Bug 412887 (CVE-2012-0465) - <www-apps/bugzilla-{3.6.9,4.0.6,4.2.1}: Cross-Site Request Forgery Vulnerability (CVE-2012-{0465,0466})
Status: RESOLVED FIXED
Alias: CVE-2012-0465
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48835/
Whiteboard: B4 [noglsa]
Depends on: CVE-2012-1968 CVE-2013-0785
Reported: 2012-04-21 09:36 UTC by Agostino Sarubbo
Modified: 2013-09-23 11:44 UTC

Description Agostino Sarubbo gentoo-dev 2012-04-21 09:36:48 UTC
From Secunia advisory at $URL:


Description
A vulnerability has been reported in Bugzilla, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. disclose certain information about private bug reports by tricking a logged in administrative user into visiting a malicious web site.

Note: An error when handling the "X-Forwarded-For" HTTP header can be exploited to bypass certain account lockout restrictions.

The vulnerability is reported in versions 2.17.4 through 3.6.8, 3.7.1 through 4.0.5, and 4.1.1 through 4.2.


Solution
Update to version 3.6.9, 4.0.6, or 4.2.1.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-04-29 13:17:48 UTC
CVE-2012-0466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0466):
  template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9,
  3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not
  properly handle multiple logins, which allows remote attackers to conduct
  cross-site scripting (XSS) attacks and obtain sensitive bug information via
  a crafted web page.

CVE-2012-0465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0465):
  Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and
  4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled,
  does not properly validate the X-Forwarded-For HTTP header, which allows
  remote attackers to bypass the lockout policy via a series of authentication
  requests with (1) different IP address strings in this header or (2) a long
  string in this header.
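
Added example, not part of the bug report and not Bugzilla's own code: a sketch of how a login lockout can key its failure counter so that the two X-Forwarded-For cases in CVE-2012-0465 (varying address strings, overlong value) do not reset it. The proxy address, limits, and the names `client_ip` and `Lockout` are constructed for illustration, and the right-to-left hop handling is an assumption about a sensible design, not a description of the upstream patch.

```python
import ipaddress
from collections import defaultdict

# Constructed values for illustration; not taken from Bugzilla's configuration.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # stands in for inbound_proxies
MAX_FAILURES = 5
MAX_HEADER_LEN = 256


def client_ip(peer, xff):
    """Return the normalized address that lockout counters are keyed on."""
    peer_ip = ipaddress.ip_address(peer)
    # A client connecting directly controls the whole header: ignore it.
    if peer_ip not in TRUSTED_PROXIES or not xff:
        return str(peer_ip)
    # Overlong header: refuse to parse it and count against the proxy address.
    if len(xff) > MAX_HEADER_LEN:
        return str(peer_ip)
    # Right-most entries were appended by our own proxies; anything further
    # left was supplied by the client and is never reached.
    for hop in reversed(xff.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer_ip)  # not an IP address: fall back to the peer
        if ip not in TRUSTED_PROXIES:
            return str(ip)  # str() normalizes alternate spellings of one address
    return str(peer_ip)


class Lockout:
    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, peer, xff=None):
        """Count a failed login; return True once the source is locked out."""
        key = client_ip(peer, xff)
        self.failures[key] += 1
        return self.failures[key] >= MAX_FAILURES


def demo():
    # Constructed scenario: a direct client changes the header on every attempt.
    lock = Lockout()
    return [lock.record_failure("203.0.113.9", f"198.51.100.{i}") for i in range(5)]
```
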
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-29 13:24:53 UTC
  18 Apr 2012; Christian Ruppert <idl0r@gentoo.org> +bugzilla-3.6.9.ebuild,
  -bugzilla-4.0.5.ebuild, +bugzilla-4.0.6.ebuild, -bugzilla-4.2.ebuild,
  +bugzilla-4.2.1.ebuild:
  Version bumps re CVE-2012-0465 and CVE-2012-0466

Thanks, Christian. May we proceed with stabilization of 3.6.9?
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2013-03-24 20:01:55 UTC
Go ahead.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-24 22:51:34 UTC
(In reply to comment #3)
> Go ahead.

This bug is 11 months old and there have been 11 vulnerabilities found since then. See bugs 428334, 433776, 443162, and 458562.

We now need at least versions 3.6.13, 4.0.10, and 4.2.5 in the tree.