Bug 239564 (CVE-2008-4437)

Summary:	www-apps/bugzilla <2.22.5, 3.0.5 importxml.pl Directory traversal (CVE-2008-4437)
Product:	Gentoo Security	Reporter:	Stefan Behte (RETIRED) <craig>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	dany_it, oleg
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.bugzilla.org/security/2.22.4/
Whiteboard:	B3 [glsa]
Package list:		Runtime testing required:	---

Description Stefan Behte (RETIRED) gentoo-dev

2008-10-04 16:51:44 UTC

CVE-2008-4437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4437):
  Directory traversal vulnerability in importxml.pl in Bugzilla before
  2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows
  remote attackers to read arbitrary files via an XML file with a ..
  (dot dot) in the data element.

Comment 1 Azamat H. Hackimov 2008-10-05 12:00:36 UTC

See #237842

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2008-10-05 12:15:24 UTC

I missed your bug, because it was not filed in the "Gentoo Security" product.
Security will watch over this one, please mark your bug as duplicate (I don't have the rights to do that).

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2008-10-05 12:30:59 UTC

*** Bug 237842 has been marked as a duplicate of this bug. ***

Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev

2008-10-11 19:44:47 UTC

Added bugzilla-2.22.5, -3.0.5.

Targets:

bugzilla-2.22.5: amd64 ia64 ppc ppc64 sparc x86

bugzilla-3.0.5:  alpha amd64 ia64 ppc ppc64 sparc x86

Comment 5 Markus Meier gentoo-dev

2008-10-12 15:13:24 UTC

amd64/x86 stable

Comment 6 Friedrich Oslage (RETIRED) gentoo-dev

2008-10-12 15:35:40 UTC

sparc stable

Comment 7 Raúl Porcel (RETIRED) gentoo-dev

2008-10-13 09:28:14 UTC

alpha/ia64 stable

Comment 8 Markus Rothe (RETIRED) gentoo-dev

2008-10-14 08:19:23 UTC

ppc/ppc64 stable

Comment 9 Tobias Heinlein (RETIRED) gentoo-dev

2008-10-16 18:50:13 UTC

Ready for vote, I vote YES.

Comment 10 Oleh Kravchenko 2008-10-17 08:13:07 UTC

www-apps/bugzilla-3.0.5

Create file reports with invalid mask :(

-rw------- 1 oleg oleg 6,7K Окт 16 13:13 -All-_NEW_ASSIGNED_REOPENED_UNCONFIRMED_RESOLVED_VERIFIED_CLOSED_FIXED_INVALID_WONTFIX_DUPLICATE_WORKSFORME_MOVED.png

Comment 11 Gunnar Wrobel (RETIRED) gentoo-dev

2008-10-30 15:10:59 UTC

Removed vulnerable versions. webapps done.

@oleg: Sorry, I don't understand the comment you made. If this is a relevant bug report please open another issue and assign it to webapps.

Comment 12 Oleh Kravchenko 2008-11-04 07:59:02 UTC

(In reply to comment #11)
> Removed vulnerable versions. webapps done.
> 
> @oleg: Sorry, I don't understand the comment you made. If this is a relevant
> bug report please open another issue and assign it to webapps.
> 

Okey ;) I am try to comment:

When I try view graphic report in bugzilla, no image see.
But image report is exist with invalid access mode:
-rw------- 1 oleg oleg 6,7K Окт 16 13:13
-All-_NEW_ASSIGNED_REOPENED_UNCONFIRMED_RESOLVED_VERIFIED_CLOSED_FIXED_INVALID_WONTFIX_DUPLICATE_WORKSFORME_MOVED.png

Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2009-01-11 17:44:14 UTC

@Oleg: please file a new bug in case of an applicative bug independent from the current security bug.

I vote yes too. Filling GLSA request.

I re-rate the bug to B4. I consider that this directory traversal vulnerability only implies information leak.

Comment 14 Stefan Behte (RETIRED) gentoo-dev

2009-01-11 18:16:21 UTC

But B4 does not require a GLSA.

Comment 15 Robert Buchholz (RETIRED) gentoo-dev

2009-03-23 16:51:02 UTC

rerating b3

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2009-10-10 16:03:11 UTC

Seems like we have a draft ready to send on this one.

Comment 17 Alex Legler (RETIRED) archtester

2010-05-31 07:34:51 UTC

GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.

Comment 18 Alex Legler (RETIRED) archtester

2010-06-04 05:17:28 UTC

GLSA 201006-19