Debian Bug report logs - #395094
CVE-2006-545[3-5]: Multiple security issues in bugzilla


Package: bugzilla; Maintainer for bugzilla is Raphael Bossek <bossekr@debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Tue, 24 Oct 2006 21:03:03 UTC

Severity: grave

Tags: confirmed, sarge, security

Fixed in version 2.22.1-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#395094; Package bugzilla.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Date: Tue, 24 Oct 2006 22:38:59 +0200
Package: bugzilla
Severity: grave
Tags: security

Several issues have been found in bugzilla:

CVE-2006-5455:
Cross-site request forgery (CSRF) vulnerability in editversions.cgi in
Bugzilla before 2.22.1 and 2.23.x before 2.23.3 allows user-assisted
remote attackers to create, modify, or delete arbitrary bug reports
via a crafted URL.

CVE-2006-5454:
Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before
2.22.1, and 2.23.x before 2.23.3 allow remote attackers to obtain (1)
the description of arbitrary attachments by viewing the attachment in
"diff" mode in attachment.cgi, and (2) the deadline field by viewing
the XML format of the bug in show_bug.cgi.

CVE-2006-5453:
Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.18.x
before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.22.1, and 2.23.x
before 2.23.3 allow remote authenticated users to inject arbitrary web
script or HTML via (1) page headers using the H1, H2, and H3 HTML tags
in global/header.html.tmpl, (2) description fields of certain items in
various edit cgi scripts, and (3) the id parameter in
showdependencygraph.cgi.

Please mention the CVE ids in the changelog.
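CVE-2006-5455 above is a cross-site request forgery against a state-changing CGI reached through a crafted URL. The standard mitigation, shown here as an added Python example that is neither Bugzilla's code (Bugzilla is written in Perl) nor part of this bug log, is to refuse state changes over GET and to require a token bound to the user's session and to the specific action. The secret, the session ids, the action names and the handler shape are all constructed for the illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed secret for the example; a real deployment loads it from
# protected configuration and rotates it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

ALLOWED_ACTIONS = {"new", "update", "delete"}


def issue_token(session_id: str, action: str) -> str:
    """Token the server embeds in its own edit forms.

    It is an HMAC over the session id and the action, so a token taken from
    another session, or copied from a form for a different action, is refused.
    """
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, action: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the token this session should hold."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id, action), presented)


def handle_edit_version(method: str, session_id: str,
                        params: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical state-changing handler (a stand-in for an editversions-style CGI).

    Returns (HTTP status, message). Every check runs before any change is made,
    so a crafted link (a GET) or a cross-site POST lacking the session-bound
    token never reaches the mutating code.
    """
    if method != "POST":
        return 405, "state changes require POST"
    action = params.get("action", "")
    if action not in ALLOWED_ACTIONS:
        return 400, "unknown action"
    if not token_is_valid(session_id, action, params.get("token")):
        return 403, "missing or invalid token"
    # Only at this point would a real handler touch the database.
    return 200, f"action {action} applied to version {params.get('version', '')!r}"


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(handle_edit_version("GET", sid, {"action": "delete", "version": "1.0"}))
    print(handle_edit_version("POST", sid, {"action": "delete", "version": "1.0",
                                            "token": issue_token(sid, "delete")}))
```

Deriving the token from the session id keeps the example stateless; storing a random per-session token server-side and comparing against it works equally well. The important properties are that the token is not guessable by another site, is checked before any write, and that mutation is never performed in response to a bare GET.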



Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#395094; Package bugzilla.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #10 received at 395094@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 395094@bugs.debian.org
Subject: Re: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Date: Tue, 31 Oct 2006 10:27:34 +0000
Upstream security advisory: http://www.bugzilla.org/security/2.18.5/

These are fixed in 2.22.1 which would be suitable for sid.

There is no upstream fix for the 2.16 series, as used in sarge.  I am
looking at the upstream fix for the 2.18 series to see whether it is
applicable or easily adaptable to 2.16.

Ben.

-- 
Ben Hutchings -- ben@decadentplace.org.uk shortened to ben@decadent.org.uk
If you've signed my GPG key, please send a signature on and to the new uid.
The world is coming to an end.  Please log off.

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#395094; Package bugzilla.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #15 received at 395094@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 395094@bugs.debian.org
Subject: Re: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Date: Tue, 31 Oct 2006 10:27:47 +0000
Based on the advisory at http://www.bugzilla.org/security/2.18.5/ I
would say that:

CVE-2006-5455 corresponds to
https://bugzilla.mozilla.org/show_bug.cgi?id=281181

"Although technically this affects all versions of Bugzilla, it has only
been fixed on our most recent release (2.22.1 and our latest development
snapshot, 2.23.3), because the fix was too invasive to backport
further."

CVE-2006-5454 corresponds to
https://bugzilla.mozilla.org/show_bug.cgi?id=346086 and
https://bugzilla.mozilla.org/show_bug.cgi?id=346564

Doesn't apply to 2.16.7 (the version in sarge).

CVE-2006-5453 corresponds to
https://bugzilla.mozilla.org/show_bug.cgi?id=330555
https://bugzilla.mozilla.org/show_bug.cgi?id=206037 and
https://bugzilla.mozilla.org/show_bug.cgi?id=355728

Applies to both sarge and sid.  I am attaching the diffs from CVS that
are supposed to fix these individual bugs in the 2.18 branch, with paths
modified to match the release tarball.  These are based on the list at
http://bonsai.mozilla.org/cvsquery.cgi?mindate=2006-02-21+00:00&maxdate=2006-10-15+2:30&branch=BUGZILLA-2_18-BRANCH&module=Bugzilla&sortby=Date&date=explicit

I have adapted two of them to the version in sarge (2.16.7) and am
attaching those patches as well.  The third will require a fair bit more
work.

Ben.

-- 
Ben Hutchings -- ben@decadentplace.org.uk shortened to ben@decadent.org.uk
If you've signed my GPG key, please send a signature on and to the new uid.
The world is coming to an end.  Please log off.
[bugzilla-2.16.7-fix-330555.patch (text/x-patch, attachment)]
[bugzilla-2.16.7-fix-355728.patch (text/x-patch, attachment)]
[bugzilla-2.18.6-fix-206037.patch (text/x-patch, attachment)]
[bugzilla-2.18.6-fix-330555.patch (text/x-patch, attachment)]
[bugzilla-2.18.6-fix-355728.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#395094; Package bugzilla.

Acknowledgement sent to Alexis Sukrieh <sukria@debian.org>:
Extra info received and forwarded to list.

Message #20 received at 395094@bugs.debian.org:

From: Alexis Sukrieh <sukria@debian.org>
To: Ben Hutchings <ben@decadent.org.uk>, 395094@bugs.debian.org
Subject: Re: Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Date: Sat, 4 Nov 2006 00:24:11 +0100
tags 395094 + confirmed
thanks

* Ben Hutchings (ben@decadent.org.uk) :
> Upstream security advisory: http://www.bugzilla.org/security/2.18.5/
> 
> These are fixed in 2.22.1 which would be suitable for sid.

I'm working on the packaging of that new upstream release.
 
-- 
Alexis Sukrieh <sukria@sukria.net>
                                    0x1EE5DD34
Debian                   http://www.debian.org
Backup Manager   http://www.backup-manager.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#395094; Package bugzilla.

Acknowledgement sent to Alexis Sukrieh <sukria@debian.org>:
Extra info received and forwarded to list.

Message #25 received at 395094@bugs.debian.org:

From: Alexis Sukrieh <sukria@debian.org>
To: Ben Hutchings <ben@decadent.org.uk>, 395094@bugs.debian.org
Subject: Re: Bug#395094: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Date: Sat, 4 Nov 2006 00:27:20 +0100
* Ben Hutchings (ben@decadent.org.uk) :
> Based on the advisory at http://www.bugzilla.org/security/2.18.5/ I
> would say that:
[...]

Ben, thanks a lot for your work regarding that issue.
If you have an alioth account, feel free to ask Sean Finney to add you
to the webapps-common team, so you can commit to the bugzilla SVN repo.

I'm going to review and apply your patches as soon as possible.

Thanks again, your help is pretty welcome, as bugzilla really needs
attention, time and work.
 
Regards,

-- 
Alexis Sukrieh <sukria@sukria.net>
                                    0x1EE5DD34
Debian                   http://www.debian.org
Backup Manager   http://www.backup-manager.org



Tags added: confirmed. Request was from Alexis Sukrieh <sukria@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#395094; Package bugzilla.

Acknowledgement sent to Alexis Sukrieh <sukria@debian.org>:
Extra info received and forwarded to list.

Message #32 received at 395094@bugs.debian.org:

From: Alexis Sukrieh <sukria@debian.org>
To: 395094@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>, Ben Hutchings <ben@decadent.org.uk>
Subject: [bugzilla #395094] bug only affects sarge now
Date: Sat, 4 Nov 2006 01:25:19 +0100
tags 395094 + sarge
thanks

I've just uploaded bugzilla 2.22.1 to sid, urgency set to high.
That bug is now closed in sid.

We can focus on the sarge patches now.

-- 
Alexis Sukrieh <sukria@sukria.net>
                                    0x1EE5DD34
Debian                   http://www.debian.org
Backup Manager   http://www.backup-manager.org



Tags added: sarge. Request was from Alexis Sukrieh <sukria@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Webapps Team <webapps-common-packages@lists.alioth.debian.org>:
Bug#395094; Package bugzilla.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Webapps Team <webapps-common-packages@lists.alioth.debian.org>.

Message #39 received at 395094@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 395094@bugs.debian.org
Subject: Re: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Date: Tue, 07 Nov 2006 02:45:42 +0000
Here's the last patch.  The template changes are quite a bit different.
I think I got all the necessary changes (the # marks in
filterexceptions.pl were a clue!) but it's hard to be sure.  The test
suite shows no regressions after the three patches are applied, so the
templates do end up consistent with filterexceptions.pl.

Ben.

-- 
Ben Hutchings
It's easier to fight for one's principles than to live up to them.
[bugzilla-2.16.7-fix-206037.patch (text/x-patch, attachment)]
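Ben's note above relies on Bugzilla's test suite to confirm that the adapted templates stay consistent with filterexceptions.pl. Bugzilla's own check is a Perl test (t/008filter.t) that flags every template directive emitting a value without an output filter, unless filterexceptions.pl lists that expression for that template; this is how the XSS class in CVE-2006-5453 (unescaped header variables and similar) is kept from recurring. The following is an added Python re-creation of that idea, not Bugzilla's code and not part of this bug log. The sample template, the exceptions table and the keyword and filter lists are constructed for the example and are a simplification of the real rules.

```python
import re
from typing import Dict, List, Set, Tuple

# One Template Toolkit directive: [% ... %], optionally with chomping dashes.
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)

# Directives opening with these keywords control flow or load other files;
# they print nothing, so they are not an escaping concern. (Assumed subset.)
CONTROL = re.compile(
    r"^(IF|ELSIF|ELSE|END|FOREACH|UNLESS|USE|SET|PROCESS|INCLUDE|BLOCK|"
    r"DEFAULT|CALL|WRAPPER|RETURN|TRY|CATCH|SWITCH|CASE|NEXT|LAST|FILTER|"
    r"MACRO|INSERT|STOP)\b")

# Output filters accepted as escaping. "none" is an explicit opt-out that a
# reviewer should still read, but it at least marks the raw output as
# deliberate rather than forgotten. (Assumed list.)
SAFE_FILTERS = ("html_light", "html", "uri", "js", "csv", "none")
FILTERED = re.compile(r"\bFILTER\s+(%s)\b" % "|".join(SAFE_FILTERS))
ASSIGNMENT = re.compile(r"^[A-Za-z_][\w.]*\s*=[^=]")


def unfiltered_directives(template_name: str, template_text: str,
                          exceptions: Dict[str, Set[str]]) -> List[Tuple[int, str]]:
    """Return (line, expression) for each value-emitting directive that carries
    no output filter and is not excepted for this template."""
    allowed = exceptions.get(template_name, set())
    findings: List[Tuple[int, str]] = []
    for m in DIRECTIVE.finditer(template_text):
        body = m.group(1)
        if body.startswith("#") or CONTROL.match(body) or ASSIGNMENT.match(body):
            continue                      # comment, control flow or assignment
        if FILTERED.search(body):
            continue                      # escaped (or explicitly opted out)
        expr = re.split(r"\s+FILTER\b", body)[0].strip()
        if expr in allowed:
            continue                      # listed in the exceptions table
        line = template_text.count("\n", 0, m.start()) + 1
        findings.append((line, expr))
    return findings


# Constructed template fragment in the style of a page header; not Bugzilla's file.
SAMPLE_TEMPLATE = """[% PROCESS global/variables.none.tmpl %]
<h1>[% h1 %]</h1>
<h2>[% h2 FILTER html %]</h2>
<h3>[% h3 FILTER none %]</h3>
[% IF header_addl_info %]<p>[% header_addl_info FILTER html %]</p>[% END %]
<a href="show_bug.cgi?id=[% bug_id FILTER uri %]">[% terms.bug %]</a>
"""

# Constructed stand-in for filterexceptions.pl: expressions accepted as safe
# for a given template path (here a fixed vocabulary term).
SAMPLE_EXCEPTIONS: Dict[str, Set[str]] = {"global/header.html.tmpl": {"terms.bug"}}


def run_example() -> List[Tuple[int, str]]:
    """Scan the constructed header template; only the raw <h1> variable should remain."""
    return unfiltered_directives("global/header.html.tmpl", SAMPLE_TEMPLATE,
                                 SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    for line, expr in run_example():
        print(f"global/header.html.tmpl:{line}: unfiltered directive [% {expr} %]")
```

Run against a tree of templates, a scanner like this turns "did I escape every output?" into a diff against a reviewed allow-list, which is exactly the property that made the test suite useful for judging a hand-adapted backport: an exception that is added without a matching review, or a directive that loses its filter, shows up as a failing test rather than as a silent regression.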

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #44 received at 395094-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 395094-done@bugs.debian.org
Subject: Re: CVE-2006-545[3-5]: Multiple security issues in bugzilla
Date: Wed, 8 Nov 2006 06:20:48 -0800
Version: 2.22.1-1

This bug has been fixed in testing and unstable with the upload of version
2.22.1-1, so I'm closing it (with a Version: pseudoheader) to document this
status as completely as possible.

The bug still affects the version of bugzilla in sarge.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 06:07:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 15:53:00 2014; Machine Name: buxtehude.debian.org
