Bug 14241

Summary: bugzilla new security issues CVE-2014-157[1-3]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/615620/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK
Source RPM: bugzilla-4.4.5-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-10-06 21:59:43 CEST 
Upstream has issued an advisory today (October 6):
http://www.bugzilla.org/security/4.0.14/

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

If a new comment was marked private to the insider group, and a flag was set
in the same transaction, the comment would be visible to flag recipients
even if they were not in the insider group (CVE-2014-1571).

An attacker creating a new Bugzilla account can override certain parameters
when finalizing the account creation that can lead to the user being created
with a different email address than originally requested. The overridden
login name could be automatically added to groups based on the group's
regular expression setting (CVE-2014-1572).

During an audit of the Bugzilla code base, several places were found where
cross-site scripting exploits could occur which could allow an attacker to
access sensitive information (CVE-2014-1573).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1573
http://www.bugzilla.org/security/4.0.14/
http://www.bugzilla.org/releases/4.4.6/release-notes.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.6-1.mga3.noarch.rpm
bugzilla-contrib-4.4.6-1.mga3.noarch.rpm
bugzilla-4.4.6-1.mga4.noarch.rpm
bugzilla-contrib-4.4.6-1.mga4.noarch.rpm

from SRPMS:
bugzilla-4.4.6-1.mga3.src.rpm
bugzilla-4.4.6-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-10-06 22:00:26 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9088#c14

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 olivier charles 2014-10-07 22:42:38 CEST 
Testing on Mageia4-32

Installed :
- bugzilla-4.4.6-1.mga4.noarch

in /usr/share/bugzilla/bin
# ./checksetup.pl --check-modules
# ./checksetup.pl

# leafpad /etc/bugzilla/localconfig
$db_driver = 'mysql';
$db_host = 'localhost';
$db_name = 'bugs';
$db_pass = 'passwd';

# mysqladmin --user=root -p create bugs
# mysql -u root -p

MariaDB [(none)]> GRANT SELECT, INSERT,
UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES,
CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.*
TO bugs@localhost IDENTIFIED BY 'passwd';
MariaDB [(none)]>  FLUSH PRIVILEGES;
MariaDB [(none)]> quit

# cd /etc/bugzilla/
# grep webservergroup localconfig
$webservergroup = 'apache';
#  grep Group /etc/httpd/conf/httpd.conf
# User/Group: The name (or #number) of the user/group to run httpd as.
Group apache

# cd /usr/share/bugzilla/bin/
#  ./checksetup.pl
* This is Bugzilla 4.4.6 on perl 5.18.1
(...)
Enter the e-mail address of the administrator: olli@free.fr
Enter the real name of the administrator: olli
Enter a password for the administrator account: 
Please retype the password to verify: 
olli@free.fr is now set up as an administrator.
Creating initial dummy product 'TestProduct'...
checksetup.pl complete.

edit /etc/bugzilla/localconfig

http://localhost/bugzilla/

Logged in as olli@free.fr and passwd previously set.
On welcome page, went to Administration/Parameters/Required Settings
and filled urlbase : 
http://localhost/bugzilla/

Then created bugs, add attachments, logged out, search, read bugs, download attachments...

All went smooth.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Comment 3 olivier charles 2014-10-08 20:56:02 CEST 
Testing on Mageia4-64

* This is Bugzilla 4.4.6 on perl 5.18.1

Followed same procedure as in comment 2

Once installed and configured, created bugs, placed comments, attachments, logged in and out, created users, products, etc ...

All good.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2014-10-09 14:41:51 CEST 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure mga3-64-ok MGA4-32-OK MGA4-64-OK

Comment 5 claire robinson 2014-10-09 15:02:49 CEST 
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK

Comment 6 claire robinson 2014-10-09 16:01:01 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2014-10-09 16:40:02 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0412.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-10-09 18:34:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/615620/

Comment 8 Thomas Backlund 2014-10-09 18:42:48 CEST 
bugs.mageia.org also updated to 4.4.6

CC: (none) => tmb