Security advisory for Bugzilla 4.4rc1, 4.2.4, 4.0.9 and 3.6.12

2012-11-18T00:00:00
ID SECURITYVULNS:DOC:28767
Type securityvulns
Reporter Securityvulns
Modified 2012-11-18T00:00:00

Description

Summary

Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issues have been discovered in Bugzilla:

  • Confidential product and component names can be disclosed to unauthorized users if they are used to control the visibility of a custom field.

  • When calling the 'User.get' WebService method with a 'groups' argument, it is possible to check if the given group names exist or not.

  • Due to incorrectly filtered field values in tabular reports, it is possible to inject code which can lead to XSS.

  • When trying to mark an attachment in a bug you cannot see as obsolete, the description of the attachment is disclosed in the error message.

  • A vulnerability in swfstore.swf from YUI2 can lead to XSS.

All affected installations are encouraged to upgrade as soon as possible.

Vulnerability Details

Class: Information Leak Versions: 3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3 Fixed In: 3.6.12, 4.0.9, 4.2.4, 4.4rc1 Description: If the visibility of a custom field is controlled by a product or a component of a product you cannot see, their names are disclosed in the JavaScript code generated for this custom field despite they should remain confidential. References: https://bugzilla.mozilla.org/show_bug.cgi?id=731178 CVE Number: CVE-2012-4199

Class: Information Leak Versions: 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3 Fixed In: 4.0.9, 4.2.4, 4.4rc1 Description: Calling the User.get method with a 'groups' argument leaks the existence of the groups depending on whether an error is thrown or not. This method now also throws an error if the user calling this method does not belong to these groups (independently of whether the groups exist or not). References: https://bugzilla.mozilla.org/show_bug.cgi?id=781850 CVE Number: CVE-2012-4198

Class: Cross-Site Scripting Versions: 4.1.1 to 4.2.3, 4.3.1 to 4.3.3 Fixed In: 4.2.4, 4.4rc1 Description: Due to incorrectly filtered field values in tabular reports, it is possible to inject code leading to XSS. References: https://bugzilla.mozilla.org/show_bug.cgi?id=790296 CVE Number: CVE-2012-4189

Class: Information Leak Versions: 2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3 Fixed In: 3.6.12, 4.0.9, 4.2.4, 4.4rc1 Description: Trying to mark an attachment in a bug you cannot see as obsolete discloses its description in the error message. The description of the attachment is now removed from the error message. References: https://bugzilla.mozilla.org/show_bug.cgi?id=802204 CVE Number: CVE-2012-4197

Class: Cross-Site Scripting Versions: 3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3 Fixed In: 4.0.9, 4.2.4, 4.4rc1 Description: A vulnerability in swfstore.swf from YUI2 allows JavaScript injection exploits to be created against domains that host this affected YUI .swf file. References: https://bugzilla.mozilla.org/show_bug.cgi?id=808845 http://yuilibrary.com/support/20121030-vulnerability/ CVE Number: CVE-2012-5475

Vulnerability Solutions

The fixes for these issues are included in the 3.6.12, 4.0.9, 4.2.4 and 4.4rc1 releases. Upgrading to a release with the relevant fixes will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the individual security vulnerabilities, there are patches available for each issue at the "References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS/bzr upgrade instructions are available at:

http://www.bugzilla.org/download/

Credits

The Bugzilla team wish to thank the following people/organizations for their assistance in locating, advising us of, and assisting us to fix this issue:

Frйdйric Buclin David Lawrence Gervase Markham Mateusz Goik

General information about the Bugzilla bug-tracking system can be found at:

http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla newsgroup or the support-bugzilla mailing list. http://www.bugzilla.org/support/ has directions for accessing these forums.