Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 401809 (CVE-2012-0440) - <www-apps/bugzilla-3.6.8 : Spoofing and Cross-Site Request Forgery Vulnerabilities (CVE-2012-{0440,0448})
Summary: <www-apps/bugzilla-3.6.8 : Spoofing and Cross-Site Request Forgery Vulnerabil...
Status: RESOLVED FIXED
Alias: CVE-2012-0440
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47814/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2011-3657
  Show dependency tree
 
Reported: 2012-02-01 14:43 UTC by Agostino Sarubbo
Modified: 2012-02-20 21:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-02-01 14:43:11 UTC
From secunia security advisory at $URL:

Description
1) An error within the handling of email addresses containing certain UTF-8 encoded characters can be exploited to e.g. impersonate another user.

2) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change certain bug data or execute certain administrative tasks when a logged-in user visits a specially crafted web page.

Please see the vendor's advisory for a list of affected versions.


Solution:
Update to version 3.4.14, 3.6.8, or 4.0.4.
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2012-02-01 18:32:24 UTC
3.6.8 is in gentoo-x86 now.
Comment 2 Agostino Sarubbo gentoo-dev 2012-02-01 20:22:15 UTC
Thanks Christian

amd64/x86 stable.


@security, please vote
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-02-13 21:44:35 UTC
Thanks, folks. GLSA Vote: no.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:26:10 UTC
CVE-2012-0448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0448):
  Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and
  4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject
  non-ASCII characters in e-mail addresses of new user accounts, which makes
  it easier for remote authenticated users to spoof other user accounts by
  choosing a similar e-mail address.

CVE-2012-0440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0440):
  Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla
  3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and
  4.2.x before 4.2rc2 allows remote attackers to hijack the authentication of
  arbitrary users for requests that use the JSON-RPC API.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-20 21:08:50 UTC
Vote: no. Closing [noglsa].