Closed Bug 808845 (CVE-2012-5475) Opened 12 years ago Closed 12 years ago

[SECURITY] Security vulnerability in YUI's swfstore.swf in YUI 2.8.2 and 2.9.0

Categories

(Bugzilla :: Bugzilla-General, defect)

3.7.1
defect
Not set
critical

Tracking

RESOLVED FIXED
Bugzilla 4.0

People

(Reporter: LpSolit, Assigned: LpSolit)

Attachments

(2 files, 1 obsolete file)

Bugzilla 3.6 has no SWF files in js/yui/ and so is not affected by the vulnerability described here. Bugzilla 4.0 and newer all have:

md5sum ./swfstore/swfstore.swf 8526b66bd23fe8cebfa3426ad9c74ff0

This is the md5sum of swfstore.swf being released with YUI 2.8.0 - 2.8.2 (bug 606618). Per http://yuilibrary.com/support/20121030-vulnerability/, this SWF file is affected.

Bugzilla 4.2 and newer were supposed to be fully upgraded to YUI 2.9.0 (bug 649879) which is not affected by this issue, and which has the following checksum:

md5sum ./swfstore/swfstore.swf 844a3718c5f8c04ece6a86065a658a07

But this file has not been included in the list of updated files in bug 649879, and so we are still storing the file from YUI 2.8.x instead of the new one from YUI 2.9.0. Consequently, we are vulnerable to CVE-2012-5475. :(

Attached is the patched swfstore.swf file for YUI 2.8.2 (Bugzilla 4.0):

md5sum swfstore.swf 0114ab8c878ac4e48fd110f32164258b
Flags: blocking4.4+
Flags: blocking4.2.4+
Flags: blocking4.0.9+
And here is the SWF file for YUI 2.9.0 which was originally supposed to be uploaded in bug 649879 (Bugzilla 4.2 and newer).
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?
(In reply to Frédéric Buclin from comment #0)
> Bugzilla 4.2 and newer were supposed to be fully upgraded to YUI
> 2.9.0 (bug 649879) which is not affected by this issue, and which has the
> following checksum:
>
> md5sum ./swfstore/swfstore.swf 844a3718c5f8c04ece6a86065a658a07

Is that true? The updated announcement says 2.9.0 and that checksum are vulnerable according to their table, and says the 2.9.0 patch is "Coming Soon"
http://yuilibrary.com/support/20121030-vulnerability/#dropins

> Attached is the patched swfstore.swf file for YUI 2.8.2 (Bugzilla 4.0):
>
> md5sum swfstore.swf 0114ab8c878ac4e48fd110f32164258b

That is the checksum listed as the fix for the 2.8.2 version, don't know why that isn't also the fix for the 2.9.0 version.
What do we use those for, I don't think I've ever run across flash on BMO. If we don't use it can we simply delete it? Do we have the affected charts.swf and/or uploader.swf as well?
(In reply to Daniel Veditz [:dveditz] from comment #3)
> What do we use those for, I don't think I've ever run across flash on BMO.
> If we don't use it can we simply delete it?

no, because it's possible for extensions to use this file.

> Do we have the affected charts.swf and/or uploader.swf as well?

no.
(In reply to Byron Jones ‹:glob› from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #3)
> > What do we use those for, I don't think I've ever run across flash on BMO.
> > If we don't use it can we simply delete it?
>
> no, because it's possible for extensions to use this file.

Just because extensions may use it doesn't mean we need it on BMO. We should remove it, as it's already been the cause of security problems before.
(In reply to Reed Loden [:reed] from comment #5)
> Just because extensions may use it doesn't mean we need it on BMO. We should
> remove it, as it's already been the cause of security problems before.

this bug isn't about bmo.

what are thoughts on updating the .swf, but also adding an explicit entry to .htaccess to block all of yui's .swf files? sites which have installed an extension can remove the block, while other sites gain protection against any further issues.
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is that true? The updated announcement says 2.9.0 and that checksum are
> vulnerable according to their table, and says the 2.9.0 patch is "Coming
> Soon"

That was true when I wrote that comment. Meanwhile, I emailed the YUI team to notify them that they said that swfstore.swf was only vulnerable in YUI 2.8.0 and 2.8.1, but not in 2.8.2. But YUI 2.8.2 has the same file as previous 2.8.x releases. So they investigated, and they replied that 2.8.2 and 2.9.0 were indeed also affected. So the support page has been updated during the night, after I posted my comment. So we will indeed also need a patched SWF file for 2.9.0. I will attach it here once it's available.

(In reply to Byron Jones ‹:glob› from comment #4)
> > If we don't use it can we simply delete it?
>
> no, because it's possible for extensions to use this file.

I think that was a bad decision, but it seems I was the only one to complain when these SWF files have been added to the bugzilla repo. There is no reason to only include two of the four SWF files from YUI. I think there is no rationale behind this. Also, we usually never include stuff which we don't use in the core code, but these two SWF files have been added anyway. AFAIK, YUI3 no longer uses these SWF files, so this is another good reason to leave YUI2 asap.
Here is the patched swfstore.swf file for YUI 2.9.0: md5sum swfstore-290.swf 42af62409ff28a1880f5e77697af5b2e
Attachment #678541 - Attachment is obsolete: true
Summary: [SECURITY] Security vulnerability in YUI's swfstore.swf in YUI 2.8.2 → [SECURITY] Security vulnerability in YUI's swfstore.swf in YUI 2.8.2 and 2.9.0
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified js/yui/swfstore/swfstore.swf
Committed revision 8469.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified js/yui/swfstore/swfstore.swf
Committed revision 8454.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified js/yui/swfstore/swfstore.swf
Committed revision 8168.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified js/yui/swfstore/swfstore.swf
Committed revision 7734.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Depends on: 572949
Version: 4.0.8 → 3.7.1
Security advisory sent. Removing the security flag.
Group: bugzilla-security
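
An added example, not part of this bug or of Bugzilla's code: a shell audit that finds every swfstore.swf under an installation and classifies it by the four MD5 values quoted in the comments above. The function names, output format and example path are assumptions; both original files are treated as vulnerable, following the reporter's later reply that 2.8.2 and 2.9.0 are also affected.

```shell
#!/bin/sh
# Added example: audit swfstore.swf copies against the MD5 values quoted in bug 808845.
# Function names and the output format are assumptions made for this example.

# classify_swf_md5 MD5 -> prints "<verdict> <label>" for one checksum.
classify_swf_md5() {
    case "$1" in
        8526b66bd23fe8cebfa3426ad9c74ff0) echo "VULNERABLE yui-2.8.x-original" ;;
        844a3718c5f8c04ece6a86065a658a07) echo "VULNERABLE yui-2.9.0-original" ;;
        0114ab8c878ac4e48fd110f32164258b) echo "PATCHED yui-2.8.2" ;;
        42af62409ff28a1880f5e77697af5b2e) echo "PATCHED yui-2.9.0" ;;
        *) echo "UNKNOWN not-listed-in-bug" ;;
    esac
}

# audit_swfstore DIR -> one report line per swfstore.swf under DIR.
# Returns 0 if every copy is a patched build (or none exists), 1 otherwise.
audit_swfstore() {
    rc=0
    tmp=$(mktemp) || return 2
    find "$1" -type f -name 'swfstore.swf' > "$tmp"
    while IFS= read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        verdict=$(classify_swf_md5 "$sum")
        echo "$verdict $sum $f"
        case "$verdict" in
            PATCHED*) ;;
            *) rc=1 ;;   # vulnerable, or a file this bug gives no checksum for
        esac
    done < "$tmp"
    rm -f "$tmp"
    return "$rc"
}

# Run against a checkout when a directory is given,
# e.g. ./audit.sh /var/www/bugzilla (hypothetical path).
if [ -n "${1:-}" ]; then
    audit_swfstore "$1"
fi
```

An UNKNOWN result means the file matches none of the checksums in this bug, so it needs a manual check against the YUI advisory linked above.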