(Conectiva Issues Fix) Bugzilla May Disclose Data Summaries to Remote Users and Let Privileged Authenticated Users Execute Arbitrary SQL Commands
SecurityTracker Alert ID: 1008107
SecurityTracker URL: http://securitytracker.com/id/1008107
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 5 2003
Impact:
Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 2.16.4; also the development snapshots prior to 2.17.5
Description:
Several security vulnerabilities were reported in Bugzilla. A remote user can gain access to certain data. A remote authenticated user with certain privileges can inject arbitrary SQL commands.
It is reported that a remote authenticated user with 'editproducts' privileges can assign a specially crafted name to a product to cause arbitrary SQL to be executed by the daily statistics cron job (collectstats.pl) [Bugzilla Bug ID 214290; http://bugzilla.mozilla.org/show_bug.cgi?id=214290]. Versions 2.16.3 and earlier are affected, but versions 2.17.1 and later are not.
It is also reported that a remote authenticated user with 'editkeywords' privileges can invoke a specially crafted version of a URL used to edit an existing keyword to cause arbitrary SQL to be executed [Bugzilla Bug ID 219044; http://bugzilla.mozilla.org/show_bug.cgi?id=219044]. Versions 2.16.3 and earlier and versions 2.17.1 through 2.17.4 are affected.
It is also reported that the software does not properly keep track of certain user privileges [Bugzilla Bug ID 219690; http://bugzilla.mozilla.org/show_bug.cgi?id=219690]. If the 'usebuggroups' parameter is set and a product is deleted, the software does not remove the privilege to add users to that group ID number, the report said. As a result, if the group ID number is later re-used, some users may already hold the privilege to add users to the new group. Versions 2.16.3 and earlier are affected.
It is also reported that a remote user can obtain the summary of a secure bug if the user knows the email address of a user that has voted on the secure bug [Bugzilla Bug ID 209376; http://bugzilla.mozilla.org/show_bug.cgi?id=209376].
Finally, it is reported that in versions 2.17.3 and 2.17.4, a remote user can gain access to component descriptions for a product that the user is not authorized to access [Bugzilla Bug ID 209742; http://bugzilla.mozilla.org/show_bug.cgi?id=209742].
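As an added illustration, not code from Bugzilla or from the advisory, the following Python sketch shows the defect class behind the two SQL injection items above: a stored, user-controlled product name is spliced into SQL text instead of being bound as a query parameter. The table names, the statistics routine and the sample rows are constructed for this example and are not Bugzilla's schema (Bugzilla's own scripts are Perl). A product name that merely contains an apostrophe is enough to change the query's structure in the unsafe variant, which is also the symptom a defender can watch for: a nightly job that dies with a SQL syntax error on an unusual product name.

```python
import sqlite3

# Constructed sample data standing in for a products table and a bugs table.
# Names and schema are assumptions for this illustration, not Bugzilla's.
PRODUCTS = ["Browser", "Mail"]
BUGS = [("Browser", "crash on start"), ("Browser", "bad render"), ("Mail", "lost folder")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE bugs (product TEXT, summary TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(p,) for p in PRODUCTS])
    conn.executemany("INSERT INTO bugs VALUES (?, ?)", BUGS)
    return conn


def count_bugs_unsafe(conn, product):
    # Vulnerable pattern: a stored name that an 'editproducts' user controls is
    # spliced into the SQL text, so any quote characters in it become SQL syntax.
    sql = "SELECT COUNT(*) FROM bugs WHERE product = '%s'" % product
    return conn.execute(sql).fetchone()[0]


def count_bugs_safe(conn, product):
    # Hardened pattern: the name is bound as a parameter and stays data.
    sql = "SELECT COUNT(*) FROM bugs WHERE product = ?"
    return conn.execute(sql, (product,)).fetchone()[0]


def nightly_stats(conn, counter):
    # Stand-in for a statistics job that walks every stored product name.
    names = [row[0] for row in conn.execute("SELECT name FROM products")]
    return {name: counter(conn, name) for name in names}


def run_demo():
    """Add a product whose name contains an apostrophe, then run both variants."""
    conn = make_db()
    conn.execute("INSERT INTO products VALUES (?)", ("Bob's Tools",))
    conn.execute("INSERT INTO bugs VALUES (?, ?)", ("Bob's Tools", "wrench missing"))
    try:
        unsafe = nightly_stats(conn, count_bugs_unsafe)
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early and the job died on a
        # syntax error; other characters could instead run with altered meaning.
        unsafe = "error: %s" % exc
    safe = nightly_stats(conn, count_bugs_safe)
    return unsafe, safe


if __name__ == "__main__":
    print(run_demo())
```

The safe variant returns a correct count for every product, apostrophe included; the unsafe one fails as soon as stored data is allowed to shape the query. Binding parameters (DBI placeholders in Perl, `?` in the sqlite3 module here) is the fix class for both the collectstats.pl and the editkeywords items, and a job that suddenly errors on a newly renamed product is worth treating as a signal rather than a nuisance.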
Impact:
A remote user can gain access to data summaries and component descriptions in certain cases.
A remote user may be granted access to groups in certain cases.
A remote authenticated and privileged user may be able to execute arbitrary SQL commands.
Solution:
Conectiva has released a fix.
ftp://atualizacoes.conectiva.com.br/9/SRPMS/bugzilla-2.16.4-29154U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/bugzilla-2.16.4-29154U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/bugzilla-doc-2.16.4-29154U90_1cl.i386.rpm
Vendor URL: www.bugzilla.org/
Cause:
Access control error, Input validation error
Underlying OS:
Linux (Conectiva)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Wed, 5 Nov 2003 18:29:49 -0200
Subject: [conectiva-updates] [CLA-2003:774] Conectiva Security Announcement - bugzilla
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : bugzilla
SUMMARY : Fix for several vulnerabilities
DATE : 2003-11-05 18:27:00
ID : CLA-2003:774
RELEVANT RELEASES : 9
- -------------------------------------------------------------------------
DESCRIPTION
Bugzilla[1] is a bug tracking system used by many software projects.
Several vulnerabilities have been announced[2] and are being fixed in
this update.
1. SQL injection in "collectstats.pl" [3]
A user with 'editproducts' privileges (usually an administrator) can
select arbitrary SQL commands to be run by the nightly statistics
cron job (collectstats.pl) by giving a product a carefully crafted
name.
2. SQL injection in "editkeywords" [4]
A user with 'editkeywords' privileges (usually an administrator) can
inject arbitrary SQL commands via the URL used to edit an existing
keyword.
3. Privilege mishandling [5]
When deleting products and the 'usebuggroups' parameter is on, the
privilege which allows someone to add people to the group which is
being deleted does not get removed, allowing users with that
privilege to get that privilege for the next group that is created
which reuses that group ID. This only allows someone who had been
granted privileges in the past to retain them.
4. Information leak [6]
If the email address of someone who has voted on a restricted ticket
is known, the summary of that ticket can be accessed by users who
would usually have no such privileges.
SOLUTION
It is recommended that all bugzilla users upgrade their packages.
IMPORTANT: after the upgrade, please run the following bugzilla
script:
/srv/www/default/html/bugzilla/checksetup.pl
This script will make all necessary adjustments for this upgrade as
well as alert about possible problems.
REFERENCES
1. http://www.bugzilla.org
2. http://www.bugzilla.org/security/2.16.3/
3. http://bugzilla.mozilla.org/show_bug.cgi?id=214290
4. http://bugzilla.mozilla.org/show_bug.cgi?id=219044
5. http://bugzilla.mozilla.org/show_bug.cgi?id=219690
6. http://bugzilla.mozilla.org/show_bug.cgi?id=209376
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/SRPMS/bugzilla-2.16.4-29154U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/bugzilla-2.16.4-29154U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/bugzilla-doc-2.16.4-29154U90_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE/qV2842jd0JmAcZARAjbAAKClP/7LsTacBJHUqE5KhgbqvVfDgACdHPgH
ZU/DP76tUuO3ZZui+bhS3rc=
=56J0
-----END PGP SIGNATURE-----
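Item 3 of the advisory above (add-user privileges that survive product deletion and then attach to whichever new group reuses the freed group ID) can be modelled in a few lines. The following Python toy is added here and is not Bugzilla's code: the tables, the lowest-free-ID allocation and the user names are assumptions chosen to reproduce the behaviour the advisory describes. It contrasts a deletion that leaves the privilege rows behind with one that revokes them first, and includes the audit query an administrator could run after upgrading to find privilege rows that point at no existing group.

```python
import sqlite3

# Toy model of the 'usebuggroups' privilege problem (Bugzilla bug 219690).
# Table and column names are assumptions for this illustration, not Bugzilla's schema.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE products (name TEXT PRIMARY KEY, group_id INTEGER)")
    # One row per (user, group) pair that lets the user add people to that group.
    conn.execute("CREATE TABLE add_privs (user TEXT, group_id INTEGER)")
    return conn


def next_group_id(conn):
    # Assumption mirroring the advisory: a deleted group's numeric ID is handed out again.
    used = {row[0] for row in conn.execute("SELECT id FROM groups")}
    gid = 1
    while gid in used:
        gid += 1
    return gid


def create_product(conn, name):
    # Each product gets its own group, as with 'usebuggroups' turned on.
    gid = next_group_id(conn)
    conn.execute("INSERT INTO groups VALUES (?, ?)", (gid, name))
    conn.execute("INSERT INTO products VALUES (?, ?)", (name, gid))
    return gid


def grant_add_priv(conn, user, gid):
    conn.execute("INSERT INTO add_privs VALUES (?, ?)", (user, gid))


def group_of(conn, product_name):
    (gid,) = conn.execute("SELECT group_id FROM products WHERE name = ?", (product_name,)).fetchone()
    return gid


def delete_product_buggy(conn, name):
    # Vulnerable behaviour: the group row goes away but its add_privs rows survive.
    gid = group_of(conn, name)
    conn.execute("DELETE FROM products WHERE name = ?", (name,))
    conn.execute("DELETE FROM groups WHERE id = ?", (gid,))


def delete_product_fixed(conn, name):
    # Hardened: revoke every privilege tied to the group before its ID can be reused.
    gid = group_of(conn, name)
    conn.execute("DELETE FROM add_privs WHERE group_id = ?", (gid,))
    conn.execute("DELETE FROM products WHERE name = ?", (name,))
    conn.execute("DELETE FROM groups WHERE id = ?", (gid,))


def can_add_to_group(conn, user, gid):
    row = conn.execute("SELECT 1 FROM add_privs WHERE user = ? AND group_id = ?", (user, gid)).fetchone()
    return row is not None


def dangling_privs(conn):
    # Audit query: privilege rows whose group no longer exists. Run this before
    # any new group can be created, because afterwards the rows look legitimate.
    rows = conn.execute(
        "SELECT user, group_id FROM add_privs WHERE group_id NOT IN (SELECT id FROM groups)"
    )
    return [tuple(r) for r in rows]


def scenario(delete_product):
    """Grant alice the add-user privilege on one product's group, delete the
    product, then create a new product and see whether the privilege carried over."""
    conn = make_db()
    old = create_product(conn, "OldProduct")
    grant_add_priv(conn, "alice", old)
    delete_product(conn, "OldProduct")
    stale = dangling_privs(conn)
    new = create_product(conn, "NewProduct")  # reuses the freed ID
    return {
        "reused_id": new == old,
        "stale_rows": stale,
        "alice_can_add": can_add_to_group(conn, "alice", new),
    }


if __name__ == "__main__":
    print("buggy:", scenario(delete_product_buggy))
    print("fixed:", scenario(delete_product_fixed))
```

With the buggy deletion the audit shows a dangling ("alice", 1) row and alice can add users to NewProduct's group without anyone granting that; with the fixed deletion the audit is empty and the new group starts clean. The general lesson is that an access-control row keyed on a reusable numeric ID must be removed in the same step as the object it refers to, and that a stale-row audit is cheap to run after an upgrade.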