Bug 1123172 (CVE-2014-1546)

Summary: CVE-2014-1546 bugzilla: Cross Site Request Forgery issue with Bugzilla's JSONP endpoint
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: itamar, xavier
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bugzilla 4.0.14, bugzilla 4.2.10, bugzilla 4.4.5, bugzilla 4.5.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:45:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1123173    
Bug Blocks:    

Description Murray McAllister 2014-07-25 04:29:31 UTC 
The upstream Bugzilla 4.0.14, 4.2.10, 4.4.5, 4.5.5 releases fix the following issue:

""
Adobe does not properly restrict the SWF file format,
which allows remote attackers to conduct cross-site
request forgery (CSRF) attacks against Bugzilla's JSONP
endpoint, possibly obtaining sensitive bug information,
via a crafted OBJECT element with SWF content satisfying
the character-set requirements of a callback API.

References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1036213
""

The 3.2.10 and 3.4.14 versions in EPEL 5 and 6 appear too old to be affected.

Reference:

http://www.bugzilla.org/security/4.0.13/
Comment 1 Murray McAllister 2014-07-25 04:30:38 UTC 
Created bugzilla tracking bugs for this issue:

Affects: fedora-all [bug 1123173]
Comment 2 Tomas Hoger 2014-07-25 06:48:48 UTC 
Note that the issue was fixed in Adobe Flash, see CVE-2014-4671 (bug 1117588).  The fix in Flash should address the issue, with Bugzilla fix only providing protection to users running outdated Flash.

Details of the attack are in the following blog post:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Other links can be found in bug 1117588 comment 4.
Comment 3 Fedora Update System 2014-08-01 06:02:58 UTC 
bugzilla-4.2.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-08-07 15:33:38 UTC 
bugzilla-4.2.10-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.