Bug 239564 (CVE-2008-4437) - www-apps/bugzilla <2.22.5, 3.0.5 importxml.pl Directory traversal (CVE-2008-4437)
Summary: www-apps/bugzilla <2.22.5, 3.0.5 importxml.pl Directory traversal (CVE-2008-4...
Status: RESOLVED FIXED
Alias: CVE-2008-4437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: High minor (vote)
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/2.22.4/
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 237842 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-10-04 16:51 UTC by Stefan Behte (RETIRED)
Modified: 2010-06-04 05:17 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 16:51:44 UTC
CVE-2008-4437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4437):
  Directory traversal vulnerability in importxml.pl in Bugzilla before
  2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows
  remote attackers to read arbitrary files via an XML file with a ..
  (dot dot) in the data element.
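The defect described above is that a filename taken from the import's data element is joined onto the --attach_path directory without checking where the joined path resolves. The following added Python example (not Bugzilla's own code; the <data encoding="filename"> element layout, the attachment directory path and the sample import are assumptions) shows the canonicalisation check a defender wants: resolve the joined path and require that it stays strictly inside the attachment directory.

```python
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample import: one benign attachment and one whose data element
# carries a dot-dot path, the pattern described in CVE-2008-4437.
SAMPLE_XML = b"""<bugzilla>
  <bug>
    <attachment>
      <filename>patch.diff</filename>
      <data encoding="filename">patch.diff</data>
    </attachment>
    <attachment>
      <filename>notes.txt</filename>
      <data encoding="filename">../../etc/passwd</data>
    </attachment>
  </bug>
</bugzilla>
"""


def resolve_attachment_path(attach_path: str, name: str) -> Optional[str]:
    """Return the canonical path of `name` inside `attach_path`, or None if it escapes.

    Rejects empty names, NUL bytes and absolute paths up front, then canonicalises
    the joined path and checks that it lies strictly below the attachment directory.
    """
    base = os.path.realpath(attach_path)
    if not name or "\0" in name or os.path.isabs(name):
        return None
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: "/srv/attach2" must not count as inside "/srv/attach".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def triage_import(xml_bytes: bytes, attach_path: str) -> dict:
    """Split the filenames referenced by an import into accepted and rejected lists."""
    root = ET.fromstring(xml_bytes)
    result = {"accepted": [], "rejected": []}
    for data in root.iter("data"):
        if data.get("encoding") != "filename":
            continue  # inline (e.g. base64) data never names a file on disk
        name = (data.text or "").strip()
        bucket = "accepted" if resolve_attachment_path(attach_path, name) else "rejected"
        result[bucket].append(name)
    return result
```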
Comment 1 Azamat H. Hackimov 2008-10-05 12:00:36 UTC
See #237842
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-05 12:15:24 UTC
I missed your bug, because it was not filed in the "Gentoo Security" product.
Security will watch over this one, please mark your bug as duplicate (I don't have the rights to do that).
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-05 12:30:59 UTC
*** Bug 237842 has been marked as a duplicate of this bug. ***
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-11 19:44:47 UTC
Added bugzilla-2.22.5, -3.0.5.

Targets:

bugzilla-2.22.5: amd64 ia64 ppc ppc64 sparc x86

bugzilla-3.0.5:  alpha amd64 ia64 ppc ppc64 sparc x86
Comment 5 Markus Meier gentoo-dev 2008-10-12 15:13:24 UTC
amd64/x86 stable
Comment 6 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-12 15:35:40 UTC
sparc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-10-13 09:28:14 UTC
alpha/ia64 stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-10-14 08:19:23 UTC
ppc/ppc64 stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-16 18:50:13 UTC
Ready for vote, I vote YES.
Comment 10 Oleh Kravchenko 2008-10-17 08:13:07 UTC
www-apps/bugzilla-3.0.5

Creates report image files with an invalid mask :(

-rw------- 1 oleg oleg 6,7K Окт 16 13:13 -All-_NEW_ASSIGNED_REOPENED_UNCONFIRMED_RESOLVED_VERIFIED_CLOSED_FIXED_INVALID_WONTFIX_DUPLICATE_WORKSFORME_MOVED.png
Comment 11 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-30 15:10:59 UTC
Removed vulnerable versions. webapps done.

@oleg: Sorry, I don't understand the comment you made. If this is a relevant bug report please open another issue and assign it to webapps.
Comment 12 Oleh Kravchenko 2008-11-04 07:59:02 UTC
(In reply to comment #11)
> Removed vulnerable versions. webapps done.
> 
> @oleg: Sorry, I don't understand the comment you made. If this is a relevant
> bug report please open another issue and assign it to webapps.
> 

Okay ;) I'll try to comment:

When I try to view a graphical report in Bugzilla, no image is shown.
But the report image does exist, with an invalid access mode:
-rw------- 1 oleg oleg 6,7K Окт 16 13:13 -All-_NEW_ASSIGNED_REOPENED_UNCONFIRMED_RESOLVED_VERIFIED_CLOSED_FIXED_INVALID_WONTFIX_DUPLICATE_WORKSFORME_MOVED.png

Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-01-11 17:44:14 UTC
@Oleg: please file a new bug in case of an applicative bug independent from the current security bug.

I vote yes too. Filing GLSA request.

I re-rate the bug to B4. I consider that this directory traversal vulnerability only implies an information leak.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 18:16:21 UTC
But B4 does not require a GLSA.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-03-23 16:51:02 UTC
Rerating B3.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2009-10-10 16:03:11 UTC
Seems like we have a draft ready to send on this one.
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 07:34:51 UTC
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:17:28 UTC
GLSA 201006-19