[bugzilla/el5] CVE-2011-3657 ; CVE-2011-3667
Xavier Bachelot
xavierb at fedoraproject.org
Fri Dec 30 11:15:25 UTC 2011
commit 45c89c1f4f44b1bd3798f544a33a25b09291d8ff
Author: Xavier Bachelot <xavier at bachelot.org>
Date: Thu Dec 29 23:25:46 2011 +0100
CVE-2011-3657 ; CVE-2011-3667
bugzilla-3.2.10-CVE-2011-3657.patch | 29 +++++
bugzilla-3.2.10-CVE-2011-3667.patch | 197 +++++++++++++++++++++++++++++++++++
bugzilla.spec | 11 ++-
3 files changed, 235 insertions(+), 2 deletions(-)
---
diff --git a/bugzilla-3.2.10-CVE-2011-3657.patch b/bugzilla-3.2.10-CVE-2011-3657.patch
new file mode 100644
index 0000000..30ad9d0
--- /dev/null
+++ b/bugzilla-3.2.10-CVE-2011-3657.patch
@@ -0,0 +1,29 @@
+=== modified file 'Bugzilla/Chart.pm'
+--- Bugzilla/Chart.pm 2010-07-06 00:42:57 +0000
++++ Bugzilla/Chart.pm 2011-10-27 13:19:40 +0000
+@@ -438,7 +438,7 @@
+
+ require Data::Dumper;
+ print "<pre>Bugzilla::Chart object:\n";
+- print Data::Dumper::Dumper($self);
++ print html_quote(Data::Dumper::Dumper($self));
+ print "</pre>";
+ }
+
+
+=== modified file 'report.cgi'
+--- report.cgi 2010-12-08 20:14:32 +0000
++++ report.cgi 2011-10-27 14:18:52 +0000
+@@ -293,9 +293,9 @@
+ if ($cgi->param('debug')) {
+ require Data::Dumper;
+ print "<pre>data hash:\n";
+- print Data::Dumper::Dumper(%data) . "\n\n";
++ print html_quote(Data::Dumper::Dumper(%data)) . "\n\n";
+ print "data array:\n";
+- print Data::Dumper::Dumper(@image_data) . "\n\n</pre>";
++ print html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n</pre>";
+ }
+
+ # All formats point to the same section of the documentation.
+
diff --git a/bugzilla-3.2.10-CVE-2011-3667.patch b/bugzilla-3.2.10-CVE-2011-3667.patch
new file mode 100644
index 0000000..2647120
--- /dev/null
+++ b/bugzilla-3.2.10-CVE-2011-3667.patch
@@ -0,0 +1,197 @@
+=== modified file 'Bugzilla/User.pm'
+--- Bugzilla/User.pm 2011-12-08 23:20:02 +0000
++++ Bugzilla/User.pm 2011-12-27 14:59:07 +0000
+@@ -1852,6 +1852,32 @@
+ return 1;
+ }
+
++sub check_account_creation_enabled {
++ my $self = shift;
++
++ # If we're using e.g. LDAP for login, then we can't create a new account.
++ $self->authorizer->user_can_create_account
++ || ThrowUserError('auth_cant_create_account');
++
++ Bugzilla->params->{'createemailregexp'}
++ || ThrowUserError('account_creation_disabled');
++}
++
++sub check_and_send_account_creation_confirmation {
++ my ($self, $login) = @_;
++
++ $login = $self->check_login_name_for_creation($login);
++ my $creation_regexp = Bugzilla->params->{'createemailregexp'};
++
++ if ($login !~ /$creation_regexp/i) {
++ ThrowUserError('account_creation_restricted');
++ }
++
++ # Create and send a token for this new account.
++ require Bugzilla::Token;
++ Bugzilla::Token::issue_new_user_account_token($login);
++}
++
+ sub login_to_id {
+ my ($login, $throw_error) = @_;
+ my $dbh = Bugzilla->dbh;
+@@ -2355,6 +2381,17 @@
+ Takes a username as its only argument. Throws an error if there is no
+ user with that username. Returns a C<Bugzilla::User> object.
