Bug 876701 (CVE-2012-4189, CVE-2012-4197, CVE-2012-4198, CVE-2012-4199, CVE-2012-5475, CVE-2012-5883, CVE-2012-5884)

Summary: CVE-2012-4189 CVE-2012-4197 CVE-2012-4198 CVE-2012-4199 CVE-2012-5475 CVE-2012-5883 CVE-2012-5884 bugzilla: multiple security flaws fixed in versions 3.6.12, 4.0.9, 4.2.4, and 4.4rc1
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: emmanuel, itamar, jlieskov, xavier
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-03 19:40:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2012-11-14 18:31:23 UTC 
New bugzilla releases were made available [1] that fix a number of security issues:

Class:       Information Leak
Versions:    3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: If the visibility of a custom field is controlled by
             a product or a component of a product you cannot see,
             their names are disclosed in the JavaScript code
             generated for this custom field despite they should
             remain confidential.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE Number:  CVE-2012-4199

Class:       Information Leak
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: Calling the User.get method with a 'groups' argument leaks
             the existence of the groups depending on whether an error
             is thrown or not. This method now also throws an error if
             the user calling this method does not belong to these
             groups (independently of whether the groups exist or not).
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE Number:  CVE-2012-4198

Class:       Cross-Site Scripting
Versions:    4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.2.4, 4.4rc1
Description: Due to incorrectly filtered field values in tabular
             reports, it is possible to inject code leading to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE Number:  CVE-2012-4189

Class:       Information Leak
Versions:    2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: Trying to mark an attachment in a bug you cannot see as
             obsolete discloses its description in the error message.
             The description of the attachment is now removed from
             the error message.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE Number:  CVE-2012-4197

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: A vulnerability in swfstore.swf from YUI2 allows
             JavaScript injection exploits to be created against
             domains that host this affected YUI .swf file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=808845
             http://yuilibrary.com/support/20121030-vulnerability/
CVE Number:  CVE-2012-5475


Upstream has released versions 3.6.12, 4.0.9, 4.2.4, and 4.4rc1 to correct these flaws.  Patches are available for each issue from the bugzilla links noted in the references above.


[1] http://www.bugzilla.org/security/3.6.11/
Comment 1 Jan Lieskovsky 2012-11-16 13:26:20 UTC 
==

Common Vulnerabilities and Exposures has rejected the CVE-2012-5475 identifier:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-5881,
CVE-2012-5882, CVE-2012-5883. Reason: This candidate is a duplicate
of CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883. Notes: All CVE
users should reference one or more of CVE-2012-5881, CVE-2012-5882,
and CVE-2012-5883 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5475

==

The description for CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883 identifiers is as follows:

1) CVE-2012-5881:
Cross-site scripting (XSS) vulnerability in the Flash component
infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to
inject arbitrary web script or HTML via vectors related to charts.swf,
a similar issue to CVE-2010-4207.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
  http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
  http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
  http://yuilibrary.com/support/20121030-vulnerability/

2) CVE-2012-5882:
Cross-site scripting (XSS) vulnerability in the Flash component
infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to
inject arbitrary web script or HTML via vectors related to
uploader.swf, a similar issue to CVE-2010-4208.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5882
  http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
  http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
  http://yuilibrary.com/support/20121030-vulnerability/

3) CVE-2012-5883:
Cross-site scripting (XSS) vulnerability in the Flash component
infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x
and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web
script or HTML via vectors related to swfstore.swf, a similar issue to
CVE-2010-4209.

References:
  http://www.bugzilla.org/security/3.6.11/
  http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
  http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
  http://yuilibrary.com/support/20121030-vulnerability/
  https://bugzilla.mozilla.org/show_bug.cgi?id=808845
Comment 2 Jan Lieskovsky 2012-11-16 14:04:56 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5884 to the following vulnerability:

The User.get method in Bugzilla/WebService/User.pm in Bugzilla 4.3.2 allows remote attackers to obtain sensitive information about the saved searches of arbitrary users via an XMLRPC request or a JSONRPC request, a different vulnerability than CVE-2012-4198.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5884
  https://bugzilla.mozilla.org/show_bug.cgi?id=697224
  https://bugzilla.mozilla.org/show_bug.cgi?id=781850
Comment 3 Vincent Danen 2013-09-03 19:40:00 UTC 
Just to note, CVE-2012-5881 and CVE-2012-5882 do not affect our shipped versions of Bugzilla in Fedora as they do not contain the vulnerable files.

Current Fedora also has version 4.2.6 which has these fixes.

Current EPEL is shipping versions of Bugzilla that are no longer supported upstream so it's difficult to say whether or not they are affected.