TITLE:
Bugzilla Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA22409

VERIFY ADVISORY:
http://secunia.com/advisories/22409/

CRITICAL:
Moderately critical

IMPACT:
Cross Site Scripting, Manipulation of data, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
Bugzilla 2.x
http://secunia.com/product/396/

DESCRIPTION:
Some vulnerabilities have been reported in Bugzilla, which can be exploited by malicious people or malicious users to disclose potentially sensitive information, conduct cross-site scripting, script insertion, and request forgery attacks.

1) Input passed to various fields and when embedded in <h1> and <h2> tags is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) An error when viewing attachments in "diff" mode allows users, who are not members of "insidergroup", to read the descriptions of all attachments. Additionally, when exporting bugs to the XML format, the "deadline" field is also visible for users, who are not members of the "timetrackinggroup" group. This can be exploited to gain knowledge of potentially sensitive information.

3) Bugzilla allows users to perform certain sensitive actions via HTTP GET and POST requests without verifying the user's request properly. This can be exploited to modify, delete, or create bugs.

4) Input passed to showdependencygraph.cgi is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

SOLUTION:
Update to version 2.18.6, 2.20.3, 2.22.1, or 2.23.3.

NOTE: Vulnerability #3 is fixed in versions 2.22.1 and 2.23.3 only.

PROVIDED AND/OR DISCOVERED BY:
1) Frédéric Buclin and Gervase Markham
2) Frédéric Buclin and Josh "timeless" Soref
3) Gavin Shelley
4) Max Kanat-Alexander

ORIGINAL ADVISORY:
http://www.bugzilla.org/security/2.18.5/
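As an added example (not part of the advisory or of this bug), a small Python check that encodes the advisory's fixed-version table per Bugzilla branch, including the note that vulnerability #3 remains open in 2.18.6 and 2.20.3; treating a branch the advisory does not list (such as 2.16.x) as fully affected is an assumption of the example, not advisory text.

```python
"""Branch-aware check of a Bugzilla 2.x version against SA22409.

Added example. The table below is taken from the advisory text; the
handling of branches not listed there is a conservative assumption.
"""
from typing import Tuple, Set

Version = Tuple[int, ...]

# branch -> (first fixed release on that branch, issues that release fixes).
# Per the advisory NOTE, issue #3 (request forgery) is fixed only in
# 2.22.1 and 2.23.3, so 2.18.6 and 2.20.3 still carry it.
FIXED = {
    (2, 18): ((2, 18, 6), {1, 2, 4}),
    (2, 20): ((2, 20, 3), {1, 2, 4}),
    (2, 22): ((2, 22, 1), {1, 2, 3, 4}),
    (2, 23): ((2, 23, 3), {1, 2, 3, 4}),
}
ALL_ISSUES: Set[int] = {1, 2, 3, 4}


def parse_version(text: str) -> Version:
    """Parse '2.18.6' or a Gentoo-style '2.18.6-r1' (revision ignored)."""
    base = text.strip().split("-", 1)[0]
    parts = base.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)


def open_issues(text: str) -> Set[int]:
    """Return the SA22409 issue numbers still present in the given version.

    A branch with no fixed release in the advisory is treated as fully
    affected (assumption: the advisory names no safe release for it).
    """
    v = parse_version(text)
    branch = v[:2]
    if branch not in FIXED:
        return set(ALL_ISSUES)
    first_fixed, fixed_issues = FIXED[branch]
    if v < first_fixed:
        return set(ALL_ISSUES)
    return ALL_ISSUES - fixed_issues


def needs_update(text: str) -> bool:
    """True if any advisory issue is still open in this version."""
    return bool(open_issues(text))
```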
Thanks Aarni. web-apps Cced :)
CC'ing Jeff for infra just in case you might be interested in this
in CVS
arches, please test bugzilla-2.18.6 and mark stable if possible
[ebuild N ] www-apps/bugzilla-2.18.6 USE="mysql -apache2 -vhosts" 1) emerges fine 2) passes collision test 3) seems to work (locally) Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
1. emerges on x86 2. passes collision test 3. works www-apps/bugzilla-2.18.6 USE="apache2 mysql -vhosts" Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
Stable on SPARC.
ppc stable
Stable on Alpha.
Stable on ia64.
ppc64 stable
Thanks guys for testing ^.^ x86 is gone
amd64 stable
I'd tend to vote a half-yes because bugzilla is an important application sometimes used with many users of different levels. Half only because it's "only" an XSS.
agree with falco here /me tends to vote a weak yes
need 2 full yes, sec team please vote
Another half-digested yes. Yawn. XSS is so lame.
I vote yes, only because it's bugzilla and implementations sometimes contain sensitive information.
so let's have a GLSA
this is GLSA 200611-04 thanks everyone