+
++=item C<check_account_creation_enabled>
++
++Checks that users can create new user accounts, and throws an error
++if user creation is disabled.
++
++=item C<check_and_send_account_creation_confirmation($login)>
++
++If the user request for a new account passes validation checks, an email
++is sent to this user for confirmation. Otherwise an error is thrown
++indicating why the request has been rejected.
++
+ =item C<is_available_username>
+
+ Returns a boolean indicating whether or not the supplied username is
+
+=== modified file 'Bugzilla/WebService/Constants.pm'
+--- Bugzilla/WebService/Constants.pm 2011-08-04 20:10:54 +0000
++++ Bugzilla/WebService/Constants.pm 2011-12-27 15:00:16 +0000
+@@ -130,6 +130,7 @@
+ # User errors are 500-600.
+ account_exists => 500,
+ illegal_email_address => 501,
++ auth_cant_create_account => 501,
+ account_creation_disabled => 501,
+ account_creation_restricted => 501,
+ password_too_short => 502,
+
+=== modified file 'Bugzilla/WebService/User.pm'
+--- Bugzilla/WebService/User.pm 2011-02-14 07:42:09 +0000
++++ Bugzilla/WebService/User.pm 2011-12-27 15:04:12 +0000
+@@ -28,7 +28,6 @@
+ use Bugzilla::Error;
+ use Bugzilla::User;
+ use Bugzilla::Util qw(trim);
+-use Bugzilla::Token;
+
+ # Don't need auth to login
+ use constant LOGIN_EXEMPT => {
+@@ -91,18 +90,8 @@
+ my $email = trim($params->{email})
+ || ThrowCodeError('param_required', { param => 'email' });
+
+- my $createexp = Bugzilla->params->{'createemailregexp'};
+- if (!$createexp) {
+- ThrowUserError("account_creation_disabled");
+- }
+- elsif ($email !~ /$createexp/) {
+- ThrowUserError("account_creation_restricted");
+- }
+-
+- $email = Bugzilla::User->check_login_name_for_creation($email);
+-
+- # Create and send a token for this new account.
+- Bugzilla::Token::issue_new_user_account_token($email);
++ Bugzilla->user->check_account_creation_enabled;
++ Bugzilla->user->check_and_send_account_creation_confirmation($email);
+
+ return undef;
+ }
+@@ -396,15 +385,15 @@
+
+ =over
+
+-=item 500 (Illegal Email Address)
++=item 500 (Account Already Exists)
++
++An account with that email address already exists in Bugzilla.
++
++=item 501 (Illegal Email Address)
+
+ This Bugzilla does not allow you to create accounts with the format of
+ email address you specified. Account creation may be entirely disabled.
+
+-=item 501 (Account Already Exists)
+-
+-An account with that email address already exists in Bugzilla.
+-
+ =back
+
+ =back
+
+=== modified file 'createaccount.cgi'
+--- createaccount.cgi 2007-11-12 04:03:16 +0000
++++ createaccount.cgi 2011-12-27 14:53:38 +0000
+@@ -31,47 +31,24 @@
+ use Bugzilla;
+ use Bugzilla::Constants;
+ use Bugzilla::Error;
+-use Bugzilla::User;
+-use Bugzilla::BugMail;
+-use Bugzilla::Util;
+
+ # Just in case someone already has an account, let them get the correct footer
+ # on an error message. The user is logged out just after the account is
+ # actually created.
+-Bugzilla->login(LOGIN_OPTIONAL);
+-
+-my $dbh = Bugzilla->dbh;
++my $user = Bugzilla->login(LOGIN_OPTIONAL);
+ my $cgi = Bugzilla->cgi;
+ my $template = Bugzilla->template;
+-my $vars = {};
+-
+-$vars->{'doc_section'} = 'myaccount.html';
++my $vars = { doc_section => 'myaccount.html' };
+
+ print $cgi->header();
+
+-# If we're using LDAP for login, then we can't create a new account here.
