Joined: 12 May 2004
|Posted: Sun Sep 30, 2007 9:26 pm Post subject: [ GLSA 200709-18 ] Bugzilla: Multiple vulnerabilities
|Gentoo Linux Security Advisory
Title: Bugzilla: Multiple vulnerabilities (GLSA 200709-18)
Date: September 30, 2007
Updated: May 28, 2009
Bugzilla contains several vulnerabilities, some of them possibly leading to the remote execution of arbitrary code.
Bugzilla is a web application designed to help with managing software development.
Vulnerable: < 3.0.1
Unaffected: >= 2.20.5 < 2.20.6
Unaffected: >= 2.22.3 < 2.22.4
Unaffected: >= 3.0.1
Unaffected: >= 2.22.5 < 2.22.6
Unaffected: >= 2.20.6 < 2.20.7
Architectures: All supported architectures
Masahiro Yamada found that from the 2.17.1 version, Bugzilla does not properly sanitize the content of the "buildid" parameter when filing bugs (CVE-2007-4543). The next two vulnerabilities only affect Bugzilla 2.23.3 or later, hence the stable Gentoo Portage tree does not contain these two vulnerabilities: Loic Minier reported that the "Email::Send::Sendmail()" function does not properly sanitise "from" email information before sending it to the "-f" parameter of /usr/sbin/sendmail (CVE-2007-4538), and Frederic Buclin discovered that the XML-RPC interface does not correctly check permissions in the time-tracking fields (CVE-2007-4539).
A remote attacker could trigger the "buildid" vulnerability by sending a specially crafted form to Bugzilla, leading to a persistent XSS, thus allowing for theft of credentials. With Bugzilla 2.23.3 or later, an attacker could also execute arbitrary code with the permissions of the web server by injecting a specially crafted "from" email address and gain access to normally restricted time-tracking information through the XML-RPC service.
There is no known workaround at this time.
All Bugzilla users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose www-apps/bugzilla
Last edited by GLSA on Fri May 29, 2009 4:18 am; edited 2 times in total