[Bug 1262404] New: CVE-2015-4499 bugzilla: Email address is not properly validated during registration

bugzilla at redhat.com bugzilla at redhat.com
Fri Sep 11 14:41:08 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1262404

            Bug ID: 1262404
           Summary: CVE-2015-4499 bugzilla: Email address is not properly
                    validated during registration
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: high
          Priority: high
          Assignee: security-response-team at redhat.com
          Reporter: amaris at redhat.com
                CC: bazanluis20 at gmail.com, emmanuel at seyman.fr,
                    itamar at ispbrasil.com.br,
                    perl-devel at lists.fedoraproject.org,
                    xavier at bachelot.org



As announced in http://seclists.org/bugtraq/2015/Sep/48 :

Login names (usually an email address) longer than 127 characters are silently
truncated in MySQL which could cause the domain name of the email address to be
corrupted. An attacker could use this vulnerability to create an account with
an email address different from the one originally requested. The login name
could then be automatically added to groups based on the group's regular
expression setting.
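To make the failure mode above concrete from the defender's side, here is an added example (not Bugzilla's code and not the upstream patch) that simulates MySQL's silent truncation of an over-long login, shows that the domain part no longer survives storage, and applies the length check a registration handler should run before the value reaches the database. The 127-character limit is the one quoted in the bug; the sample address is constructed.

```python
import re

# Length limit quoted in the bug report: logins longer than this are
# silently cut down by MySQL (non-strict sql_mode) instead of rejected.
LOGIN_COLUMN_WIDTH = 127

# Constructed sample: 120 local-part characters + "@example.org" = 132 chars.
EXAMPLE_LONG_LOGIN = "a" * 120 + "@example.org"


def mysql_truncate(value: str, width: int = LOGIN_COLUMN_WIDTH) -> str:
    """Simulate non-strict MySQL: keep the first `width` characters of an
    over-long string and drop the rest with only a warning."""
    return value[:width]


def domain_of(login: str) -> str:
    """Return the text after the last '@', or '' if there is no '@'."""
    _, sep, domain = login.rpartition("@")
    return domain if sep else ""


def storage_preserves_domain(login: str) -> bool:
    """True if the login would come back from the database with the same
    domain it was submitted with; False is exactly the advisory's problem."""
    return domain_of(mysql_truncate(login)) == domain_of(login)


def validate_login(login: str) -> str:
    """Hypothetical pre-insert check (assumption, not Bugzilla's code):
    refuse anything the column cannot hold verbatim, then require a
    minimal email shape, so truncation can never alter the domain."""
    if len(login) > LOGIN_COLUMN_WIDTH:
        raise ValueError(f"login longer than {LOGIN_COLUMN_WIDTH} characters")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", login):
        raise ValueError("login is not a well-formed email address")
    return login


def is_rejected(login: str) -> bool:
    """Convenience wrapper: does validate_login refuse this login?"""
    try:
        validate_login(login)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    stored = mysql_truncate(EXAMPLE_LONG_LOGIN)
    print(f"submitted domain: {domain_of(EXAMPLE_LONG_LOGIN)!r}")
    print(f"stored domain:    {domain_of(stored)!r}")
    print(f"rejected by check: {is_rejected(EXAMPLE_LONG_LOGIN)}")
```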

Upstream patches:

Fix for 4.2:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=10b1fef
Fix for 4.4:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=be1be8c
Fix for 5.0:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=69386c5
Fix on master branch:
https://git.mozilla.org/?p=bugzilla/bugzilla.git;a=commitdiff;h=9d64d15
