Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 712706 (CVE-2018-5123) - <www-apps/bugzilla-5.0.6: CSRF vulnerability via image generation in report.cgi (CVE-2018-5123)
Summary: <www-apps/bugzilla-5.0.6: CSRF vulnerability via image generation in report.c...
Status: RESOLVED FIXED
Alias: CVE-2018-5123
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://www.bugzilla.org/security/4.4...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-15 14:38 UTC by Sam James
Modified: 2020-08-15 06:01 UTC (History)
3 users (show)

See Also:
Package list:
www-apps/bugzilla-5.0.6
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 14:38:07 UTC
>Class:       Cross-Site Request Forgery
>Versions:    Bugzilla 2.16rc1 to 4.4.12, 4.5.1 to 5.0.3
>Fixed In:    4.4.13, 5.0.4
>Description: Via the image generation in report.cgi, a malicious site
>             using the presence of certain images, could extract
>             potentially confidential information if the victim was
>             logged in and could access the bug.
>References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1433400
>CVE Number:  CVE-2018-5123
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 00:47:53 UTC
@maintainer(s): ping
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-02 22:26:01 UTC
@maintainer(s): ping
Comment 4 Larry the Git Cow gentoo-dev 2020-08-01 20:43:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2fa70ce5190a8073fd697326a8495f2626326f2

commit f2fa70ce5190a8073fd697326a8495f2626326f2
Author:     David Denoncin <ddenoncin@gmail.com>
AuthorDate: 2020-07-18 15:58:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-01 20:27:37 +0000

    www-apps/bugzilla: vbump 5.0.6
    
    This new ebuild leaves dealing with mod_perl to experienced users. This
    change enables bumping the ebuild to EAPI 7.
    
    It also loses using use flags for optional runtime dependencies.
    
    Bug: https://bugs.gentoo.org/712706
    Closes: https://bugs.gentoo.org/332251
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: David Denoncin <ddenoncin@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/16125
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/bugzilla/Manifest                         |   1 +
 www-apps/bugzilla/bugzilla-5.0.6.ebuild            | 118 +++++++++++++++++++++
 .../bugzilla/files/bugzilla-5.0.6-leftbrace.patch  |  17 +++
 www-apps/bugzilla/files/bugzilla-5.0.6-perl.patch  |  17 +++
 .../bugzilla/files/bugzilla-5.0.6-template.patch   |  17 +++
 www-apps/bugzilla/files/postinstall-5.0.6-en.txt   |  30 ++++++
 www-apps/bugzilla/files/postinstall-en.txt         |   1 +
 www-apps/bugzilla/files/postupgrade-5.0.6-en.txt   |  10 ++
 8 files changed, 211 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-02 00:08:19 UTC
Giving it a few days.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 04:38:11 UTC
amd64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 05:49:35 UTC
x86 done

all arches done
Comment 8 Larry the Git Cow gentoo-dev 2020-08-15 06:01:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7e5ee5f8f488c35a163dda0075df0ceb0e02a7b

commit e7e5ee5f8f488c35a163dda0075df0ceb0e02a7b
Author:     David Denoncin <ddenoncin@gmail.com>
AuthorDate: 2020-08-10 21:15:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-15 05:59:09 +0000

    www-apps/bugzilla: drop vulnerable old
    
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: David Denoncin <ddenoncin@gmail.com>
    Bug: https://bugs.gentoo.org/712706
    Closes: https://github.com/gentoo/gentoo/pull/17073
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/bugzilla/Manifest                         |   2 -
 www-apps/bugzilla/bugzilla-4.4.12-r2.ebuild        | 130 --------------------
 www-apps/bugzilla/bugzilla-5.0.3-r2.ebuild         | 134 ---------------------
 .../bugzilla/files/bugzilla-5.0.3-leftbrace.patch  |  26 ----
 www-apps/bugzilla/files/bugzilla-queue.confd       |   4 -
 www-apps/bugzilla/files/bugzilla.cron.daily        |   5 -
 www-apps/bugzilla/files/bugzilla.cron.tab          |   1 -
 www-apps/bugzilla/files/postinstall-en.txt         |  14 ---
 www-apps/bugzilla/files/reconfig                   |  19 ---
 www-apps/bugzilla/metadata.xml                     |   4 -
 10 files changed, 339 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 06:01:43 UTC
GLSA vote: no.

Tree is clean. Closing.