https://bugzilla.redhat.com/show_bug.cgi?id=1336671
Bug ID: 1336671
Summary: CVE-2016-2803 bugzilla: Cross-site-scripting in dependency graphs
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: bazanluis20@gmail.com, emmanuel@seyman.fr, itamar@ispbrasil.com.br, perl-devel@lists.fedoraproject.org, xavier@bachelot.org
A vulnerability was found in the bugzilla application. The dependency graph page (showdependencygraph.cgi) lays out bugs as graph nodes with Graphviz dot and converts the image map that dot emits into HTML area elements that carry each bug's summary as a tooltip. Because that image map was parsed incorrectly, a specially crafted bug summary was not neutralised before being placed in the page, so it could trigger cross-site scripting (CWE-79) in dependency graphs when a user viewed the graph. The summary is stored data, so the injected script runs for any user who opens a graph containing the crafted bug.
External references:
https://bugzilla.mozilla.org/show_bug.cgi?id=1253263
References:
http://seclists.org/bugtraq/2016/May/72
Upstream fix:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=dd61903
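To make the failure mode concrete, the following is an added example in Python; it is not Bugzilla's code (which is Perl) and not the upstream fix. It models the step the report describes: turning the per-node lines of an image map into HTML area elements, once with the summary interpolated into the title attribute verbatim, and once with attribute-context escaping. The line format, the regular expression, the sample lines and the function names are all constructed for this example and do not reproduce the exact text Graphviz or Bugzilla produce.

```python
import html
import re

# Constructed sample of an image map, one line per graph node. The format
# "rectangle (x1,y1) (x2,y2) URL BUGID SUMMARY" is assumed for this example;
# it is not a claim about the exact text Graphviz or Bugzilla emit.
SAMPLE_MAP = """\
rectangle (10,10) (110,40) show_bug.cgi?id=100 100 Login form ignores CSRF token
rectangle (10,60) (110,90) show_bug.cgi?id=101 101 Dep graph" onmouseover="alert(1)" x="
rectangle (10,110) (110,140) show_bug.cgi?id=102 102 Summary with <b>markup</b> & ampersand
"""
SAMPLE_LINES = SAMPLE_MAP.splitlines()

# Coordinates and the bug id are restricted to digits and the URL to non-space
# characters, so a crafted summary cannot be mis-split into the earlier fields.
LINE_RE = re.compile(
    r'^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) (\S+) (\d+)(?: (.*))?$')

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
EXPECTED_ATTRS = {"alt", "shape", "title", "href", "coords"}


def parse_line(line):
    """Return (x1, y1, x2, y2, url, bugid, summary) or None for a bad line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    x1, y1, x2, y2, url, bugid, summary = m.groups()
    return x1, y1, x2, y2, url, bugid, summary or ""


def area_unescaped(line):
    """Vulnerable pattern: the summary goes into an attribute verbatim, so a
    double quote in it closes title="..." and the rest becomes new attributes."""
    fields = parse_line(line)
    if fields is None:
        return None
    x1, y1, x2, y2, url, bugid, summary = fields
    return (f'<area alt="bug {bugid}" shape="rect" title="{summary}" '
            f'href="{url}" coords="{x1},{y1},{x2},{y2}">')


def area_escaped(line):
    """Hardened form: every untrusted value is escaped for the attribute
    context (quote=True turns " and ' into entities as well as & < >)."""
    fields = parse_line(line)
    if fields is None:
        return None
    x1, y1, x2, y2, url, bugid, summary = fields
    return (f'<area alt="bug {bugid}" shape="rect" '
            f'title="{html.escape(summary, quote=True)}" '
            f'href="{html.escape(url, quote=True)}" '
            f'coords="{x1},{y1},{x2},{y2}">')


def build_map(lines, render):
    """Assemble the <map> element from all parsable lines using `render`."""
    areas = [a for a in (render(ln) for ln in lines) if a is not None]
    return '<map name="imagemap">\n' + "\n".join(areas) + "\n</map>"


def injected_attributes(area_tag):
    """Names of attributes on the tag beyond the five the template emits;
    a non-empty result means untrusted text broke out of its attribute."""
    names = {name for name, _ in ATTR_RE.findall(area_tag)}
    return sorted(names - EXPECTED_ATTRS)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("unescaped:", injected_attributes(area_unescaped(line)))
        print("escaped:  ", injected_attributes(area_escaped(line)))
```

The second sample line is the interesting one: through area_unescaped it yields a tag with extra onmouseover and x attributes, while area_escaped keeps the whole summary inside the title value as entities. The injected_attributes check is only a cheap reviewer heuristic for this template; the actual fix is to escape at the point where the HTML is generated, which in Bugzilla's code base is what Bugzilla::Util's html_quote is for.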
Andrej Nemec anemec@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Depends On    |        |1336672
Depends On    |        |1336673
Depends On    |        |1336674
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created bugzilla tracking bugs for this issue:
Affects: fedora-all [bug 1336672]
Affects: epel-5 [bug 1336673]
Affects: epel-6 [bug 1336674]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1336672
[Bug 1336672] CVE-2016-2803 bugzilla: Cross-site-scripting in dependency graphs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1336673
[Bug 1336673] CVE-2016-2803 bugzilla: Cross-site-scripting in dependency graphs [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=1336674
[Bug 1336674] CVE-2016-2803 bugzilla: Cross-site-scripting in dependency graphs [epel-6]
--- Comment #2 from Fedora Update System updates@fedoraproject.org ---
bugzilla-5.0.3-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1336671 depends on bug 1336672, which changed state.
Bug 1336672 Summary: CVE-2016-2803 bugzilla: Cross-site-scripting in dependency graphs [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1336672
What          |Removed |Added
----------------------------------------------------------------------------
Status        |ON_QA   |CLOSED
Resolution    |---     |ERRATA
--- Comment #3 from Fedora Update System updates@fedoraproject.org ---
bugzilla-4.4.12-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #4 from Fedora Update System updates@fedoraproject.org ---
bugzilla-4.4.12-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Andrej Nemec anemec@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Whiteboard    |impact=moderate,public=20160516,reported=20160516,source=bugtraq,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cwe=CWE-79,fedora-all/bugzilla=affected,epel-5/bugzilla=affected,epel-6/bugzilla=affected |impact=moderate,public=20160516,reported=20160516,source=bugtraq,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cvss3=6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N,cwe=CWE-79,fedora-all/bugzilla=affected,epel-5/bugzilla=affected,epel-6/bugzilla=affected
Bug 1336671 depends on bug 1336673, which changed state.
Bug 1336673 Summary: CVE-2016-2803 bugzilla: Cross-site-scripting in dependency graphs [epel-5] https://bugzilla.redhat.com/show_bug.cgi?id=1336673
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |CLOSED
Resolution    |---     |EOL
Bug 1336671 depends on bug 1336674, which changed state.
Bug 1336674 Summary: CVE-2016-2803 bugzilla: Cross-site-scripting in dependency graphs [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1336674
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |CLOSED
Resolution    |---     |WONTFIX