Bug 15134

Summary: bugzilla new security issue CVE-2014-8630
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/631503/
Whiteboard: has_procedure advisory MGA4-32-OK mga4-64-ok
Source RPM: bugzilla-4.4.6-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-26 15:28:53 CET 
Upstream has issued an advisory on January 21:
http://www.bugzilla.org/security/4.0.15/

The issue is fixed in 4.4.7.

Mageia 4 is also affected.

According to Olav, this version causes a regression and 4.4.8 is planned.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-26 15:29:10 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-01-28 14:37:49 CET 
Version 4.4.8 has been released:
http://www.bugzilla.org/releases/4.4.8/release-notes.html

Freeze push requested for Cauldron, updates checked into SVN.
Comment 2 David Walser 2015-01-28 16:04:23 CET 
Updated package uploaded for Mageia 4.  Freeze push pending for Cauldron.

Advisory:
========================

Updated bugzilla packages fix security vulnerability:

Some code in Bugzilla does not properly utilize 3 arguments form for open()
and it is possible for an account with editcomponents permissions to inject
commands into product names and other attributes (CVE-2014-8630).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8630
http://www.bugzilla.org/security/4.0.15/
http://www.bugzilla.org/releases/4.4.8/release-notes.html
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.4.8-1.mga4.noarch.rpm
bugzilla-contrib-4.4.8-1.mga4.noarch.rpm

from bugzilla-4.4.8-1.mga4.src.rpm

Whiteboard: MGA4TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 4

Comment 3 David Walser 2015-01-28 16:04:36 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9088#c14

Whiteboard: (none) => has_procedure

Comment 4 olivier charles 2015-01-28 21:29:16 CET 
Testing on Mageia4-32 real hardware, retracing my steps in previous bug (https://bugs.mageia.org/show_bug.cgi?id=14241#c2)
based on procedure mentioned in comment 3.
Did not fin any PoC in http://www.bugzilla.org/security/4.0.15/

From current package :
--------------------
bugzilla-4.4.6-1.mga4

Installed bugzilla using mysql, 
Browsed to http://localhost/bugzilla/
Logged in, created bugs, deleted bugs, made replies, attached files, logged out and back in, etc.

All OK

To updated testing package :
--------------------------
bugzilla-4.4.8-1.mga4

Restarted httpd,
Browsed to http://localhost/bugzilla/
Logged in and found my previous bugs, added some, deleted, attached files...

All OK

Whiteboard: has_procedure => has_procedure MGA4-32-OK
CC: (none) => olchal

Comment 5 claire robinson 2015-01-29 17:27:24 CET 
Testing complete mga4 64

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 6 claire robinson 2015-01-29 17:42:28 CET 
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-01-31 14:24:30 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0048.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2015-02-03 17:54:52 CET

URL: (none) => http://lwn.net/Vulnerabilities/631503/