Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 190112

Summary: www-apps/bugzilla XSS, Exposure of sensitive information, System Access (CVE-2007-4538,4539,4543)
Product: Gentoo Security Reporter: Matt Fleming (RETIRED) <mjf>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: devel
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/26584/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Matt Fleming (RETIRED) gentoo-dev 2007-08-24 22:58:38 UTC 
Some vulnerabilities and a security issue have been reported in
Bugzilla, which can be exploited by malicious users to inject shell
commands, and by malicious people to conduct cross-site scripting
attacks and to disclose potentially sensitive information.

1) Input passed to the "buildid" parameter when filing bugs using the
guided form is not properly sanitised before being returned to a user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

The vulnerability is reported in version 2.17.1 and later.

2) The "Email::Send::Sendmail()" function does not properly sanitise
Bugzilla's "from" email information which is later passed to the "-f"
parameter of sendmail. This can be exploited to inject shell commands
via a specially crafted "from" setting.

The vulnerability is reported in version 2.23.4 and later.

3) The XML-RPC interface of Bugzilla allows to disclose certain
time-tracking information without proper access to the time-tracking
fields.

The security issue is reported in version 2.23.3 and above.

SOLUTION:
Update to a fixed version.

Bugzilla 2.20.x users:
Update to version 2.20.5.

Bugzilla 2.22.x users:
Update to version 2.22.3.

Bugzilla 3.0 users:
Update to version 3.0.1.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-24 23:01:27 UTC 
Setting whiteboard status.
Comment 2 Mike Doty (RETIRED) gentoo-dev 2007-08-25 00:36:09 UTC 
infra has already verified our installation of bugzilla is unaffected by any of the exploits listed.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-08-26 07:14:57 UTC 
*** Bug 190267 has been marked as a duplicate of this bug. ***
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2007-09-03 07:24:57 UTC 
2.20.5, 2.22.3 and 3.0.1 have been added to the tree.

2.20.5 should be stabilized on

alpha amd64 ia64 ppc ppc64 sparc x86

(alternatively the arches can also stabilize the higher 2.22.3)

2.22.3 should be stabilized on

ia64 ppc64 sparc x86

Is there a specific reason to keep 2.18.6 in the tree? There is no update available for this branch and I guess users of this branch should then upgrade to 2.20.5.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-03 08:02:56 UTC 
(In reply to comment #4)
> 2.20.5, 2.22.3 and 3.0.1 have been added to the tree.
> 
> 2.20.5 should be stabilized on
> 
> alpha amd64 ia64 ppc ppc64 sparc x86
> 
> (alternatively the arches can also stabilize the higher 2.22.3)
> 
> 2.22.3 should be stabilized on
> 
> ia64 ppc64 sparc x86
> 
> Is there a specific reason to keep 2.18.6 in the tree? There is no update
> available for this branch and I guess users of this branch should then upgrade
> to 2.20.5.
> 

Thanks Gunnar. cc'ing arches for stabilization.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-09-03 08:07:56 UTC 
quick update, quick test, quick stabilization: ppc64 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-03 18:09:55 UTC 
ppc stable
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-04 06:55:02 UTC 
x86 stable
Comment 9 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-04 16:49:56 UTC 
Sparc stable (2.20.5 and 2.23)
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-09-04 18:24:36 UTC 
alpha/ia64 stable
Comment 11 Steve Dibb (RETIRED) gentoo-dev 2007-09-08 01:40:24 UTC 
amd64 stable
Comment 12 Gunnar Wrobel (RETIRED) gentoo-dev 2007-09-10 04:59:09 UTC 
Removed insecure versions. webapps done here.
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-09-26 23:20:27 UTC 
unsubbing our bugzilla alias, since bugs.g.o is not affected.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-09-30 22:04:39 UTC 
GLSA 200709-18