rpms/bugzilla/FC-4 bugzilla-bz212355-fixvuln.patch, NONE, 1.1 bugzilla.spec, 1.2, 1.3

John Berninger (jwb) fedora-extras-commits at redhat.com
Fri Nov 10 00:54:43 UTC 2006


Author: jwb

Update of /cvs/extras/rpms/bugzilla/FC-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7067

Modified Files:
	bugzilla.spec 
Added Files:
	bugzilla-bz212355-fixvuln.patch 
Log Message:
Fix vulnerabilities in bz 212355


bugzilla-bz212355-fixvuln.patch:

--- NEW FILE bugzilla-bz212355-fixvuln.patch ---
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/attachment.cgi bugzilla-2.22.1/attachment.cgi
--- bugzilla-2.22/attachment.cgi	2006-04-09 11:28:49.000000000 -0700
+++ bugzilla-2.22.1/attachment.cgi	2006-10-14 14:07:19.000000000 -0700
@@ -130,6 +130,7 @@
 sub validateID
 {
     my $param = @_ ? $_[0] : 'id';
+    my $user = Bugzilla->user;
 
     # If we're not doing interdiffs, check if id wasn't specified and
     # prompt them with a page that allows them to choose an attachment.
@@ -151,18 +152,18 @@
      || ThrowUserError("invalid_attach_id", { attach_id => $cgi->param($param) });
   
     # Make sure the attachment exists in the database.
-    SendSQL("SELECT bug_id, isprivate FROM attachments WHERE attach_id = $attach_id");
+    SendSQL("SELECT bug_id, isprivate, submitter_id
+             FROM attachments WHERE attach_id = $attach_id");
     MoreSQLData()
       || ThrowUserError("invalid_attach_id", { attach_id => $attach_id });
 
     # Make sure the user is authorized to access this attachment's bug.
-    (my $bugid, my $isprivate) = FetchSQLData();
+    my ($bugid, $isprivate, $submitter_id) = FetchSQLData();
 
     ValidateBugID($bugid);
-    if ($isprivate && Param("insidergroup")) {
-        UserInGroup(Param("insidergroup"))
-          || ThrowUserError("auth_failure", {action => "access",
-                                             object => "attachment"});
+    if ($isprivate && $user->id != $submitter_id && !$user->is_insider) {
+        ThrowUserError("auth_failure", {action => "access",
+                                        object => "attachment"});
     }
 
     return ($attach_id,$bugid);
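Review bot: The rewritten query `SendSQL("SELECT bug_id, isprivate, submitter_id FROM attachments WHERE attach_id = $attach_id")` still builds the statement by interpolating `$attach_id`; that is only safe because of the numeric validation that precedes the hunk (the `invalid_attach_id` error on the first context line is its tail), and nothing at the query records that dependency. A comment such as `# $attach_id was validated as a number above; SendSQL takes no placeholders.` would make it explicit for the next person who touches the query. The new test replaces the `Param("insidergroup")` gate with `$user->is_insider`; I assume that method already handles the case where no insider group is configured, which is worth confirming, since otherwise private attachments would now be denied to every non-submitter on installations without one. validateID starts in the previous hunk and this hunk ends before its closing brace.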
@@ -199,17 +200,23 @@
 sub validateCanEdit
 {
     my ($attach_id) = (@_);
+    my $user = Bugzilla->user;
 
-    # People in editbugs can edit all attachments
-    return if UserInGroup("editbugs");
+    my $attachment = Bugzilla::Attachment->get($attach_id);
 
     # Bug 97729 - the submitter can edit their attachments
-    SendSQL("SELECT attach_id FROM attachments WHERE " .
-            "attach_id = $attach_id AND submitter_id = " . Bugzilla->user->id);
+    return if ($attachment->attacher->id == $user->id);
 
-    FetchSQLData()
-      || ThrowUserError("illegal_attachment_edit",
-                        { attach_id => $attach_id });
+    # Only people in the insider group can view private attachments.
+    if ($attachment->isprivate && !$user->is_insider) {
+        ThrowUserError('illegal_attachment_edit', {attach_id => $attachment->id});
+    }
+
+    # People in editbugs can edit all attachments
+    return if UserInGroup("editbugs");
+
+    # If we come here, then this attachment cannot be seen by the user.
+    ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
 }
 
 sub validateCanChangeAttachment 
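Review bot: The closing comment `# If we come here, then this attachment cannot be seen by the user.` does not match the branch it sits on: a user reaching that line has already passed the private-attachment check (or the attachment is public), so they can see it but are neither its attacher nor in editbugs. Suggest `# Not the attacher and not in editbugs: the user may view but not edit this attachment.`. `Bugzilla::Attachment->get($attach_id)` is dereferenced unconditionally on the next statement via `$attachment->attacher->id`; if `get` can return undef for an unknown id, the failure would be a method-on-undef crash rather than a user error, so either every caller must run validateID first (the obsolete-loop hunk does) or a guard like `ThrowUserError("invalid_attach_id", { attach_id => $attach_id }) unless $attachment;` belongs before the first method call. validateCanEdit is wholly within this hunk.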
@@ -393,7 +400,8 @@
   my @obsolete_ids = ();
 
   # Make sure the attachment id is valid and the user has permissions to view
-  # the bug to which it is attached.
+  # the bug to which it is attached. Make sure also that the user can view
+  # the attachment itself.
   foreach my $attachid ($cgi->param('obsolete')) {
     my $vars = {};
     $vars->{'attach_id'} = $attachid;
@@ -410,6 +418,9 @@
 
     my ($bugid, $isobsolete, $description) = FetchSQLData();
 
+    # Check that the user can modify this attachment
+    validateCanEdit($attachid);
+
     $vars->{'description'} = $description;
     
     if ($bugid != $cgi->param('bugid'))
@@ -424,8 +435,6 @@
       ThrowCodeError("attachment_already_obsolete", $vars);
     }
 
-    # Check that the user can modify this attachment
-    validateCanEdit($attachid);
     push(@obsolete_ids, $attachid);
   }
 
@@ -759,28 +768,35 @@
   }
   else
   {
-    $vars->{other_patches} = [];
+    my @other_patches = ();
     if ($::interdiffbin && $::diffpath) {
-      # Get list of attachments on this bug.
+      # Get the list of attachments that the user can view in this bug.
+      my @attachments = @{Bugzilla::Attachment->get_attachments_by_bug($bugid)};
+      # Extract patches only.
+      @attachments = grep {$_->ispatch == 1} @attachments;
+      # We want them sorted from newer to older.
+      @attachments = sort { $b->id <=> $a->id } @attachments;
+
       # Ignore the current patch, but select the one right before it
       # chronologically.
-      SendSQL("SELECT attach_id, description FROM attachments WHERE bug_id = $bugid AND ispatch = 1 ORDER BY creation_ts DESC");
       my $select_next_patch = 0;
-      while (my ($other_id, $other_desc) = FetchSQLData()) {
-        if ($other_id eq $attach_id) {
-          $select_next_patch = 1;
-        } else {
-          push @{$vars->{other_patches}}, { id => $other_id, desc => $other_desc, selected => $select_next_patch };
-          if ($select_next_patch) {
-            $select_next_patch = 0;
+      foreach my $attach (@attachments) {
+          if ($attach->id == $attach_id) {
+              $select_next_patch = 1;
+          }
+          else {
+              push(@other_patches, { 'id'       => $attach->id,
+                                     'desc'     => $attach->description,
+                                     'selected' => $select_next_patch });
+              $select_next_patch = 0;
           }
-        }
       }
     }
 
     $vars->{bugid} = $bugid;
     $vars->{attachid} = $attach_id;
     $vars->{description} = $description;
+    $vars->{other_patches} = \@other_patches;
     setup_template_patch_reader($last_reader, $format, $context);
     # Actually print out the patch
     $reader->iterate_string("Attachment $attach_id", $thedata);
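Review bot: The body of the new `foreach my $attach (@attachments)` loop is indented four spaces inside a file that uses two (see the surrounding `if` and `$vars->{...}` lines), so the loop reads as pasted from elsewhere; reindenting it to the file's width is the style fix. The comment `# We want them sorted from newer to older.` describes a `sort { $b->id <=> $a->id }`, whereas the removed query ordered by `creation_ts DESC`; the two agree only if attachment ids are assigned in creation order, which seems to be the assumption here, so state it: `# Newest first; attachment ids are assumed to increase in creation order.`. The enclosing else-block starts before the hunk.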
@@ -795,37 +811,10 @@
     my $bugid = $cgi->param('bugid');
     ValidateBugID($bugid);
 
-    # Retrieve the attachments from the database and write them into an array
-    # of hashes where each hash represents one attachment.
-    my $privacy = "";
-    my $dbh = Bugzilla->dbh;
-
-    if (Param("insidergroup") && !(UserInGroup(Param("insidergroup")))) {
-        $privacy = "AND isprivate < 1 ";
+    my $attachments = Bugzilla::Attachment->get_attachments_by_bug($bugid);
+    foreach my $a (@$attachments) {
+        $a->{'isviewable'} = isViewable($a->contenttype);
     }
-    SendSQL("SELECT attach_id, " .
-            $dbh->sql_date_format('creation_ts', '%Y.%m.%d %H:%i') . ",
-            mimetype, description, ispatch, isobsolete, isprivate, 
-            LENGTH(thedata)
-            FROM attachments 
-            INNER JOIN attach_data
-            ON attach_id = id
-            WHERE bug_id = $bugid $privacy 
-            ORDER BY attach_id");
-  my @attachments; # the attachments array
-  while (MoreSQLData())
-  {
-    my %a; # the attachment hash
-    ($a{'attachid'}, $a{'date'}, $a{'contenttype'},
-     $a{'description'}, $a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'},
-     $a{'datasize'}) = FetchSQLData();
-    $a{'isviewable'} = isViewable($a{'contenttype'});
-    $a{'flags'} = Bugzilla::Flag::match({ 'attach_id' => $a{'attachid'},
-                                          'is_active' => 1 });
-
-    # Add the hash representing the attachment to the array of attachments.
-    push @attachments, \%a;
-  }
 
   # Retrieve the bug summary (for displaying on screen) and assignee.
   SendSQL("SELECT short_desc, assigned_to FROM bugs " .
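Review bot: `foreach my $a (@$attachments)` declares a lexical named `$a`, which masks the package variable that `sort` comparators rely on; any `sort { $a ... }` block reached from inside the loop would silently see the wrong value, and perlcritic flags the name. Rename it: `foreach my $attachment (@$attachments) { $attachment->{'isviewable'} = isViewable($attachment->contenttype); }`. That assignment also writes a new key straight into the object's hash from outside Bugzilla::Attachment; if the class offers a setter, or the template can call the helper itself, either is cleaner than reaching into the blessed hash. The removed loop additionally attached a `flags` list via `Bugzilla::Flag::match` to each attachment, and the replacement computes none here, so confirm that `get_attachments_by_bug` supplies flags or that the template no longer reads them. The enclosing block continues past the hunk.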
@@ -834,7 +823,7 @@
 
   # Define the variables and functions that will be passed to the UI template.
   $vars->{'bugid'} = $bugid;
-  $vars->{'attachments'} = \@attachments;
+  $vars->{'attachments'} = $attachments;
   $vars->{'bugassignee_id'} = $assignee_id;
   $vars->{'bugsummary'} = $bugsummary;
   $vars->{'GetBugLink'} = \&GetBugLink;
@@ -922,8 +911,9 @@
     validateIsPatch();
     validateDescription();
   
-    if (($attachurl =~ /^(http|https|ftp):\/\/\S+/) 
-         && !(defined $cgi->upload('data'))) {
[...12227 lines suppressed...]
  %]
@@ -52,7 +52,7 @@
       <a name="[% keyword.name FILTER html %]">
         [% keyword.name FILTER html %]</a>
     </th>
-    <td>[% keyword.description %]</td>
+    <td>[% keyword.description FILTER html_light %]</td>
     <td align="right">
       [% IF keyword.bugcount > 0 %]
         <a href="buglist.cgi?keywords=[% keyword.name FILTER url_quote %]">
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/request/email.txt.tmpl bugzilla-2.22.1/template/en/default/request/email.txt.tmpl
--- bugzilla-2.22/template/en/default/request/email.txt.tmpl	2005-12-29 16:32:37.000000000 -0800
+++ bugzilla-2.22.1/template/en/default/request/email.txt.tmpl	2006-07-05 19:20:08.000000000 -0700
@@ -61,7 +61,7 @@
 [%- FILTER bullet = wrap(80) %]
 
 [% USE Bugzilla %]
-[% IF Bugzilla.cgi.param("comment").length > 0 %]
+[% IF Bugzilla.cgi.param("comment") && Bugzilla.cgi.param("comment").length > 0 %]
 ------- Additional Comments from [% user.identity %]
 [%+ Bugzilla.cgi.param("comment") %]
 [% END %]
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/search/boolean-charts.html.tmpl bugzilla-2.22.1/template/en/default/search/boolean-charts.html.tmpl
--- bugzilla-2.22/template/en/default/search/boolean-charts.html.tmpl	2004-12-10 16:27:45.000000000 -0800
+++ bugzilla-2.22.1/template/en/default/search/boolean-charts.html.tmpl	2006-06-07 14:34:35.000000000 -0700
@@ -46,7 +46,7 @@
 
   <p>
     <strong>
-      Advanced Searching Using Boolean Charts:
+      <a name="chart">Advanced Searching Using Boolean Charts</a>:
     </strong>
   </p>
 
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/search/search-create-series.html.tmpl bugzilla-2.22.1/template/en/default/search/search-create-series.html.tmpl
--- bugzilla-2.22/template/en/default/search/search-create-series.html.tmpl	2005-04-11 15:34:50.000000000 -0700
+++ bugzilla-2.22.1/template/en/default/search/search-create-series.html.tmpl	2006-05-22 17:22:29.000000000 -0700
@@ -33,7 +33,7 @@
 
 [% PROCESS global/header.html.tmpl 
   title = "Create New Data Set"
-  onload = "selectProduct(document.forms['chartform']);"
+  onload = "doOnSelectProduct(0);"
   javascript = js_data 
   javascript_urls = [ "js/productform.js" ]
 %]
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/whine/schedule.html.tmpl bugzilla-2.22.1/template/en/default/whine/schedule.html.tmpl
--- bugzilla-2.22/template/en/default/whine/schedule.html.tmpl	2005-09-12 07:03:01.000000000 -0700
+++ bugzilla-2.22.1/template/en/default/whine/schedule.html.tmpl	2006-10-14 15:05:59.000000000 -0700
@@ -82,6 +82,7 @@
 <input type="submit" value="Update / Commit" name="commit"
        style="visibility: hidden">
 <input type="hidden" name="update" value="1">
+<input type="hidden" name="token" value="[% token FILTER html %]">
 
 [% FOREACH event = events %]
 
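Review bot: The hidden `token` field only emits whatever value the template is handed; the hunk does not show the handler that issues `token` and rejects a submission whose token does not match, and the form this field belongs to is only protected if that check exists on the receiving side. Confirm the corresponding CGI change is among the suppressed lines of this patch, and that the template is given `token` on every path that renders the form, since an empty value here would otherwise be submitted silently.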
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/testserver.pl bugzilla-2.22.1/testserver.pl
--- bugzilla-2.22/testserver.pl	2006-01-05 03:07:01.000000000 -0800
+++ bugzilla-2.22.1/testserver.pl	2006-07-24 23:21:07.000000000 -0700
@@ -14,7 +14,7 @@
 # Contributor(s): Joel Peshkin <bugreport at peshkin.net>
 #                 Byron Jones <byron at glob.com.au>
 
-# testserver.pl is involked with the baseurl of the Bugzilla installation
+# testserver.pl is invoked with the baseurl of the Bugzilla installation
 # as its only argument.  It attempts to troubleshoot as many installation
 # issues as possible.
 
@@ -194,6 +194,14 @@
             print "TEST-FAILED Chart returned: $@\n";
         }
     }
+
+    eval 'use Template::Plugin::GD::Image';
+    if ($@) {
+        print "TEST-FAILED Template::Plugin::GD is not installed.\n";
+    }
+    else {
+        print "TEST-OK Template::Plugin::GD is installed.\n";
+    }
 }
 
 sub fetch {
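Review bot: `eval 'use Template::Plugin::GD::Image';` uses a string eval for what is just a module probe; the block form `eval { require Template::Plugin::GD::Image; 1 }` does the same without compiling source text, though the chart check just above appears to use the same string-eval idiom, so change both or neither for consistency. The two messages name `Template::Plugin::GD` while the module actually loaded is `Template::Plugin::GD::Image`; printing the module probed, e.g. `print "TEST-FAILED Template::Plugin::GD::Image is not installed.\n";`, sends the administrator after the right thing. The enclosing sub starts before the hunk.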
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/token.cgi bugzilla-2.22.1/token.cgi
--- bugzilla-2.22/token.cgi	2005-10-24 16:11:55.000000000 -0700
+++ bugzilla-2.22.1/token.cgi	2006-09-22 16:25:51.000000000 -0700
@@ -67,9 +67,8 @@
   $::token = $cgi->param('t');
   
   # Make sure the token contains only valid characters in the right amount.
-  # Validate password will throw an error if token is invalid
+  # ValidatePassword will throw an error if token is invalid
   ValidatePassword($::token);
-  trick_taint($::token); # Only used in placeholders
 
   Bugzilla::Token::CleanTokenTable();
 
@@ -98,9 +97,11 @@
 
 # If the user is requesting a password change, make sure they submitted
 # their login name and it exists in the database, and that the DB module is in
-# the list of allowed verification methids.
+# the list of allowed verification methods.
+my $login_name;
 if ( $::action eq 'reqpw' ) {
-    defined $cgi->param('loginname')
+    $login_name = $cgi->param('loginname');
+    defined $login_name
       || ThrowUserError("login_needed_for_password_change");
 
     # check verification methods
@@ -108,27 +109,25 @@
         ThrowUserError("password_change_requests_not_allowed");
     }
 
-    # Make sure the login name looks like an email address.
-    validate_email_syntax($cgi->param('loginname'))
-      || ThrowUserError('illegal_email_address',
-                        {addr => $cgi->param('loginname')});
+    validate_email_syntax($login_name)
+      || ThrowUserError('illegal_email_address', {addr => $login_name});
 
-    my $loginname = $cgi->param('loginname');
-    trick_taint($loginname); # Used only in a placeholder
     my ($user_id) = $dbh->selectrow_array('SELECT userid FROM profiles WHERE ' .
                                           $dbh->sql_istrcmp('login_name', '?'),
-                                          undef, $loginname);
+                                          undef, $login_name);
     $user_id || ThrowUserError("account_inexistent");
 }
 
 # If the user is changing their password, make sure they submitted a new
 # password and that the new password is valid.
+my $password;
 if ( $::action eq 'chgpw' ) {
-    defined $cgi->param('password')
+    $password = $cgi->param('password');
+    defined $password
       && defined $cgi->param('matchpassword')
       || ThrowUserError("require_new_password");
 
-    ValidatePassword($cgi->param('password'), $cgi->param('matchpassword'));
+    ValidatePassword($password, $cgi->param('matchpassword'));
 }
 
 ################################################################################
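Review bot: The changed guard `defined $password && defined $cgi->param('matchpassword') || ThrowUserError("require_new_password");` mixes `&&` and `||` for flow control; it is correct only because `&&` binds tighter, which a reader has to verify. The low-precedence form reads as intended and cannot be mis-grouped: `defined $password && defined $cgi->param('matchpassword') or ThrowUserError("require_new_password");`. The same pattern appears in the `reqpw` hunk above with `defined $login_name || ThrowUserError(...)`.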
@@ -140,13 +139,13 @@
 # that variable and runs the appropriate code.
 
 if ($::action eq 'reqpw') { 
-    requestChangePassword(); 
+    requestChangePassword($login_name);
 } elsif ($::action eq 'cfmpw') { 
     confirmChangePassword(); 
 } elsif ($::action eq 'cxlpw') { 
     cancelChangePassword(); 
 } elsif ($::action eq 'chgpw') { 
-    changePassword(); 
+    changePassword($password);
 } elsif ($::action eq 'cfmem') {
     confirmChangeEmail();
 } elsif ($::action eq 'cxlem') {
@@ -167,7 +166,8 @@
 ################################################################################
 
 sub requestChangePassword {
-    Bugzilla::Token::IssuePasswordToken($cgi->param('loginname'));
+    my ($login_name) = @_;
+    Bugzilla::Token::IssuePasswordToken($login_name);
 
     $vars->{'message'} = "password_change_request";
 
@@ -194,11 +194,11 @@
 }
 
 sub changePassword {
+    my ($password) = @_;
     my $dbh = Bugzilla->dbh;
 
     # Create a crypted version of the new password
-    my $cryptedpassword = bz_crypt($cgi->param('password'));
-    trick_taint($cryptedpassword); # Used only in a placeholder
+    my $cryptedpassword = bz_crypt($password);
 
     # Get the user's ID from the tokens table.
     my ($userid) = $dbh->selectrow_array('SELECT userid FROM tokens
diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/votes.cgi bugzilla-2.22.1/votes.cgi
--- bugzilla-2.22/votes.cgi	2005-10-24 16:11:55.000000000 -0700
+++ bugzilla-2.22.1/votes.cgi	2006-10-13 06:01:57.000000000 -0700
@@ -358,7 +358,8 @@
     $dbh->bz_unlock_tables();
 
     $vars->{'type'} = "votes";
-    $vars->{'mailrecipients'} = { 'changer' => $who };
+    $vars->{'mailrecipients'} = { 'changer' => Bugzilla->user->login };
+    $vars->{'title_tag'} = 'change_votes';
 
     foreach my $bug_id (@updated_bugs) {
         $vars->{'id'} = $bug_id;


Index: bugzilla.spec
===================================================================
RCS file: /cvs/extras/rpms/bugzilla/FC-4/bugzilla.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- bugzilla.spec	27 Jun 2006 12:53:05 -0000	1.2
+++ bugzilla.spec	10 Nov 2006 00:54:12 -0000	1.3
@@ -6,13 +6,14 @@
 Name: bugzilla
 Version: 2.22
 Group: Applications/Publishing
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MPL
 Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz
 Source1: bugzilla-httpd-conf
 Source2: README.fedora.bugzilla
 Patch0: bugzilla-data-dir.patch
 Patch1: bugzilla-config-path.patch
+Patch2: bugzilla-bz212355-fixvuln.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 Requires: smtpdaemon, webserver, graphviz, patchutils
@@ -40,6 +41,7 @@
 %setup -q -n %{name}-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 # Filter unwanted Requires:
 cat << \EOF > %{name}-req
@@ -125,6 +127,9 @@
 %{bzinstallprefix}/bugzilla/contrib
 
 %changelog
+* Wed Nov  8 2006 John Berninger <johnw at berningeronline dot net> - 2.22-7
+- Bz 212355 - fix multiple vulns
+
 * Tue Jun 26 2006 John Berninger <johnw at berningeronline dot net> - 2.22-6
 - Clean up BugzillaEmail requires (filter it out)
 



