Bug 518046 (CVE-2014-1546) - <www-apps/bugzilla-{4.0.14,4.2.10,4.4.5,4.5.5}: Cross-Site Request Forgery (CVE-2014-1546)
Summary: <www-apps/bugzilla-{4.0.14,4.2.10,4.4.5,4.5.5}: Cross-Site Request Forgery (C...
Status: RESOLVED FIXED
Alias: CVE-2014-1546
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/4.0.13/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-24 22:31 UTC by Alex Xu (Hello71)
Modified: 2016-03-22 07:36 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Alex Xu (Hello71) 2014-07-24 22:31:00 UTC
.
Comment 1 Alex Xu (Hello71) 2014-07-24 22:48:51 UTC
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issue has been discovered
in Bugzilla:

* An attacker can get access to some bug information using
  the victim's credentials using a specially crafted HTML page.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Cross Site Request Forgery
Versions:    3.7.1 to 4.0.13, 4.1.1 to 4.2.9, 4.3.1 to 4.4.4, 4.5.1 to 4.5.4
Fixed In:    4.0.14, 4.2.10, 4.4.5, 4.5.5
Description: Adobe does not properly restrict the SWF file format,
             which allows remote attackers to conduct cross-site
             request forgery (CSRF) attacks against Bugzilla's JSONP
             endpoint, possibly obtaining sensitive bug information,
             via a crafted OBJECT element with SWF content satisfying
             the character-set requirements of a callback API.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1036213
CVE Number:  CVE-2014-1546
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-10-12 13:41:28 UTC
CVE-2014-1546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1546):
  The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm
  in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before
  4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain
  long callback values and does not restrict the initial bytes of a JSONP
  response, which allows remote attackers to conduct cross-site request
  forgery (CSRF) attacks, and obtain sensitive information, via a crafted
  OBJECT element with SWF content consistent with the _bz_callback character
  set.
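The two weaknesses named in the NVD text (over-long callback values and unrestricted initial bytes of the JSONP body) map onto two server-side checks. The following is an added illustration of that mitigation class in Python; it is not Bugzilla's JSONRPC.pm, the 64-character limit is an assumed value, and the callback name used in the sample is constructed.

```python
import json
import re

# Added illustration for CVE-2014-1546; not Bugzilla's own code. The limit
# below is an assumption chosen for the example, not the project's setting.
MAX_CALLBACK_LEN = 64
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

# Every Flash file begins with a fixed 3-byte signature. Prefixing the body
# with a fixed JavaScript comment means the first bytes are never attacker
# controlled, so the response cannot double as a SWF whatever the callback.
SWF_SIGNATURES = ("FWS", "CWS", "ZWS")
SAFE_PREFIX = "/**/"


def is_valid_callback(name):
    """True if the callback is short and looks like a JavaScript identifier path."""
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(name) is not None


def naive_jsonp(callback, payload):
    """The weak pattern: the caller-supplied callback becomes the body's first bytes."""
    return "%s(%s);" % (callback, json.dumps(payload))


def hardened_jsonp(callback, payload):
    """Reject bad callbacks, then pin the leading bytes to a constant prefix."""
    if not is_valid_callback(callback):
        raise ValueError("rejected callback name")
    return SAFE_PREFIX + naive_jsonp(callback, payload)


def could_be_swf(body):
    """Detection helper: does a response body start with a SWF signature?"""
    return body[:3] in SWF_SIGNATURES


if __name__ == "__main__":
    # Constructed sample: a syntactically valid callback whose first three
    # characters coincide with a SWF signature.
    cb = "CWSresult"
    print(could_be_swf(naive_jsonp(cb, {"ok": True})))     # True
    print(could_be_swf(hardened_jsonp(cb, {"ok": True})))  # False
```

The `could_be_swf` check is also usable as a one-line detection over captured JSONP responses when auditing an endpoint for this class of issue.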
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 07:36:53 UTC
No ebuilds in the tree are vulnerable.  Removed months ago.