[bugzilla/el6] CVE-2012-0466

Xavier Bachelot xavierb at fedoraproject.org
Fri Apr 20 01:19:11 UTC 2012


commit 684bbcd5e5d2b62d01125b82de421cb225669d90
Author: Xavier Bachelot <xavier at bachelot.org>
Date:   Fri Apr 20 02:32:34 2012 +0200

    CVE-2012-0466

 bugzilla-3.4.14-CVE-2012-0466.patch |   84 +++++++++++++++++++++++++++++++++++
 bugzilla.spec                       |    7 +++-
 2 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/bugzilla-3.4.14-CVE-2012-0466.patch b/bugzilla-3.4.14-CVE-2012-0466.patch
new file mode 100644
index 0000000..7489b1f
--- /dev/null
+++ b/bugzilla-3.4.14-CVE-2012-0466.patch
@@ -0,0 +1,84 @@
+=== modified file 'buglist.cgi'
+--- buglist.cgi	2012-04-17 18:41:05 +0000
++++ buglist.cgi	2012-04-18 12:06:08 +0000
+@@ -112,16 +112,6 @@
+     $cgi->param('ctype', "atom");
+ }
+ 
+-# The js ctype presents a security risk; a malicious site could use it  
+-# to gather information about secure bugs. So, we only allow public bugs to be
+-# retrieved with this format.
+-#
+-# Note that if and when this call clears cookies or has other persistent 
+-# effects, we'll need to do this another way instead.
+-if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
+-    Bugzilla->logout_request();
+-}
+-
+ # An agent is a program that automatically downloads and extracts data
+ # on its user's behalf.  If this request comes from an agent, we turn off
+ # various aspects of bug list functionality so agent requests succeed
+
+=== modified file 'docs/en/xml/using.xml'
+--- docs/en/xml/using.xml	2011-01-28 16:30:29 +0000
++++ docs/en/xml/using.xml	2012-04-18 12:06:08 +0000
+@@ -659,16 +659,6 @@
+         </member>
+       </simplelist>
+       </para>
+-
+-      <para>
+-        If you would like to access the bug list from another program
+-        it is often useful to have the list returned in something other
+-        than HTML. By adding the ctype=type parameter into the bug list URL
+-        you can specify several alternate formats. Besides the types described
+-        above, the following formats are also supported: ECMAScript, also known
+-        as JavaScript (ctype=js), and Resource Description Framework RDF/XML
+-        (ctype=rdf).
+-      </para>
+     </section>
+ 
+     <section id="individual-buglists">
+
+=== removed file 'template/en/default/list/list.js.tmpl'
+--- template/en/default/list/list.js.tmpl	2007-08-20 23:24:38 +0000
++++ template/en/default/list/list.js.tmpl	1970-01-01 00:00:00 +0000
+@@ -1,37 +0,0 @@
+-[%# The contents of this file are subject to the Mozilla Public
+-  # License Version 1.1 (the "License"); you may not use this file
+-  # except in compliance with the License. You may obtain a copy of
+-  # the License at http://www.mozilla.org/MPL/
+-  #
+-  # Software distributed under the License is distributed on an "AS
+-  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+-  # implied. See the License for the specific language governing
+-  # rights and limitations under the License.
+-  #
+-  # The Original Code is the Bugzilla Bug Tracking System.
+-  #
+-  # The Initial Developer of the Original Code is Netscape Communications
+-  # Corporation. Portions created by Netscape are
+-  # Copyright (C) 1998 Netscape Communications Corporation. All
+-  # Rights Reserved.
+-  #
+-  # Contributor(s): Gervase Markham <gerv at gerv.net>
+-  #%]
+-
+-// Note: only publicly-accessible bugs (those not in any group) will be
+-// listed when using this JavaScript format. This is to prevent malicious
+-// sites stealing information about secure bugs.
+-  
+-bugs = new Array; 
+-
+-[% FOREACH bug = bugs %]
+-  bugs[[% bug.bug_id %]] = [ 
+-    [% FOREACH column = displaycolumns %]
+-      "[%- bug.$column FILTER js -%]"[% "," UNLESS loop.last %]
+-    [% END %]
+-  ];
+-[% END %]
+-
+-if (window.buglistCallback) {
+-  buglistCallback(bugs);
+-}
+
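Review bot: The embedded patch drops the `Bugzilla->logout_request()` guard for `ctype=js` in buglist.cgi but deletes only `template/en/default/list/list.js.tmpl`, so nothing visible here stops another copy of that template from being rendered with the user's logged-in session. Whether buglist.cgi also resolves formats from custom or localized template directories cannot be seen in this hunk and should be confirmed. If it does, a site-local `list.js.tmpl` left in place after the update would return restricted bugs in the js format, which is the exposure the removed comment warns about. A changelog or README.fedora.bugzilla line such as `- Sites with a custom or localized list.js.tmpl must remove it.` would cover that. The docs hunk also removes the mention of `ctype=rdf`, although nothing in this patch removes that format.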
diff --git a/bugzilla.spec b/bugzilla.spec
index 17eda31..aec9bf7 100644
--- a/bugzilla.spec
+++ b/bugzilla.spec
@@ -6,12 +6,13 @@ URL: http://www.bugzilla.org/
 Name: bugzilla
 Version: 3.4.14
 Group: Applications/Publishing
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MPLv1.1
 Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz
 Source1: bugzilla-httpd-conf
 Source2: README.fedora.bugzilla
 Patch0: bugzilla-rw-paths.patch
+Patch1: bugzilla-3.4.14-CVE-2012-0466.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
@@ -58,6 +59,7 @@ Contributed scripts and functions for Bugzilla
 %prep
 %setup -q -n %{name}-%{version}
 %patch0 -p1
+%patch1 -p0
 
 # Filter unwanted Requires found by /usr/lib/rpm/perldeps.pl:
 # create a wrapper script which runs the original perl_requires
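Review bot: `%patch1 -p0` is relied on to delete `template/en/default/list/list.js.tmpl`, which only happens if patch honours the epoch timestamp in the embedded header. Otherwise a zero-length template stays in the build tree and may be packaged. Adding `rm -f template/en/default/list/list.js.tmpl` right after `%patch1 -p0` makes the removal independent of patch behaviour. The `%files` section is outside this hunk, so whether the template is listed there explicitly cannot be checked from here.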
@@ -181,6 +183,9 @@ popd > /dev/null)
 %{bzinstallprefix}/bugzilla/contrib/yp_nomail.sh
 
 %changelog
+* Fri Apr 20 2012 Xavier Bachelot <xavier at bachelot.org> - 3.4.14-2
+- Add patch for CVE-2012-0466.
+
 * Wed Feb 01 2012 Xavier Bachelot <xavier at bachelot.org> - 3.4.14-1
 - Update to 3.4.14 : security fix for CVE-2012-0448.
   

