| Summary: | Upgrade the Bugzilla RPM to 4.4.4 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Frédéric "LpSolit" Buclin <LpSolit> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | dmorganec, guillomovitch, marja11, olav, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | Triaged, validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/596803/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | bugzilla | CVE: | |
| Status comment: | |||
Description
Frédéric "LpSolit" Buclin
2013-08-02 00:31:18 CEST

(unmaintained package)

Keywords: (none) => Triaged

Bugzilla 4.4.1 contains 4 security fixes (+2 security enhancements), see http://www.bugzilla.org/security/4.0.10/.

Summary: Upgrade the Bugzilla RPM to 4.4 final => Upgrade the Bugzilla RPM to 4.4.1

I have uploaded a patched/updated package for Mageia 3. You can test this by installing the package and pointing your web browser at http://localhost/bugzilla.

Suggested advisory:
========================
Updated bugzilla packages fix security vulnerabilities:

* A CSRF vulnerability in process_bug.cgi affecting Bugzilla 4.4 only can lead to a bug being edited without the user's consent.
* A CSRF vulnerability in attachment.cgi can lead to an attachment being edited without the user's consent.
* Several unfiltered parameters when editing flagtypes can lead to XSS.
* Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered field values in tabular reports can lead to XSS.

References:
http://www.bugzilla.org/security/4.0.10/
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.1-1.mga3.noarch.rpm
bugzilla-contrib-4.4.1-1.mga3.noarch.rpm

Source RPMs:
bugzilla-4.4.1-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Testing mga3 64

Current bugzilla package doesn't appear to be working. After configuring the db, running the installation script and browsing to http://localhost/bugzilla it displays the Perl code rather than running it. Missing some ExecCGI somewhere I think, or an apache mod; I don't know enough about CGI to debug it. After updating and even running checksetup.pl again it's still the same.

eg:

```perl
#!/usr/bin/perl -wT
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

###############################################################################
# Script Initialization
###############################################################################

# Make it harder for us to do dangerous things in Perl.
use strict;

# Include the Bugzilla CGI and general utility library.
use lib qw(. lib);
use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Update;
```

Cool, thanks for testing! Did you notice if it also happened with the original Bugzilla version that came with Mageia 3?
claire robinson
2013-10-24 17:46:46 CEST

Whiteboard: has_procedure => has_procedure feedback

Sorry Olav, I missed your comment. Yes it does. It was the same before and after the update.

Fedora has issued an advisory for this on October 19:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119846.html

It fixes CVE-2013-1734, CVE-2013-1742, and CVE-2013-1743.

URL: (none) => http://lwn.net/Vulnerabilities/572097/

(In reply to David Walser from comment #8)
> Fedora has issued an advisory for this on October 19:
> It fixes CVE-2013-1734, CVE-2013-1742, and CVE-2013-1743.

Fedora has Bugzilla 4.2.x. Mageia 3 has Bugzilla 4.4.x, and so their security advisory is incomplete as it misses one security issue (CVE-2013-1733) which affects 4.4rc1 to 4.4. The official security advisory from Bugzilla is: http://www.bugzilla.org/security/4.0.10/

URL: http://lwn.net/Vulnerabilities/572097/ => http://www.bugzilla.org/security/4.0.10/

Assigning Olav for now. Please reassign to QA when you've had a chance to take a look. Thanks.

CC: (none) => qa-bugs

Mandriva has issued an advisory for this today (November 26):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/

Their advisory includes the missing CVE-2013-1733.

LWN reference for CVE-2013-1733:
http://lwn.net/Vulnerabilities/575049/

LWN reference for the other CVEs:
http://lwn.net/Vulnerabilities/572097/

Just enable a suitable handler for cgi files, either in the main apache configuration file (where it is now disabled by default) or in the bugzilla-specific configuration file:

AddHandler cgi-script .cgi

CC: (none) => guillomovitch

Guillaume has fixed the packaging issue. Thanks Guillaume!

Assigning back to QA.

Advisory:
========================
Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189 (CVE-2013-1743).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/releases/4.4.1/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.1-1.1.mga3.noarch.rpm
bugzilla-contrib-4.4.1-1.1.mga3.noarch.rpm

from bugzilla-4.4.1-1.1.mga3.src.rpm

Assignee: olav => qa-bugs

It's now displaying the proper bugzilla rather than the code, but it's missing graphics or css, maybe a missing alias.
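The two symptoms reported in this thread (Perl source being shown instead of executed, then a page with no graphics or CSS) both come from the Apache side of the packaging rather than from Bugzilla itself. The following is an added example of a complete Apache stanza that addresses both, written for this page and not the configuration shipped in the Mageia bugzilla RPM. The install path /usr/share/bugzilla and the Apache 2.4 access-control syntax are assumptions; the path in the actual package may differ.

```apache
# Added example configuration, not the packaged file.
# Assumes Bugzilla is installed under /usr/share/bugzilla (adjust to match
# the RPM) and Apache 2.4 ("Require" syntax).

# Map http://localhost/bugzilla/ onto the install directory. Without the
# Alias, index.cgi may still be reachable but the relative links to skins/
# and images/ resolve elsewhere, which shows up as "no graphics or css".
Alias /bugzilla /usr/share/bugzilla

<Directory /usr/share/bugzilla>
    # This handler is what makes Apache execute *.cgi instead of returning
    # the Perl source as a plain file. The thread notes it is disabled by
    # default in the main Apache config, so it must be turned on here or
    # there. Needs mod_cgi (prefork MPM) or mod_cgid (event/worker MPM)
    # to be loaded.
    AddHandler cgi-script .cgi
    Options +ExecCGI +FollowSymLinks

    # Serve index.cgi for the bare /bugzilla/ URL.
    DirectoryIndex index.cgi index.html

    # checksetup.pl writes .htaccess files that deny web access to
    # localconfig (database credentials), data/ and other private
    # directories. Apache ignores them unless AllowOverride permits the
    # directive groups they use: Limit for Allow/Deny, AuthConfig for
    # "Require all denied" on 2.4.
    AllowOverride Limit FileInfo Indexes Options AuthConfig

    Require all granted
</Directory>
```

After installing the stanza, `apachectl configtest` followed by a restart is enough; checksetup.pl does not need to be re-run for this, because the problem is Apache not executing the scripts rather than anything in Bugzilla's own setup. A quick check that the handler took effect is that fetching http://localhost/bugzilla/ returns HTML rather than a body starting with `#!/usr/bin/perl`.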
claire robinson
2014-04-16 13:42:49 CEST

Whiteboard: has_procedure => has_procedure feedback

Now this needs to be updated to 4.4.3, for Mageia 3, Mageia 4, and Cauldron. Any interested packager can do the update and fix the issue in Comment 14.

Here's the new upstream advisory:
http://www.bugzilla.org/security/4.0.11/

Fedora has issued an advisory for this on April 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html

URL: http://www.bugzilla.org/security/4.0.10/ => http://lwn.net/Vulnerabilities/596803/

(In reply to David Walser from comment #15)
> Now this needs to be updated to 4.4.3

You must skip 4.4.3 and jump to 4.4.4 directly. One of the security fixes broke 4.4.3 and we had to release 4.4.4 the day after to fix this regression.

Summary: Upgrade the Bugzilla RPM to 4.4.3 => Upgrade the Bugzilla RPM to 4.4.4

Updated to 4.4.4 in Cauldron by tmb. Other updates apparently in progress.

CC: (none) => tmb

tmb updated it to 4.4.4 in updates_testing, but I'm not sure if the issue in Comment 14 has been addressed. I'll let him comment on that before pushing to QA. Here are potential advisories.

Advisory (Mageia 3):
========================
Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189 (CVE-2013-1743).

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.mga3.noarch.rpm
bugzilla-contrib-4.4.4-1.mga3.noarch.rpm

from bugzilla-4.4.4-1.mga3.src.rpm

Advisory (Mageia 4):
========================
Updated bugzilla packages fix security vulnerability:

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.mga4.noarch.rpm
bugzilla-contrib-4.4.4-1.mga4.noarch.rpm

from bugzilla-4.4.4-1.mga4.src.rpm

It looks like tmb has fixed the issue in Comment 14. Assigning to QA.

Advisory (Mageia 3):
========================
Updated bugzilla packages fix security vulnerabilities:

Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via vectors involving a midair-collision token (CVE-2013-1733).

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action (CVE-2013-1734).

Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) sortkey parameter (CVE-2013-1742).

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, as demonstrated by the (1) summary or (2) real name field. NOTE: this issue exists because of an incomplete fix for CVE-2012-4189 (CVE-2013-1743).

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.10/
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:285/
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.1.mga3.noarch.rpm
bugzilla-contrib-4.4.4-1.1.mga3.noarch.rpm

from bugzilla-4.4.4-1.1.mga3.src.rpm

Advisory (Mageia 4):
========================
Updated bugzilla packages fix security vulnerability:

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue (CVE-2014-1517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1517
http://www.bugzilla.org/security/4.0.11/
http://www.bugzilla.org/releases/4.4.4/release-notes.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.4-1.1.mga4.noarch.rpm
bugzilla-contrib-4.4.4-1.1.mga4.noarch.rpm

from bugzilla-4.4.4-1.1.mga4.src.rpm

CC: qa-bugs => (none)

Yep, and initial tests done on both mga3 64bit and mga4 64bit to confirm they work.

bugs.mageia.org is now also running 4.4.4

Thanks Thomas, testing the others now.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok mga4-64-ok

Testing complete mga3 32

Reminder, the procedure is here: https://bugs.mageia.org/show_bug.cgi?id=9088#c14
Login is with email/password.

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Validating. Separate advisories uploaded for mga3 & mga4.

Could sysadmin please push both to updates. Thanks.

Keywords: (none) => validated_update

(In reply to Thomas Backlund from comment #21)
> bugs.mageia.org is now also running 4.4.4

Thank you so much!

CC: (none) => marja11

Mga3 update pushed:
http://advisories.mageia.org/MGASA-2014-0199.html

Mga4 update pushed:
http://advisories.mageia.org/MGASA-2014-0200.html

Status: NEW => RESOLVED