Bug 672853 (CVE-2010-4411, CVE-2010-4567, CVE-2010-4568, CVE-2010-4569, CVE-2010-4570, CVE-2010-4572, CVE-2011-0046, CVE-2011-0048)

Summary: bugzilla: multiple security issues
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: itamar, wnefal+redhatbugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-10-04 18:23:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 672856    
Bug Blocks:    

Description Tomas Hoger 2011-01-26 15:33:53 UTC
Bugzilla upstream has released updates fixing multiple security issues:

  http://www.bugzilla.org/security/3.2.9/

Quoting upstream advisory:

  Summary
  =======
  
  Bugzilla is a Web-based bug-tracking system used by a large number of
  software projects.
  
  Recently, Mozilla expanded its security bug bounty program to include web
  applications (http://www.mozilla.org/security/bug-bounty.html). As a result,
  several new security issues affecting Bugzilla were discovered:
  
  * A weakness in Bugzilla could allow a user to gain unauthorized access
    to another Bugzilla account.
  
  * A weakness in the Perl CGI.pm module allows injecting HTTP headers
    and content to users via several pages in Bugzilla.
  
  * The new user autocomplete functionality in Bugzilla 4.0 is vulnerable
    to a cross-site scripting attack.
  
  * The new automatic duplicate detection functionality in Bugzilla 4.0
    is vulnerable to a cross-site scripting attack.
  
  * If you put a harmful "javascript:" or "data:" URL into Bugzilla's
    "URL" field, then there are multiple situations in which Bugzilla
    will unintentionally make that link clickable.
  
  * Various pages lack protection against cross-site request forgeries.
  
  All affected installations are encouraged to upgrade as soon as
  possible.
  
  Vulnerability Details
  =====================
  
  Class:       Account Compromise
  Versions:    2.14 to 3.2.9, 3.4.9, 3.6.3, 4.0rc1
  Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
  Description: It was possible for a user to gain unauthorized access to
               any Bugzilla account in a very short amount of time (short
               enough that the attack is highly effective). This is a
               critical vulnerability that should be patched immediately
               by all Bugzilla installations.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621591
               https://bugzilla.mozilla.org/show_bug.cgi?id=619594
  CVE Number:  CVE-2010-4568
  
  Class:       HTTP Response Splitting
  Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
  Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
  Description: By inserting particular strings into certain URLs, it was
               possible to inject both headers and content to any
               browser.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=591165
               https://bugzilla.mozilla.org/show_bug.cgi?id=621572
               http://avatraxiom.livejournal.com/104105.html
               http://cwe.mitre.org/data/definitions/113.html
  CVE Number:  CVE-2010-2761, CVE-2010-4411, CVE-2010-4572
  
  Class:       Cross-Site Scripting
  Versions:    3.7.1 to 4.0rc1
  Fixed In:    4.0rc2
  Description: Bugzilla 3.7.x and 4.0rc1 have a new client-side
               autocomplete mechanism for all fields where a username
               is entered. This mechanism was vulnerable to a cross-site
               scripting attack.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619637
  CVE Number:  CVE-2010-4569
  
  Class:       Cross-Site Scripting
  Versions:    3.7.1 to 4.0rc1
  Fixed In:    4.0rc2
  Description: Bugzilla 3.7.x and 4.0rc1 have a new mechanism on the
               bug entry page for automatically detecting if the bug
               you are filing is a duplicate of another existing bug.
               This mechanism was vulnerable to a cross-site scripting
               attack.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619648
  CVE Number:  CVE-2010-4570
  
  Class:       Cross-Site Scripting
  Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
  Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
  Description: Bugzilla has a "URL" field that can contain several types
               of URL, including "javascript:" and "data:" URLs. However,
               it does not make "javascript:" and "data:" URLs into
               clickable links, to protect against cross-site scripting
               attacks or other attacks. It was possible to bypass this
               protection by adding spaces into the URL in places that
               Bugzilla did not expect them. Also, "javascript:" and 
               "data:" links were *always* shown as clickable to
               logged-out users.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=619588
               https://bugzilla.mozilla.org/show_bug.cgi?id=628034
  CVE Number:  CVE-2010-4567, CVE-2011-0048
  
  Class:       Cross-Site Request Forgery
  Versions:    Every Version Before 3.2.10, 3.4.10, 3.6.4, 4.0rc2
  Fixed In:    3.2.10, 3.4.10, 3.6.4, 4.0rc2
  Description: Various pages were vulnerable to Cross-Site Request 
               Forgery attacks. Most of these issues are not as serious
               as previous CSRF vulnerabilities. Some of these issues
               were only addressed on more recent branches of Bugzilla
               and not fixed in earlier branches, in order to avoid
               changing behavior that external applications may depend
               on. The links below in "References" describe which issues
               were fixed on which branches.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=621090
               https://bugzilla.mozilla.org/show_bug.cgi?id=621105
               https://bugzilla.mozilla.org/show_bug.cgi?id=621107
               https://bugzilla.mozilla.org/show_bug.cgi?id=621108
               https://bugzilla.mozilla.org/show_bug.cgi?id=621109
               https://bugzilla.mozilla.org/show_bug.cgi?id=621110
  CVE Number:  CVE-2011-0046
  
  Vulnerability Solutions
  =======================
  
  The fixes for these issues are included in the 3.2.10, 3.4.10, 3.6.4,
  and 4.0rc2 releases. Upgrading to a release with the relevant fixes
  will protect your installation from possible exploits of these issues.
  
  If you are unable to upgrade but would like to patch just the
  individual security vulnerabilities, there are patches available for
  each issue at the bugzilla.mozilla.org "References" URLs for the
  vulnerabilities.
  
  Full release downloads, patches to upgrade Bugzilla from previous
  versions, and CVS/bzr upgrade instructions are available at:
  
    http://www.bugzilla.org/download/
  
  Credits
  =======
  
  The Bugzilla team wish to thank the following people/organizations for
  their assistance in locating, advising us of, and assisting us to fix
  this issue:
  
  Willem Pinckaers
  Anonymous ("mozilla11")
  Michal Zalewski
  Michael Brooks (Sitewatch)
  José A. Vázquez
  Reed Loden
  Frédéric Buclin
  Max Kanat-Alexander
  David Lawrence
  Mark Stosberg
  Byron Jones
  Guy Pyrzak
  
  We would especially like to thank Willem Pinckaers of Pine Digital
  Security for discovering--and providing a proof-of-concept exploit
  for--the rather complex but very serious Account Compromise issue.

Some of these issues are not applicable to bugzilla packages currently in Fedora and EPEL.  Additional, Fedora updates for F13 (bugzilla-3.4.10-1.fc13) and F14 (bugzilla-3.6.4-1.fc14) are already available in the testing repositories.

Comment 1 Tomas Hoger 2011-01-26 15:45:45 UTC
Created bugzilla tracking bugs for this issue

Affects: epel-all [bug 672856]