From ${URL} : Description A weakness and a vulnerability has been reported in Bugzilla, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting attacks. 1) Input passed to the "id" parameter in show_bug.cgi (when "format" is set to an invalid format) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in versions 2.0 through 3.6.12, 3.7.1 through 4.0.9, and 4.1.1 through 4.2.4. 2) An error related to running a query in debug mode can be exploited to disclose if certain field values exists e.g. product names. The weakness is reported in versions 2.17.1 through 3.6.12 and 3.7.1 through 4.0.9. Solution Update to version 3.6.13, 4.0.10, or 4.2.5. Provided and/or discovered by 1) SimranJeet Singh within a bug ticket. 2) Reported by the vendor. Original Advisory http://www.bugzilla.org/security/3.6.12/ https://bugzilla.mozilla.org/show_bug.cgi?id=842038 https://bugzilla.mozilla.org/show_bug.cgi?id=824399
CVE-2013-0786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0786): The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers to discover private product names by using debug mode for a query. CVE-2013-0785 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0785): Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before 4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote attackers to inject arbitrary web script or HTML via the id parameter in conjunction with an invalid value of the format parameter.
*** Bug 483050 has been marked as a duplicate of this bug. ***
Since this one has the highest version numbers in the mess of bugzie security issues, let's centralize here. Bugzilla needs bumps to 3.6.13, 4.0.10, 4.2.5.
Security bump. Arches, please test and stabilize: =www-apps/bugzilla-3.6.13 Target arches: amd64 x86
amd64 stable
x86 stable
GLSA vote (for this and blocked bugs as a whole): no.
GLSA vote: no Closing this as noglsa
