[bugzilla/el6] CVE-2012-0466
Xavier Bachelot
xavierb at fedoraproject.org
Fri Apr 20 01:19:11 UTC 2012
commit 684bbcd5e5d2b62d01125b82de421cb225669d90
Author: Xavier Bachelot <xavier at bachelot.org>
Date: Fri Apr 20 02:32:34 2012 +0200
CVE-2012-0466
bugzilla-3.4.14-CVE-2012-0466.patch | 84 +++++++++++++++++++++++++++++++++++
bugzilla.spec | 7 +++-
2 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/bugzilla-3.4.14-CVE-2012-0466.patch b/bugzilla-3.4.14-CVE-2012-0466.patch
new file mode 100644
index 0000000..7489b1f
--- /dev/null
+++ b/bugzilla-3.4.14-CVE-2012-0466.patch
@@ -0,0 +1,84 @@
+=== modified file 'buglist.cgi'
+--- buglist.cgi 2012-04-17 18:41:05 +0000
++++ buglist.cgi 2012-04-18 12:06:08 +0000
+@@ -112,16 +112,6 @@
+ $cgi->param('ctype', "atom");
+ }
+
+-# The js ctype presents a security risk; a malicious site could use it
+-# to gather information about secure bugs. So, we only allow public bugs to be
+-# retrieved with this format.
+-#
+-# Note that if and when this call clears cookies or has other persistent
+-# effects, we'll need to do this another way instead.
+-if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
+- Bugzilla->logout_request();
+-}
+-
+ # An agent is a program that automatically downloads and extracts data
+ # on its user's behalf. If this request comes from an agent, we turn off
+ # various aspects of bug list functionality so agent requests succeed
+
+=== modified file 'docs/en/xml/using.xml'
+--- docs/en/xml/using.xml 2011-01-28 16:30:29 +0000
++++ docs/en/xml/using.xml 2012-04-18 12:06:08 +0000
+@@ -659,16 +659,6 @@
+ </member>
+ </simplelist>
+ </para>
+-
+- <para>
+- If you would like to access the bug list from another program
+- it is often useful to have the list returned in something other
+- than HTML. By adding the ctype=type parameter into the bug list URL
+- you can specify several alternate formats. Besides the types described
+- above, the following formats are also supported: ECMAScript, also known
+- as JavaScript (ctype=js), and Resource Description Framework RDF/XML
+- (ctype=rdf).
+- </para>
+ </section>
+
+ <section id="individual-buglists">
+
+=== removed file 'template/en/default/list/list.js.tmpl'
+--- template/en/default/list/list.js.tmpl 2007-08-20 23:24:38 +0000
++++ template/en/default/list/list.js.tmpl 1970-01-01 00:00:00 +0000
+@@ -1,37 +0,0 @@
+-[%# The contents of this file are subject to the Mozilla Public
+- # License Version 1.1 (the "License"); you may not use this file
+- # except in compliance with the License. You may obtain a copy of
+- # the License at http://www.mozilla.org/MPL/
+- #
+- # Software distributed under the License is distributed on an "AS
+- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+- # implied. See the License for the specific language governing
+- # rights and limitations under the License.
+- #
+- # The Original Code is the Bugzilla Bug Tracking System.
+- #
+- # The Initial Developer of the Original Code is Netscape Communications
+- # Corporation. Portions created by Netscape are
+- # Copyright (C) 1998 Netscape Communications Corporation. All
+- # Rights Reserved.
+- #
+- # Contributor(s): Gervase Markham <gerv at gerv.net>
+- #%]
+-
+-// Note: only publicly-accessible bugs (those not in any group) will be
+-// listed when using this JavaScript format. This is to prevent malicious
+-// sites stealing information about secure bugs.
+-
+-bugs = new Array;
+-
+-[% FOREACH bug = bugs %]
+- bugs[[% bug.bug_id %]] = [
+- [% FOREACH column = displaycolumns %]
+- "[%- bug.$column FILTER js -%]"[% "," UNLESS loop.last %]
+- [% END %]
+- ];
+-[% END %]
+-
+-if (window.buglistCallback) {
+- buglistCallback(bugs);
+-}
+
diff --git a/bugzilla.spec b/bugzilla.spec
index 17eda31..aec9bf7 100644
--- a/bugzilla.spec
+++ b/bugzilla.spec
@@ -6,12 +6,13 @@ URL: http://www.bugzilla.org/
Name: bugzilla
Version: 3.4.14
Group: Applications/Publishing
-Release: 1%{?dist}
+Release: 2%{?dist}
License: MPLv1.1
Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz
Source1: bugzilla-httpd-conf
Source2: README.fedora.bugzilla
Patch0: bugzilla-rw-paths.patch
+Patch1: bugzilla-3.4.14-CVE-2012-0466.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -58,6 +59,7 @@ Contributed scripts and functions for Bugzilla
%prep
%setup -q -n %{name}-%{version}
%patch0 -p1
+%patch1 -p0
# Filter unwanted Requires found by /usr/lib/rpm/perldeps.pl:
# create a wrapper script which runs the original perl_requires
@@ -181,6 +183,9 @@ popd > /dev/null)
%{bzinstallprefix}/bugzilla/contrib/yp_nomail.sh
%changelog
+* Fri Apr 20 2012 Xavier Bachelot <xavier at bachelot.org> - 3.4.14-2
+- Add patch for CVE-2012-0466.
+
* Wed Feb 01 2012 Xavier Bachelot <xavier at bachelot.org> - 3.4.14-1
- Update to 3.4.14 : security fix for CVE-2012-0448.
More information about the scm-commits
mailing list