Bug 537448 (CVE-2014-8630) - <www-apps/bugzilla-{4.4.11,5.0.2}: Command Injection and Information Leak (CVE-2014-8630)
Summary: <www-apps/bugzilla-{4.4.11,5.0.2}: Command Injection and Information Leak (CV...
Status: RESOLVED FIXED
Alias: CVE-2014-8630
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/4.0.15/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-23 13:34 UTC by Agostino Sarubbo
Modified: 2016-07-20 11:16 UTC (History)
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Ebuild 2.5.0 (bugzilla-5.0.2.ebuild,3.14 KB, text/plain)
2016-01-01 11:33 UTC, Craig Inches
Ebuild - 5.0.2 (bugzilla-5.0.2.ebuild,3.07 KB, text/plain)
2016-01-01 12:51 UTC, Craig Inches
Ebuild - 4.4.11 (bugzilla-4.4.11.ebuild,2.85 KB, text/plain)
2016-01-02 04:47 UTC, Craig Inches

Description Agostino Sarubbo gentoo-dev 2015-01-23 13:34:22 UTC
From ${URL} :

Wednesday, Jan 21st, 2015
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* A user with editcomponents permissions could possibly inject system
  commands in product names and possibly other attributes.
* Methods from imported modules could possibly be executed using
  the WebService API.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Command Injection
Versions:    All versions before 4.0.16, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6,
             4.5.1 to 4.5.6
Fixed In:    4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Some code in Bugzilla does not properly use the 3-argument form
             of open(), and it is possible for an account with editcomponents
             permissions to inject commands into product names and other
             attributes.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
CVE Number:  CVE-2014-8630 

Class:       Information Leak
Versions:    2.23.3 to 4.0.15, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6
Fixed In:    4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Using the WebServices API, a user can possibly execute imported
             functions from other non-WebService modules. A whitelist has now 
             been added that lists explicit methods that can be executed via the
             API.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1090275


Vulnerability Solutions
=======================

The fixes for these issues are included in the 4.0.16, 4.2.12, 4.4.7, and
5.0rc1 releases. Upgrading to a release with the relevant fixes will protect
your installation from possible exploits of these issues.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
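The WebService issue described in the advisory above (imported functions reachable through the API, fixed by an explicit method whitelist), as an added Perl example that is not Bugzilla's own code. The package, the imported helper, the `PUBLIC_METHODS` constant and both dispatchers are assumed for illustration; only the mechanism (symbol-table lookup via `can()` versus an explicit allow-list) is what the advisory describes.

```perl
#!/usr/bin/perl
# Added example; not Bugzilla's own code. A dispatcher that resolves any
# requested name in a package's symbol table also reaches functions that
# were merely imported into that package. An explicit whitelist of method
# names closes that gap.
use strict;
use warnings;

package My::WebService::Demo;           # hypothetical WebService module
use List::Util qw(max);                  # imported helper, NOT an API method
use constant PUBLIC_METHODS => qw(get_version);   # assumed whitelist layout

sub get_version { return '5.0rc1' }      # the one intended API method

package main;

# Vulnerable dispatch: anything can() finds in the package is callable,
# including subs that were imported from other modules.
sub dispatch_unsafe {
    my ($class, $method, @args) = @_;
    my $code = $class->can($method) or return "unknown method '$method'";
    return $code->(@args);
}

# Fixed dispatch: only names listed in PUBLIC_METHODS resolve; everything
# else is rejected before the symbol table is consulted.
sub dispatch_whitelisted {
    my ($class, $method, @args) = @_;
    my %allowed = map { $_ => 1 } $class->PUBLIC_METHODS;
    return "unknown method '$method'" unless $allowed{$method};
    return $class->can($method)->(@args);
}

my $cls = 'My::WebService::Demo';
print "unsafe/get_version:      ", dispatch_unsafe($cls, 'get_version'), "\n";
print "unsafe/max:              ", dispatch_unsafe($cls, 'max', 3, 9, 4), "\n";
print "whitelisted/get_version: ", dispatch_whitelisted($cls, 'get_version'), "\n";
print "whitelisted/max:         ", dispatch_whitelisted($cls, 'max', 3, 9, 4), "\n";
```

The unsafe dispatcher happily calls `max`, which only exists in the package because `List::Util` exported it there; the whitelisted dispatcher refuses it. In a real API every module needs its own list, and the list must be reviewed whenever a new `use` line lands in that module.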
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:43:58 UTC
CVE-2014-8630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8630):
  Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x
  before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to
  execute arbitrary commands by leveraging the editcomponents privilege and
  triggering crafted input to a two-argument Perl open call, as demonstrated
  by shell metacharacters in a product name.
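The two-argument `open()` problem described in the advisory (Description above) and in the NVD text (Comment 1), as an added Perl example that is not Bugzilla's own code. The product-name value, the stats-reading helpers and the use of the system temp directory are constructed for illustration; the example shows the general mechanism, not the exact Bugzilla code path.

```perl
#!/usr/bin/perl
# Added example; not Bugzilla's own code. Perl's two-argument open()
# extracts the mode, and a trailing '|', from the string itself, so
# untrusted text interpolated into a path can become a shell command.
# The three-argument form takes the mode separately and treats the
# path argument as a literal filename.
use strict;
use warnings;
use File::Spec;

# Constructed attacker-controlled "product name" (hypothetical value).
# It ends in '|' so a two-argument open() treats the whole string as a
# command to read from; the shell metacharacters before it do the work.
my $product_name = 'x 2>/dev/null; echo INJECTED |';

# Vulnerable pattern: the name ends up inside the single open() argument.
sub read_stats_two_arg {
    my ($dir, $name) = @_;
    my $path = "$dir/$name";
    # Two-argument open: "$dir/x 2>/dev/null; echo INJECTED |" is handed to
    # /bin/sh ("$dir/x" fails silently, then echo runs) and stdout is read.
    open(my $fh, $path) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# Fixed pattern: explicit mode, path used verbatim.
sub read_stats_three_arg {
    my ($dir, $name) = @_;
    my $path = "$dir/$name";
    # Three-argument open: '<' is the mode and $path is only a filename,
    # so for this name the call simply fails with ENOENT.
    open(my $fh, '<', $path) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

my $dir = File::Spec->tmpdir;   # stands in for Bugzilla's data directory
print "two-arg:   ", read_stats_two_arg($dir, $product_name), "\n";
print "three-arg: ", read_stats_three_arg($dir, $product_name), "\n";
```

Run as-is, the two-argument variant prints the echoed marker because a command was executed, while the three-argument variant reports a failed open on a filename that does not exist. The same applies to a leading `|` (pipe to a command) and to leading `<`, `>` or `>>` (mode override) in a two-argument call, which is why the fix is to use the three-argument form everywhere a path contains user-controlled text, not to filter a particular character.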
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2015-06-24 08:22:39 UTC
No input or testing yet from first listed maintainer, Andrew Hamilton. With so many listed under CC I wonder if everyone is awaiting everyone else.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 14:04:30 UTC
It has been some time since this Bug received an update. Since it is security related, bringing it up to the surface so it is not forgotten.

Any updates?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-12-23 15:55:41 UTC
It has been almost a year since the new version came out. Do we want to update?
Comment 5 Craig Inches 2016-01-01 11:32:55 UTC
Attached an ebuild for a version bump to 2.5.0

Worked with the guys in #gentoo-proxy-maintainers to clean up, update and test the ebuild.

I will do a PR on GitHub this evening as well.

I'd like to put my hand up as a proxy maintainer as well for this, which was discussed in channel as well.
Comment 6 Craig Inches 2016-01-01 11:33:29 UTC
Created attachment 421444 [details]
Ebuild 2.5.0
Comment 7 Craig Inches 2016-01-01 12:51:10 UTC
Created attachment 421452 [details]
Ebuild - 5.0.2

New ebuild with minor fixes, and the version should be 5.0.2 not 2.5.0.
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2016-01-01 13:44:46 UTC
Craig Inches set as new proxy maintainer of www-apps/bugzilla in metadata.xml
Comment 9 Ian Delaney (RETIRED) gentoo-dev 2016-01-01 14:18:48 UTC
The vn. 5.0.2 is ready to be added. The vn. 4.4.11 should be ready tomorrow morning
Comment 10 Craig Inches 2016-01-02 04:47:31 UTC
Created attachment 421574 [details]
Ebuild - 4.4.11

Ebuild to bump the 4.4.11 build for users not wanting to upgrade at this time
Comment 11 Ian Delaney (RETIRED) gentoo-dev 2016-01-02 06:00:34 UTC
commit 802fb794ae417ee26d1f3488df1ba31ac31b0af0
Author: Craig Inches <craig.inches@xayto.net>
Date:   Sat Jan 2 13:24:27 2016 +0800

    www-apps/bugzilla: Version bumps 5.0.2, and 4.4.11

    Clean up files dir and ebuilds to reflect
    Update copyright


Arch testers please make stable:
=www-apps/bugzilla-4.4.11
=www-apps/bugzilla-5.0.2

Arches:   amd64 x86
Comment 12 Agostino Sarubbo gentoo-dev 2016-01-03 13:36:32 UTC
@perl

to complete this stabilization we need:

=dev-perl/Email-Sender-1.300.11
=dev-perl/Throwable-0.200.3-r1
=dev-perl/MooX-Types-MooseLike-0.270.0

Is that fine for you?
Comment 13 Patrice Clement (RETIRED) gentoo-dev 2016-01-03 15:51:34 UTC
Go ahead and stabilise as many packages as you need.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2016-01-03 22:53:38 UTC
(In reply to Agostino Sarubbo from comment #12)
> @perl
> 
> to complete this stabilization we need:
> 
> =dev-perl/Email-Sender-1.300.11
> =dev-perl/Throwable-0.200.3-r1
> =dev-perl/MooX-Types-MooseLike-0.270.0
> 
> Is that fine for you?

Please if possible use the following list (otherwise we just repeat ourselves with another stable request soon):

dev-perl/Email-Sender-1.300.16
dev-perl/Throwable-0.200.11
dev-perl/MooX-Types-MooseLike-0.290.0
dev-perl/strictures-2.0.1
dev-perl/Module-Runtime-0.14.0
dev-perl/Email-Abstract-3.7.0

[Some of these modules are stable on more arches than bugz; feel free to stabilize for "amd64 x86" only now. I'll pick the rest up in due course.]
Comment 15 Agostino Sarubbo gentoo-dev 2016-01-04 09:36:07 UTC
amd64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-01-04 09:39:24 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 Ian Delaney (RETIRED) gentoo-dev 2016-01-05 15:23:44 UTC
commit bf44152ce74896e34bbdd6b1df7b881d85b16eb9
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Jan 5 23:22:19 2016 +0800

    www-apps/bugzilla: clean old vulnerable versions wrt #537448
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 05:33:52 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:16:16 UTC
This issue was resolved and addressed in
 GLSA 201607-11 at https://security.gentoo.org/glsa/201607-11
by GLSA coordinator Aaron Bauman (b-man).