the insidergroup) mentions a private attachment in a public comment, then all users who can see the public comment can also see the description of the private attachment despite they are not allowed to view this attachment (note that this attachment is not listed in the attachments table for that reason, unless you are a member of the insidergroup). The reason is that get_attachment_link() only checks if the bug itself is public or not to decide if the attachment description can be seen by the user or not, despite you can have private attachments on public bugs. This problem exists since attachment IDs are linkified in comments, i.e since Bugzilla 2.17.5, see bug 153583. I will probably fix this bug in the same patch as bug 777398.
Created attachment 645985 [details] [diff] [review] patch for 3.6 and 4.0, v1 For 4.2 and trunk, the patch from bug 777398 already fixes this problem. So this patch is for older branches only.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #645985 - Flags: review?(glob)
Comment on attachment 645985 [details] [diff] [review] patch for 3.6 and 4.0, v1 r=glob by inspection
Attachment #645985 - Flags: review?(glob) → review+
use CVE-2012-1969 for this vulnerability
Summary: The description of private attachments is still visible to unauthorized users when mentioned in a comment → [SECURITY] The description of private attachments is still visible to unauthorized users when mentioned in a comment
Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/4.0/ modified Bugzilla/Template.pm Committed revision 7714. Committing to: bzr+ssh://email@example.com/bugzilla/3.6/ modified Bugzilla/Template.pm Committed revision 7291.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Security advisory sent.
You need to log in before you can comment on or make changes to this bug.