Articles / Debian: Security update for…

Debian: Security update for Bugzilla

Several vulnerabilities were discovered in Bugzilla, a web-based bug tracking system. By inserting particular strings into certain URLs, it was possible to inject both headers and content to any browser. Bugzilla has a “URL” field that can contain several types of URL, including “javascript:” and “data:” URLs. However, it does not make “javascript:” and “data:” URLs into clickable links, to protect against cross-site scripting attacks or other attacks. It was possible to bypass this protection by adding spaces into the URL in places that Bugzilla did not expect them. It was possible for a user to gain unauthorized access to any Bugzilla account in a very short amount of time (short enough that the attack is highly effective).

Various pages were vulnerable to Cross-Site Request Forgery attacks. Most of these issues are not as serious as previous CSRF vulnerabilities. When a user changes his email address, Bugzilla trusts a user-modifiable field for obtaining the current e-mail address to send a confirmation message to. If an attacker has access to the session of another user (for example, if that user left their browser window open in a public place), the attacker could alter this field to cause the email-change notification to go to their own address. For flagmails only, attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications when an attachment flag is edited.

Bugzilla uses an alternate host for attachments when viewing them in raw format to prevent cross-site scripting attacks. This alternate host is now also used when viewing patches in “Raw Unified” mode because Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing, which could lead to the execution of malicious code. Normally, a group name is confidential and is only visible to members of the group, and to non-members if the group is used in bugs. By crafting the URL when creating or editing a bug, it was possible to guess if a group existed or not, even for groups which weren’t used in bugs and so which were supposed to remain confidential.

Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2322-1                   security@debian.org
http://www.debian.org/security/                        Jonathan Wiltshire
October 10, 2011                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bugzilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-201-2979 CVE-2010-4567 CVE-2010-4568 CVE-2010-4572 
                CVE-2011-0046 CVE-2011-0048 CVE-2011-2379 CVE-2011-2380 
                CVE-2011-2381 CVE-2011-2978 

Several vulnerabilities were discovered in Bugzilla, a web-based bug
tracking system.

CVE-2010-4572

 By inserting particular strings into certain URLs, it was
 possible to inject both headers and content to any
 browser.

CVE-2010-4567, CVE-2011-0048

 Bugzilla has a "URL" field that can contain several types
 of URL, including "javascript:" and "data:" URLs. However,
 it does not make "javascript:" and "data:" URLs into
 clickable links, to protect against cross-site scripting
 attacks or other attacks. It was possible to bypass this
 protection by adding spaces into the URL in places that
 Bugzilla did not expect them. Also, "javascript:" and
 "data:" links were *always* shown as clickable to
 logged-out users.

CVE-2010-4568

 It was possible for a user to gain unauthorized access to
 any Bugzilla account in a very short amount of time (short
 enough that the attack is highly effective).

CVE-2011-0046

 Various pages were vulnerable to Cross-Site Request
 Forgery attacks. Most of these issues are not as serious
 as previous CSRF vulnerabilities.

CVE-2011-2978

 When a user changes his email address, Bugzilla trusts
 a user-modifiable field for obtaining the current e-mail
 address to send a confirmation message to. If an attacker
 has access to the session of another user (for example,
 if that user left their browser window open in a public
 place), the attacker could alter this field to cause
 the email-change notification to go to their own address.
 This means that the user would not be notified that his
 account had its email address changed by the attacker.

CVE-2011-2381

 For flagmails only, attachment descriptions with a newline
 in them could lead to the injection of crafted headers in
 email notifications when an attachment flag is edited.

CVE-2011-2379

 Bugzilla uses an alternate host for attachments when
 viewing them in raw format to prevent cross-site scripting
 attacks. This alternate host is now also used when viewing
 patches in "Raw Unified" mode because Internet Explorer 8
 and older, and Safari before 5.0.6 do content sniffing,
 which could lead to the execution of malicious code.

CVE-2011-2380 CVE-201-2979

 Normally, a group name is confidential and is only visible
 to members of the group, and to non-members if the group
 is used in bugs. By crafting the URL when creating or
 editing a bug, it was possible to guess if a group existed
 or not, even for groups which weren't used in bugs and so
 which were supposed to remain confidential.

For the oldstable distribution (lenny), it has not been practical to
backport patches to fix these bugs. Users of bugzilla on lenny are 
strongly advised to upgrade to the version in the squeeze distribution.

For the stable distribution (squeeze), these problems have been fixed in
version 3.6.2.0-4.4.

For the testing distribution (wheezy) and the unstable distribution (sid),
the bugzilla packages have been removed.

We recommend that you upgrade your bugzilla packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk6TGQMACgkQXm3vHE4uylrKoACgpP8nXm2Nj6cmEPNLL5n4VVqQ
cMsAoNuj8KxXmA437xUP1NZqnJrbWwFD
=kZIo
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.