what you don't know can hurt you

bugzilla-10242004.txt

bugzilla-10242004.txt
Posted Oct 27, 2004
Authored by Michael Whitfield, Joel Peshkin, Casey Klein, Myk Melez | Site bugzilla.org

This advisory covers three security bugs that have recently been discovered and fixed in the Bugzilla code: In the stable 2.16 releases, it is possible to make a specific change to a bug without permissions; and in the 2.18 release candidate, there are information leaks with private attachments and comments.

tags | advisory
MD5 | 2e5a731eb9eaa9fa2ac202c2003bf01c

bugzilla-10242004.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Bugzilla Security Advisory
October 24, 2004

Summary
=======

Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers three security bugs that have recently been
discovered and fixed in the Bugzilla code: In the stable 2.16 releases,
it is possible to make a specific change to a bug without permissions;
and in the 2.18 release candidate, there are information leaks with
private attachments and comments. We are not aware of any occasions
where any of these vulnerabilities have been exploited.

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.7, or to the current 2.18 release candidates,
2.18rc3, which were released today.

Development snapshots and version 2.18 release candidates prior to
version 2.18rc3 are also affected, so if you are using a development
snapshot or 2.18 release candidate, you should obtain a newer one
(2.18rc3) or use CVS to update.


Vulnerability Details
=====================

Issue 1
- -------
Class: Unauthorized Bug Change
Versions: 2.9 through 2.18rc2 and 2.19(from cvs)
Description: It is possible to send a carefully crafted HTTP POST
~ message to process_bug.cgi which will remove keywords from
~ a bug even if you don't have permissions to edit all bug
~ fields (the "editbugs" permission). Such changes are
~ reported in "bug changed" email notifications, so they are
~ easily detected and reversed if someone abuses it.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=252638

Issue 2
- -------
Class: Information Leak
Versions: 2.17.1 through 2.18rc2 and 2.19(from cvs) (2.16-based
~ releases and earlier are not affected)
Description: Exporting a bug to XML exposes user comments and attachment
~ summaries which are marked as private to users who are not
~ members of the group allowed to see private comments and
~ attachments. XML export is not exposed in the user
~ interface, but is available to anyone who knows the correct
~ URL to invoke it. This only affects sites that use the
~ 'insidergroup' feature.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=263780

Issue 3
- -------
Class: Information Leak
Versions: 2.17.1 through 2.18rc2 and 2.19(from cvs) (2.16-based
~ releases and earlier are not affected)
Description: Changes to the metadata (filename, description, mime type,
~ review flags) on attachments which were flagged as private
~ get displayed to users who are not members of the group
~ allowed to see private attachments when viewing the bug
~ activity log and when receiving bug change notification
~ mails. This only affects sites that use the 'insidergroup'
~ feature.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=250605
~ https://bugzilla.mozilla.org/show_bug.cgi?id=253544


Vulnerability Solutions
=======================

The fixes for all of the security bugs mentioned in this advisory are
included in the 2.16.7 and 2.18rc3 releases, and in the 2.19.1
development snapshot. Upgrading to these releases will protect
installations from possible exploits of these issues.

Full release downloads, patches to upgrade Bugzilla to 2.16.7 from
previous 2.16.x versions, and CVS upgrade instructions are available at:
~ http://www.bugzilla.org/download/

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:

Michael Whitfield
Joel Peshkin
Casey Klein
Myk Melez


General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/support/ has directions for
accessing these forums.

- -30-

- --
Dave Miller Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/









-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBfN6/0YeDAOcbS44RAvirAJ99cbiFQj9uuF3XjZWRHqQMZDlebgCghu7D
htGWOrR2hzC2mh52Z2iXjwU=
=IYxd
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close