Bug 1478587

Summary: Bodhi: JavaScript injection in detail view
Product: Fedora
Reporter: Marcel <emarci1993>
Component: bodhi
Assignee: Randy Barlow <randy>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: jeremy, lewk, puiterwijk, randy
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: bodhi-2.9.1-1.fc27 bodhi-2.9.1-1.fc26 bodhi-2.9.1-1.el7
Last Closed: 2017-08-20 18:28:21 UTC
Type: Bug

Description Marcel 2017-08-04 21:18:04 UTC
Description of problem:
It is possible to inject JavaScript into the bodhi webclient.

Version-Release number of selected component (if applicable):
bodhi-2.8.1

How reproducible:
Always

Steps to Reproduce:
1. Open https://bodhi.fedoraproject.org/updates/FEDORA-2017-3c92db10b8
2. Go to tab "Bugs"

Actual results:
You'll see a bug "#1473091 should be optional"

Expected results:
"#1473091 <disk> <driver name=...> should be optional"

Additional info:
The bug summary in this view should be escaped, as the current behavior allows an attacker to create a bug with a summary like "<script src='...'>" and let visitors of bodhi load JS.
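
An added illustration of the escaping the report asks for (example code, not Bodhi's own templates): the same Bugzilla summary rendered verbatim and rendered through Python's html.escape(), plus a small check that flags any tag the template itself did not emit. The sample titles are constructed from the strings quoted in this report; bug number 999999 is a placeholder.

```python
"""Escaping a bug summary before it lands in an HTML page.

Constructed sample input; the first title is the one quoted under
"Expected results" above, the second is the kind of summary the report
warns about (bug id 999999 is a placeholder, not a real bug)."""
import html
import re

SAMPLE_BUGS = {
    1473091: "<disk> <driver name=...> should be optional",
    999999: "<script src='...'>",
}

# Matches anything that a browser would parse as a start or end tag.
TAG_RE = re.compile(r"<[A-Za-z/][^>]*>")


def render_bug_row_unsafe(bug_id: int, title: str) -> str:
    """Vulnerable rendering: the summary is interpolated verbatim, so any
    markup typed into the Bugzilla subject becomes live HTML for every
    visitor of the update page."""
    return f"<li>#{bug_id} {title}</li>"


def render_bug_row_safe(bug_id: int, title: str) -> str:
    """Hardened rendering: html.escape() turns <, >, &, " and ' into
    entities, so the summary is shown as text exactly as Bugzilla stores it
    and the browser never sees a tag that came from user input."""
    return f"<li>#{bug_id} {html.escape(title, quote=True)}</li>"


def unexpected_tags(fragment: str, allowed: frozenset = frozenset({"li"})) -> set:
    """Detection helper for a template test: return the names of all tags in
    the rendered fragment that the template did not emit itself.  An empty
    set means no user-controlled markup survived rendering."""
    names = set()
    for match in TAG_RE.finditer(fragment):
        names.add(match.group(0).split()[0].strip("<>/").lower())
    return names - allowed


if __name__ == "__main__":
    for bug_id, title in SAMPLE_BUGS.items():
        print("unsafe:", render_bug_row_unsafe(bug_id, title),
              "leaks", unexpected_tags(render_bug_row_unsafe(bug_id, title)))
        print("safe:  ", render_bug_row_safe(bug_id, title),
              "leaks", unexpected_tags(render_bug_row_safe(bug_id, title)))
```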

Comment 1 Patrick Uiterwijk 2017-08-10 14:29:58 UTC
This issue has been assigned CVE-2017-1002152.

Comment 2 Randy Barlow 2017-08-10 14:30:52 UTC
In order to take advantage of this, someone would need to set a Bugzilla subject field to text that contains JavaScript and get a packager to create an update that references that bug. Thus, it's more complex than simply typing the JS into Bugzilla's interface directly, and requires a user with elevated privileges (a packager) to perform an action. Certainly not impossible, but not simple either. Thanks for the report!

Comment 3 Randy Barlow 2017-08-10 15:54:13 UTC
Since this is filed publicly here, I have filed this upstream and we will track work on it there.

Comment 4 Jan Kurik 2017-08-15 06:37:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 5 Fedora Update System 2017-08-15 22:30:18 UTC
bodhi-2.9.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090

Comment 6 Fedora Update System 2017-08-15 22:40:51 UTC
bodhi-2.9.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81

Comment 7 Fedora Update System 2017-08-18 20:21:46 UTC
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5344219d81

Comment 8 Fedora Update System 2017-08-19 18:52:06 UTC
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-48f0384090

Comment 9 Fedora Update System 2017-08-20 18:28:21 UTC
bodhi-2.9.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2017-09-02 20:48:52 UTC
bodhi-2.9.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.