Bug 22735 - bugzilla new security issue CVE-2018-5123
Summary: bugzilla new security issue CVE-2018-5123
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2018-03-11 14:31 CET by David Walser
Modified: 2018-03-19 13:14 CET

See Also:
Source RPM: bugzilla-5.0.3-2.mga7.src.rpm
Status comment: Fixed upstream in 5.0.4


Description David Walser 2018-03-11 14:31:33 CET
Fedora has issued an advisory on March 6:

Mageia 6 is also affected.
Comment 1 David Walser 2018-03-11 14:31:55 CET
The issue is fixed upstream in 5.0.4.

Status comment: (none) => Fixed upstream in 5.0.4
Whiteboard: (none) => MGA6TOO

Comment 2 Marja van Waes 2018-03-12 06:10:23 CET
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 3 Shlomi Fish 2018-03-12 18:42:51 CET
Update submitted to both mga7 and mga6 core/updates-testing.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 David Walser 2018-03-13 02:16:49 CET
Testing procedure:


Updated bugzilla packages fix security vulnerability:

A CSRF vulnerability in Bugzilla's report.cgi would allow a third-party site to
extract confidential information from a bug the victim had access to.


Updated packages in core/updates_testing:

from bugzilla-5.0.4-1.mga6.src.rpm

Assignee: shlomif => qa-bugs
Keywords: (none) => has_procedure
CC: (none) => shlomif

Comment 5 claire robinson 2018-03-16 18:32:18 CET
Testing complete mga6 64

Used phpmyadmin to create a database user 'bugs', selected Local, and chose a stupidly complex password so it will pass the password restrictions. Ticked to create a database with the same name and clicked Go at the bottom.

Installed bugzilla.
# urpmi bugzilla bugzilla-contrib

Ran checksetup.pl
# /usr/share/bugzilla/bin/checksetup.pl

Added the database info into /etc/bugzilla/localconfig
# nano /etc/bugzilla/localconfig

Ran checksetup.pl again
# /usr/share/bugzilla/bin/checksetup.pl

Entered an email and details for the admin account.

Restarted httpd.
# systemctl restart httpd.service

Opened http://localhost/bugzilla in a browser, logged in and created a bug report.

Updated bugzilla + bugzilla-contrib and created another bug.

Cleaned up. Used phpmyadmin to remove the bugzilla db user and ticked to delete the database at the same time. Removed bugzilla packages.

Whiteboard: (none) => mga6-64-ok

Comment 6 Lewis Smith 2018-03-17 20:56:53 CET
Thanks Claire for your test, and its carefully crafted model description!
Not sure of the wisdom of removing Bugzilla after all the pain to install it; it will be back!
Validating on the one-is-enough basis (esp x64).

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-19 13:14:21 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
