Bug 802204 (CVE-2012-4197)

[SECURITY] Marking an attachment you cannot see as obsolete can disclose its description

RESOLVED FIXED in Bugzilla 3.6

Status


Bugzilla
Attachments & Requests
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

2.16
Bugzilla 3.6
Dependency tree / graph
Bug Flags:
approval +
approval4.4 +
blocking4.4 +
approval4.2 +
blocking4.2.4 +
approval4.0 +
blocking4.0.9 +
approval3.6 +
blocking3.6.12 +

Details

Attachments

(2 attachments)

(Assignee)

Description

5 years ago
If an attachment is in a bug you cannot see but for some reason you know its ID (e.g. because bugbot reports the attachment ID on IRC when someone requests/grants/denies review), it's trivial to get its description even though you cannot access the attachment or the bug:

Imagine you can access the public bug 3 and the attachment 1 [details] [diff] [review] is in the private bug 4. All you have to do is type this URL in your web browser (with a valid token, but you can extract it from the HTML form):

 attachment.cgi?action=insert&bugid=3&obsolete=1&token=XXXXXXX

Bugzilla will detect the mismatch and throw:

"Attachment 1 [details] [diff] (patch to fix the vulnerability in Foo.cpp when doing action X) is attached to bug 4, but you tried to flag it as obsolete while creating a new attachment to bug 3."

The error message disclosed the description of the attachment, even though you cannot access it!

This vulnerability has existed since Bugzilla 2.16, see bug 98602!
Flags: blocking4.4+
Flags: blocking4.2.4+
Flags: blocking4.0.9+
Flags: blocking3.6.12+
(Assignee)

Comment 1

5 years ago
Note that if the attachment is private, the description is not disclosed. If you don't have editbugs privs, the description is also not disclosed. But it's pretty common to have editbugs privs (e.g. on bmo), and attachments in private bugs are usually not marked private themselves, so this is exploitable.
(Assignee)

Comment 2

5 years ago
Created attachment 671907 [details] [diff] [review]
patch for 4.2 and older, v1

This patch applies cleanly to all supported branches.
Attachment #671907 - Flags: review?(gerv)
Comment on attachment 671907 [details] [diff] [review]
patch for 4.2 and older, v1

r=gerv. However, I continue to maintain that we should be doing security checks inside objects, and objects should never provide information that the requesting user is not permitted to see. Our internal APIs should be security-safe by default.

Gerv
Attachment #671907 - Flags: review?(gerv) → review+
(Assignee)

Updated

5 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
(Assignee)

Updated

5 years ago
Blocks: 805640
Alias: CVE-2012-4197
(Assignee)

Comment 4

4 years ago
Created attachment 680680 [details] [diff] [review]
patch for 4.4 and trunk, v1

Unbitrotten patch for 4.4 and trunk due to the checkin of bug 676844. The change in the error message has already been committed as part of bug 676844.
Attachment #680680 - Flags: review+
(Assignee)

Updated

4 years ago
Attachment #671907 - Attachment description: patch, v1 → patch for 4.2 and older, v1
(Assignee)

Updated

4 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
(Assignee)

Comment 5

4 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Attachment.pm
Committed revision 8467.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified Bugzilla/Attachment.pm
Committed revision 8452.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 8166.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7732.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7306.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Assignee)

Comment 6

4 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security