Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 712706 (CVE-2018-5123) - <www-apps/bugzilla-5.0.6: CSRF vulnerability via image generation in report.cgi (CVE-2018-5123)
Summary: <www-apps/bugzilla-5.0.6: CSRF vulnerability via image generation in report.c...
Status: RESOLVED FIXED
Alias: CVE-2018-5123
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.bugzilla.org/security/4.4...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-15 14:38 UTC by Sam James
Modified: 2020-08-15 06:01 UTC (History)
3 users (show)

See Also:
Package list:
www-apps/bugzilla-5.0.6
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 14:38:07 UTC 
>Class:       Cross-Site Request Forgery
>Versions:    Bugzilla 2.16rc1 to 4.4.12, 4.5.1 to 5.0.3
>Fixed In:    4.4.13, 5.0.4
>Description: Via the image generation in report.cgi, a malicious site
>             using the presence of certain images, could extract
>             potentially confidential information if the victim was
>             logged in and could access the bug.
>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1433400
>CVE Number:  CVE-2018-5123
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 00:47:53 UTC 
@maintainer(s): ping
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-02 22:26:01 UTC 
@maintainer(s): ping
Comment 4 Larry the Git Cow gentoo-dev 2020-08-01 20:43:32 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2fa70ce5190a8073fd697326a8495f2626326f2

commit f2fa70ce5190a8073fd697326a8495f2626326f2
Author:     David Denoncin <ddenoncin@gmail.com>
AuthorDate: 2020-07-18 15:58:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-01 20:27:37 +0000

    www-apps/bugzilla: vbump 5.0.6
    
    This new ebuild leaves dealing with mod_perl to experienced users. This
    change enables bumping the ebuild to EAPI 7.
    
    It also loses using use flags for optional runtime dependencies.
    
    Bug: https://bugs.gentoo.org/712706
    Closes: https://bugs.gentoo.org/332251
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: David Denoncin <ddenoncin@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/16125
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/bugzilla/Manifest                         |   1 +
 www-apps/bugzilla/bugzilla-5.0.6.ebuild            | 118 +++++++++++++++++++++
 .../bugzilla/files/bugzilla-5.0.6-leftbrace.patch  |  17 +++
 www-apps/bugzilla/files/bugzilla-5.0.6-perl.patch  |  17 +++
 .../bugzilla/files/bugzilla-5.0.6-template.patch   |  17 +++
 www-apps/bugzilla/files/postinstall-5.0.6-en.txt   |  30 ++++++
 www-apps/bugzilla/files/postinstall-en.txt         |   1 +
 www-apps/bugzilla/files/postupgrade-5.0.6-en.txt   |  10 ++
 8 files changed, 211 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-02 00:08:19 UTC 
Giving it a few days.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 04:38:11 UTC 
amd64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 05:49:35 UTC 
x86 done

all arches done
Comment 8 Larry the Git Cow gentoo-dev 2020-08-15 06:01:06 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7e5ee5f8f488c35a163dda0075df0ceb0e02a7b

commit e7e5ee5f8f488c35a163dda0075df0ceb0e02a7b
Author:     David Denoncin <ddenoncin@gmail.com>
AuthorDate: 2020-08-10 21:15:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-15 05:59:09 +0000

    www-apps/bugzilla: drop vulnerable old
    
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: David Denoncin <ddenoncin@gmail.com>
    Bug: https://bugs.gentoo.org/712706
    Closes: https://github.com/gentoo/gentoo/pull/17073
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/bugzilla/Manifest                         |   2 -
 www-apps/bugzilla/bugzilla-4.4.12-r2.ebuild        | 130 --------------------
 www-apps/bugzilla/bugzilla-5.0.3-r2.ebuild         | 134 ---------------------
 .../bugzilla/files/bugzilla-5.0.3-leftbrace.patch  |  26 ----
 www-apps/bugzilla/files/bugzilla-queue.confd       |   4 -
 www-apps/bugzilla/files/bugzilla.cron.daily        |   5 -
 www-apps/bugzilla/files/bugzilla.cron.tab          |   1 -
 www-apps/bugzilla/files/postinstall-en.txt         |  14 ---
 www-apps/bugzilla/files/reconfig                   |  19 ---
 www-apps/bugzilla/metadata.xml                     |   4 -
 10 files changed, 339 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 06:01:43 UTC 
GLSA vote: no.

Tree is clean. Closing.