+-unless (Bugzilla->user->authorizer->user_can_create_account) {
+- ThrowUserError("auth_cant_create_account");
+-}
+-
+-my $createexp = Bugzilla->params->{'createemailregexp'};
+-unless ($createexp) {
+- ThrowUserError("account_creation_disabled");
+-}
+-
++$user->check_account_creation_enabled;
+ my $login = $cgi->param('login');
+
+ if (defined($login)) {
+- $login = Bugzilla::User->check_login_name_for_creation($login);
++ $user->check_and_send_account_creation_confirmation($login);
+ $vars->{'login'} = $login;
+
+- if ($login !~ /$createexp/) {
+- ThrowUserError("account_creation_restricted");
+- }
+-
+- # Create and send a token for this new account.
+- Bugzilla::Token::issue_new_user_account_token($login);
+-
+ $template->process("account/created.html.tmpl", $vars)
+ || ThrowTemplateError($template->error());
+ exit;
+
+=== modified file 'token.cgi'
+--- token.cgi 2010-05-20 15:38:16 +0000
++++ token.cgi 2011-12-27 14:55:57 +0000
+@@ -341,6 +341,7 @@
+ }
+
+ sub request_create_account {
++ Bugzilla->user->check_account_creation_enabled;
+ my (undef, $date, $login_name) = Bugzilla::Token::GetTokenData($::token);
+ $vars->{'token'} = $::token;
+ $vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'};
+@@ -360,6 +361,7 @@
+ }
+
+ sub confirm_create_account {
++ Bugzilla->user->check_account_creation_enabled;
+ my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($::token);
+
+ my $password = $cgi->param('passwd1') || '';
+
diff --git a/bugzilla.spec b/bugzilla.spec
index 0d27db2..3063b6f 100644
--- a/bugzilla.spec
+++ b/bugzilla.spec
@@ -6,7 +6,7 @@ URL: http://www.bugzilla.org/
Name: bugzilla
Version: 3.2.10
Group: Applications/Publishing
-Release: 2%{?dist}
+Release: 3%{?dist}
License: MPLv1.1
Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz
Source1: bugzilla-httpd-conf
@@ -18,6 +18,8 @@ Patch3: bugzilla-3.2.10-CVE-2011-2380.patch
Patch4: bugzilla-3.2.10-CVE-2011-2381.patch
Patch5: bugzilla-3.2.10-CVE-2011-2976.patch
Patch6: bugzilla-3.2.10-CVE-2011-2978.patch
+Patch7: bugzilla-3.2.10-CVE-2011-3657.patch
+Patch8: bugzilla-3.2.10-CVE-2011-3667.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -63,6 +65,8 @@ set -x
%patch4 -p0
%patch5 -p0
%patch6 -p0
+%patch7 -p0
+%patch8 -p0
# Filter unwanted Requires found by /usr/lib/rpm/perldeps.pl:
# create a wrapper script which runs the original perl_requires
@@ -100,7 +104,7 @@ for file in `find -type f -perm /664`; do
done
# Remove un-needed files
-find . -name *.orig -delete
+find . -name "*.orig" -delete
%install
mkdir -p ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla
@@ -164,6 +168,9 @@ popd > /dev/null)
%{bzinstallprefix}/bugzilla/contrib
%changelog
+* Thu Dec 29 2011 Xavier Bachelot <xavier at bachelot.org> - 3.2.10-3
+- Add patches for CVE-2011-3657 and CVE-2011-3667.
+
* Thu Sep 15 2011 Xavier Bachelot <xavier at bachelot.org> - 3.2.10-2
- Add patches for CVE-2011-2379, CVE-2011-2380, CVE-2011-2381, CVE-2011-2978
and CVE-2011-2976.
More information about the scm-commits
mailing list