From ${URL} :

Wednesday Jan 21st, 2015

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla:

* A user with editcomponents permissions could possibly inject system commands in product names and possibly other attributes.
* Methods from imported modules could possibly be executed using the WebService API.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details
=====================

Class:       Command Injection
Versions:    All versions before 4.0.16, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6
Fixed In:    4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Some code in Bugzilla does not properly use the 3-argument form of open(), and it is possible for an account with editcomponents permissions to inject commands into product names and other attributes.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
CVE Number:  CVE-2014-8630

Class:       Information Leak
Versions:    2.23.3 to 4.0.15, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6
Fixed In:    4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Using the WebServices API, a user can possibly execute imported functions from other non-WebService modules. A whitelist has now been added that lists explicit methods that can be executed via the API.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1090275

Vulnerability Solutions
=======================

The fixes for these issues are included in the 4.0.16, 4.2.12, 4.4.7, and 5.0rc1 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
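The second issue in the advisory (imported functions reachable through the WebService API, fixed by an explicit method whitelist), as an added illustration that is not Bugzilla's code: a hypothetical API package that imports a helper from another module, a dispatcher that resolves method names with can() and therefore also reaches the imported helper and the UNIVERSAL methods, and the allowlisted dispatcher the fix amounts to. The package names, the run_shell helper and the %ALLOWED table are constructed for the demo; the advisory does not say how Bugzilla's own dispatcher located methods, so that part is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical module (not Bugzilla's code) that exports a privileged helper.
package Demo::Util;
use Exporter 'import';
our @EXPORT_OK = qw(run_shell);
# Stand-in for a dangerous helper; it only reports what it would do.
sub run_shell { my $cmd = $_[-1]; return "would run: $cmd" }

# Hypothetical WebService package. Importing run_shell installs it as a
# plain sub in this namespace, right next to the real API method get().
package Demo::WebService::Product;
Demo::Util->import('run_shell');   # same effect as: use Demo::Util qw(run_shell);
sub get { my ($class, $args) = @_; return "product $args->{name}" }

package main;

# Unsafe dispatch: can() returns any sub visible in the package, so the
# imported run_shell, and UNIVERSAL methods such as isa/can, become API calls.
sub dispatch_unsafe {
    my ($class, $method, $args) = @_;
    my $code = $class->can($method) or return "unknown method $method";
    return $class->$code($args);
}

# Fixed dispatch: an explicit allowlist of the methods each package exposes,
# consulted before the name is resolved at all.
my %ALLOWED = ('Demo::WebService::Product' => { get => 1 });

sub dispatch_allowlisted {
    my ($class, $method, $args) = @_;
    return "unknown method $method" unless $ALLOWED{$class}{$method};
    return $class->$method($args);
}

my $class = 'Demo::WebService::Product';
# Constructed calls: one legitimate API method, one imported helper,
# one inherited UNIVERSAL method.
for my $call (['get', { name => 'Firefox' }], ['run_shell', 'id'], ['isa', 'UNIVERSAL']) {
    my ($method, $args) = @$call;
    printf "%-10s unsafe: %-24s allowlisted: %s\n", $method,
        dispatch_unsafe($class, $method, $args),
        dispatch_allowlisted($class, $method, $args);
}
```

The point of the allowlist is that it is keyed on names the API author wrote down, not on what happens to be resolvable in the package; a denylist of known-bad names would miss the next module someone imports.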
CVE-2014-8630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8630): Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
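The two-argument open() problem described in the advisory and in the NVD entry above, as an added illustration that is not Bugzilla's code: a hypothetical helper that reads a per-product data file from the current directory, once with the 2-argument open() and once with the 3-argument form the fix switched to. The helper, the scratch directory, the "Firefox" file and the crafted product name are all constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Hypothetical helper (not Bugzilla's code): return the first line of the
# data file named after a product, looked up in the current directory.
# $fixed selects the 3-argument open().
sub read_product_file {
    my ($product, $fixed) = @_;
    my $fh;
    if ($fixed) {
        # 3-argument form: the mode is explicit, so $product can only ever
        # name a file, whatever characters it contains.
        open($fh, '<', $product) or return "open failed: $!";
    }
    else {
        # 2-argument form: Perl parses $product for mode characters. A
        # trailing '|' means "run this as a command and read its output",
        # a leading '|' means "write to this command", a leading '>' truncates.
        open($fh, $product) or return "open failed: $!";
    }
    my $line = <$fh>;
    close $fh;
    $line = '' unless defined $line;
    chomp $line;
    return $line;
}

# Constructed scratch directory holding one legitimate product file.
my $dir  = tempdir(CLEANUP => 1);
my $orig = getcwd();
chdir $dir or die "chdir: $!";
open(my $out, '>', 'Firefox') or die "create: $!";
print $out "browser\n";
close $out;

# Constructed attacker-controlled product name: a pipe spec, not a file name.
my $evil = 'echo INJECTED |';

for my $name ('Firefox', $evil) {
    printf "%-20s 2-arg: %-30s 3-arg: %s\n", "'$name'",
        read_product_file($name, 0), read_product_file($name, 1);
}
chdir $orig or die "chdir: $!";
```

The legitimate name behaves identically in both columns; the crafted name makes the 2-argument open() execute echo and read INJECTED back, while the 3-argument open() fails with ENOENT. The audit is mechanical: every open() whose filename can carry user-controlled text needs an explicit mode argument, and Perl::Critic's core policy InputOutput::ProhibitTwoArgOpen flags the remaining two-argument calls.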
No input or testing yet from first listed maintainer, Andrew Hamilton. With so many listed under CC I wonder if everyone is awaiting everyone else.
It has been some time since this Bug received an update. Since it is security related, bringing it up to the surface so it is not forgotten. Any updates?
It has been almost a year since the new version came out. Do we want to update?
Attached an ebuild for a version bump to 2.5.0. Worked with the guys in #gentoo-proxy-maintainers to clean up, update and test the ebuild. I will do a PR on github this evening as well. I'd like to put my hand up as a proxy maintainer for this as well, which was discussed in channel too.
Created attachment 421444 [details] Ebuild 2.5.0
Created attachment 421452 [details] Ebuild - 5.0.2 New ebuild with minor fixes, and the version should be 5.0.2 not 2.5.0.
Craig Inches set as new proxy maintainer of www-apps/bugzilla in metadata.xml
The vn. 5.0.2 is ready to be added. The vn. 4.4.11 should be ready tomorrow morning
Created attachment 421574 [details] Ebuild - 4.4.11 Ebuild to bump the 4.4.11 build for users not wanting to upgrade at this time
commit 802fb794ae417ee26d1f3488df1ba31ac31b0af0
Author: Craig Inches <craig.inches@xayto.net>
Date:   Sat Jan 2 13:24:27 2016 +0800

    www-apps/bugzilla: Version bumps 5.0.2, and 4.4.11

    Clean up files dir and ebuilds to reflect
    Update copyright

Arch testers please make stable:
=www-apps/bugzilla-4.4.11
=www-apps/bugzilla-5.0.2

Arches: amd64 x86
@perl

to complete this stabilization we need:

=dev-perl/Email-Sender-1.300.11
=dev-perl/Throwable-0.200.3-r1
=dev-perl/MooX-Types-MooseLike-0.270.0

is fine for you?
Go ahead and stabilise as many packages as you need.
(In reply to Agostino Sarubbo from comment #12)
> @perl
>
> to complete this stabilization we need:
>
> =dev-perl/Email-Sender-1.300.11
> =dev-perl/Throwable-0.200.3-r1
> =dev-perl/MooX-Types-MooseLike-0.270.0
>
> is fine for you?

Please if possible use the following list (otherwise we just repeat ourselves with another stable request soon):

dev-perl/Email-Sender-1.300.16
dev-perl/Throwable-0.200.11
dev-perl/MooX-Types-MooseLike-0.290.0
dev-perl/strictures-2.0.1
dev-perl/Module-Runtime-0.14.0
dev-perl/Email-Abstract-3.7.0

[Some of these modules are stable on more arches than bugz; feel free to stabilize for "amd64 x86" only now. I'll pick the rest up in due course.]
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
commit bf44152ce74896e34bbdd6b1df7b881d85b16eb9
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Jan 5 23:22:19 2016 +0800

    www-apps/bugzilla: clean old vulnerable versions wrt #537448
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201607-11 at https://security.gentoo.org/glsa/201607-11 by GLSA coordinator Aaron Bauman (b-man).