Bug 9088 - Multiple vulnerabilities in bugzilla (CVE-2012-4199,4198,4189,4197,5475, CVE-2013-0785,0786)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/546611/
Whiteboard: has_procedure mga2-32-ok MGA2-64-OK
Keywords: validated_update
Reported: 2013-02-16 19:35 CET by Oden Eriksson
Modified: 2013-04-18 00:22 CEST (History)

Source RPM: bugzilla
Description Oden Eriksson 2013-02-16 19:35:04 CET
Tuesday, Nov 13th, 2012

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* Confidential product and component names can be disclosed to
  unauthorized users if they are used to control the visibility of
  a custom field.

* When calling the 'User.get' WebService method with a 'groups'
  argument, it is possible to check if the given group names exist
  or not.

* Due to incorrectly filtered field values in tabular reports, it is
  possible to inject code which can lead to XSS.

* When trying to mark an attachment in a bug you cannot see as
  obsolete, the description of the attachment is disclosed in the
  error message.

* A vulnerability in swfstore.swf from YUI2 can lead to XSS.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Information Leak
Versions:    3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: If the visibility of a custom field is controlled by
             a product or a component of a product you cannot see,
             their names are disclosed in the JavaScript code
             generated for this custom field even though they should
             remain confidential.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE Number:  CVE-2012-4199

Class:       Information Leak
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: Calling the User.get method with a 'groups' argument leaks
             the existence of the groups depending on whether an error
             is thrown or not. This method now also throws an error if
             the user calling this method does not belong to these
             groups (independently of whether the groups exist or not).
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE Number:  CVE-2012-4198

Class:       Cross-Site Scripting
Versions:    4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.2.4, 4.4rc1
Description: Due to incorrectly filtered field values in tabular
             reports, it is possible to inject code leading to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE Number:  CVE-2012-4189

Class:       Information Leak
Versions:    2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: Trying to mark an attachment in a bug you cannot see as
             obsolete discloses its description in the error message.
             The description of the attachment is now removed from
             the error message.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE Number:  CVE-2012-4197

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: A vulnerability in swfstore.swf from YUI2 allows
             JavaScript injection exploits to be created against
             domains that host this affected YUI .swf file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=808845
             http://yuilibrary.com/support/20121030-vulnerability/
CVE Number:  CVE-2012-5475

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.6.12, 4.0.9, 4.2.4
and 4.4rc1 releases. Upgrading to a release with the relevant fixes
will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

Frédéric Buclin
David Lawrence
Gervase Markham
Mateusz Goik

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.
Comment 1 Oden Eriksson 2013-02-16 19:40:59 CET
This was forgotten for some unknown reason. Additionally this bugzilla installation is affected as well.

Anyway, fixed packages (4.2.4) have been submitted to mga2, updates_testing.

Same version was committed to cauldron, and has to be submitted.
Comment 4 Frédéric Buclin 2013-02-16 22:21:05 CET
Note that we are going to release Bugzilla 4.2.5 next week. It fixes one critical security bug, see https://bugzilla.mozilla.org/show_bug.cgi?id=832256.
Comment 5 Frédéric Buclin 2013-02-19 12:27:20 CET
(In reply to comment #1)
> Same version was committed to cauldron, and has to be submitted.

When will this be done? Note that for Cauldron, you should rather move to the 4.4 branch. 4.4rc1 is already available, and 4.4rc2 is going to be released very soon now.
Comment 6 Oden Eriksson 2013-02-20 11:47:27 CET
Just bumped to 4.2.5 (fixes CVE-2013-0785, CVE-2013-0786).
Comment 7 Oden Eriksson 2013-02-20 11:50:42 CET
And, for this bugzilla installation you need http://www.bugzilla.org/security/3.6.12/
Comment 8 Guillaume Rousse 2013-02-23 13:27:26 CET
Cauldron version has been updated, so I think this ticket can be closed. Also, I don't understand why I'm assigned to it, whereas the maintainer is supposed to be Olav...
Comment 9 David Walser 2013-02-23 14:29:41 CET
As this was pushed in Cauldron, the version can be changed, but as you can see from the comments, Oden has talked about an update for Mageia 2 also.  I guess he doesn't know how we use the whiteboard to indicate two versions.  This should be assigned to QA when the update for Mageia 2 is ready.
Comment 10 David Walser 2013-04-09 19:56:43 CEST
I see this was updated in MBS, but we haven't updated in Mageia 2 yet:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:066/

Oden, has an update been built for Mageia 2 that's ready to test?
Comment 11 Oden Eriksson 2013-04-10 08:32:19 CEST
[qateam@titan ~]$ rchp /mnt/BIG/mirror/mageia/mga2/SRPMS/core/updates_testing/bugzilla-4.2.5-0.1.mga2.src.rpm
* Wed 20 Feb 2013 07:00:00 AM EST oden <oden> 4.2.5-0.1.mga2
+ Revision: 399521
- 4.2.5 (fixes CVE-2013-0785, CVE-2013-0786)
- 4.2.4 (fixes CVE-2012-4199,4198,4189,4197,5475)

  + ovitters <ovitters>
    - new version 4.2.3 (security+bugfixes)
    - fix requirs (mga#6093)

  + fwang <fwang>
    - new version 4.2.1
Comment 12 David Walser 2013-04-10 16:20:24 CEST
Assigning to QA then.

Advisory will be copied from the MDV MBS advisory in Comment 10.
Comment 13 David Walser 2013-04-10 18:23:00 CEST
Advisory:
========================

Updated bugzilla packages fix security vulnerabilities:

The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x
before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before
4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment
is private before presenting the attachment description within a
public comment, which allows remote attackers to obtain sensitive
description information by reading a comment (CVE-2012-1969).

Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and
4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before
4.3.3 does not restrict the characters in a username, which might
allow remote attackers to inject data into an LDAP directory via a
crafted login attempt (CVE-2012-3981).

Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and
4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote
attackers to inject arbitrary web script or HTML via a field value
that is not properly handled during construction of a tabular report,
as demonstrated by the Version field (CVE-2012-4189).

Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before
3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4,
and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to read
attachment descriptions from private bugs via an obsolete=1 insert
action (CVE-2012-4197).

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x
and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x
and 4.4.x before 4.4rc1 has a different outcome for a groups request
depending on whether a group exists, which allows remote authenticated
users to discover private group names by observing whether a call
throws an error (CVE-2012-4198).

template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before
3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4,
and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function
calls containing private product names or private component names
in certain circumstances involving custom-field visibility control,
which allows remote attackers to obtain sensitive information by
reading HTML source code (CVE-2012-4199).

Cross-site scripting (XSS) vulnerability in the Flash component
infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x
and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web
script or HTML via vectors related to swfstore.swf, a similar issue
to CVE-2010-4209 (CVE-2012-5883).

Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla
before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before
4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote attackers to
inject arbitrary web script or HTML via the id parameter in conjunction
with an invalid value of the format parameter (CVE-2013-0785).

The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x
before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different
error messages for invalid product queries depending on whether a
product exists, which allows remote attackers to discover private
product names by using debug mode for a query (CVE-2013-0786).

The updated packages have upgraded to the 4.2.5 version which is not
vulnerable to these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0786
http://www.bugzilla.org/security/3.6.11/
http://www.bugzilla.org/security/3.6.12/
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:066/
========================

Updated packages in core/updates_testing:
========================
bugzilla-4.2.5-0.1.mga2
bugzilla-contrib-4.2.5-0.1.mga2

from bugzilla-4.2.5-0.1.mga2.src.rpm
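Two of the issues above (CVE-2012-4198 in the description and the advisory, and CVE-2013-0786 in Comment 13) are the same pattern: an error that is raised only when a name does not exist turns a lookup into an existence oracle for confidential names. The block below is an added illustration, not Bugzilla code; the group data, error strings and function names are constructed, and it shows a leaky check beside the uniform-error check the fix describes, plus a test that detects the oracle.

```python
"""Existence-oracle check for a group-name lookup, modelled on CVE-2012-4198.

Constructed data; not Bugzilla code. Group names, users and error strings
are assumptions made for this example.
"""


class GroupError(Exception):
    """Error returned to the caller of the hypothetical User.get-style API."""


# Constructed directory: group name -> set of member logins.
GROUPS = {
    "editbugs": {"alice", "bob"},
    "secteam": {"alice"},  # a confidential group only alice should know about
}


def groups_leaky(caller: str, names: list[str]) -> list[str]:
    """Pre-fix behaviour: the outcome depends on whether the group exists,
    so a non-member can enumerate confidential group names by name."""
    resolved = []
    for name in names:
        if name not in GROUPS:
            raise GroupError(f"group '{name}' does not exist")
        if caller not in GROUPS[name]:
            continue  # silently drops groups the caller is not in
        resolved.append(name)
    return resolved


def groups_fixed(caller: str, names: list[str]) -> list[str]:
    """Post-fix behaviour: the same error for any name the caller is not a
    member of, whether or not a group by that name exists."""
    resolved = []
    for name in names:
        if caller not in GROUPS.get(name, set()):
            raise GroupError(f"you are not a member of group '{name}'")
        resolved.append(name)
    return resolved


def probe(fn, caller: str, name: str) -> str:
    """Observable outcome of one call: 'ok' or the error text."""
    try:
        fn(caller, [name])
        return "ok"
    except GroupError as exc:
        return str(exc)


def is_oracle(fn, caller: str, existing: str, nonexistent: str) -> bool:
    """True if an existing-but-forbidden name and a nonexistent name give
    different outcomes (the echoed name itself is normalised away)."""
    seen = probe(fn, caller, existing).replace(existing, "<name>")
    unseen = probe(fn, caller, nonexistent).replace(nonexistent, "<name>")
    return seen != unseen
```

The same `is_oracle` style of test applies to the product lookup in CVE-2013-0786: feed one real private name and one made-up name to the query path and assert the responses are identical.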
Comment 14 claire robinson 2013-04-11 17:51:50 CEST
Testing complete mga2 32

Created mysql database with phpmyadmin

Ran /usr/share/bugzilla/bin/checksetup.pl

edited /etc/bugzilla/localconfig to add the database details

Ran /usr/share/bugzilla/bin/checksetup.pl again and performed the installation.

Logged in and created bugs, added attachments etc
logged out

Updated

Logged in and did the same
Comment 15 Dave Hodgins 2013-04-12 00:07:38 CEST
Testing x86-64 shortly.
Comment 16 Dave Hodgins 2013-04-12 00:33:21 CEST
Testing complete on x86-64.

Could someone from the sysadmin team push the srpm
bugzilla-4.2.5-0.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Please see Comment 13 for the advisory.
Comment 17 Thomas Backlund 2013-04-18 00:22:19 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0117
