[ GLSA 200709-18 ] Bugzilla: Multiple vulnerabilities

[GLSA]

Gentoo Linux Security Advisory

Title: Bugzilla: Multiple vulnerabilities (GLSA 200709-18)
Severity: high
Exploitable: remote
Date: September 30, 2007
Updated: May 28, 2009
Bug(s): #190112
ID: 200709-18

Synopsis

Bugzilla contains several vulnerabilities, some of them possibly leading to the remote execution of arbitrary code.

Background

Bugzilla is a web application designed to help with managing software development.

Affected Packages

Package: www-apps/bugzilla
Vulnerable: < 3.0.1
Unaffected: >= 2.20.5 < 2.20.6
Unaffected: >= 2.22.3 < 2.22.4
Unaffected: >= 3.0.1
Unaffected: >= 2.22.5 < 2.22.6
Unaffected: >= 2.20.6 < 2.20.7
Architectures: All supported architectures


Description

Masahiro Yamada found that from the 2.17.1 version, Bugzilla does not properly sanitize the content of the "buildid" parameter when filing bugs (CVE-2007-4543). The next two vulnerabilities only affect Bugzilla 2.23.3 or later, hence the stable Gentoo Portage tree does not contain these two vulnerabilities: Loic Minier reported that the "Email::Send::Sendmail()" function does not properly sanitise "from" email information before sending it to the "-f" parameter of /usr/sbin/sendmail (CVE-2007-4538), and Frederic Buclin discovered that the XML-RPC interface does not correctly check permissions in the time-tracking fields (CVE-2007-4539).

Impact

A remote attacker could trigger the "buildid" vulnerability by sending a specially crafted form to Bugzilla, leading to a persistent XSS, thus allowing for theft of credentials. With Bugzilla 2.23.3 or later, an attacker could also execute arbitrary code with the permissions of the web server by injecting a specially crafted "from" email address and gain access to normally restricted time-tracking information through the XML-RPC service.

Workaround

There is no known workaround at this time.

Resolution

All Bugzilla users should upgrade to the latest version: