Bug 22735 - bugzilla new security issue CVE-2018-5123
Summary: bugzilla new security issue CVE-2018-5123
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-11 14:31 CET by David Walser
Modified: 2018-03-19 13:14 CET (History)
3 users (show)

See Also:
Source RPM: bugzilla-5.0.3-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 5.0.4

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-03-11 14:31:33 CET 
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P5C2KWZ264F2MRWTJ2AJWMBZX7MOKV4W/

Mageia 6 is also affected.
Comment 1 David Walser 2018-03-11 14:31:55 CET 
The issue is fixed upstream in 5.0.4.

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 5.0.4

Comment 2 Marja Van Waes 2018-03-12 06:10:23 CET 
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 3 Shlomi Fish 2018-03-12 18:42:51 CET 
Update submitted to both mga7 and mga6 core/updates-testing.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 David Walser 2018-03-13 02:16:49 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9088#c14

Advisory:
========================

Updated bugzilla packages fix security vulnerability:

A CSRF vulnerability in Bugzilla's report.cgi would allow a third-party site to
extract confidential information from a bug the victim had access to
(CVE-2018-5123).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5123
https://www.bugzilla.org/security/4.4.12/
https://www.bugzilla.org/releases/5.0.4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P5C2KWZ264F2MRWTJ2AJWMBZX7MOKV4W/
========================

Updated packages in core/updates_testing:
========================
bugzilla-5.0.4-1.mga6
bugzilla-contrib-5.0.4-1.mga6

from bugzilla-5.0.4-1.mga6.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Keywords: (none) => has_procedure

Comment 5 claire robinson 2018-03-16 18:32:18 CET 
Testing complete mga6 64

Used phpmyadmin to create a database user 'bugs', selected Local, and chose a stupidly complex password so it will pass the password restrictions. Ticked to create a database with the same name and clicked Go at the bottom.

Installed bugzilla.
# urpmi bugzilla bugzilla-contrib

Ran checksetup.pl
# /usr/share/bugzilla/bin/checksetup.pl

Added the database info into /etc/bugzilla/localconfig
# nano /etc/bugzilla/localconfig

Ran checksetup.pl again
# /usr/share/bugzilla/bin/checksetup.pl

Entered an email and details for the admin account.

Restarted httpd.
# systemctl restart httpd.service

Opened http://localhost/bugzilla in a browser, logged in and created a bug report.

Updated bugzilla + bugzilla-contrib and created another bug.

Cleaned up. Used phpmyadmin to remove the bugzilla db user and ticked to delete the database at the same time. Removed bugzilla packages.

Whiteboard: (none) => mga6-64-ok

Comment 6 Lewis Smith 2018-03-17 20:56:53 CET 
Thanks Claire for your test, and its carefully crafted model description!
Not sure of the wisdom of removing Bugzilla after all the pain to install it; it will be back!
Validating on the one-is-enough basis (esp x64).

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-19 13:14:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0173.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.