Security announcement for cvs pulls of Bugzilla

David Miller justdave at syndicomm.com
Tue Nov 19 12:46:21 UTC 2002


There have been a few security bugs fixed in Bugzilla in the last week.
The bugs listed here did NOT affect any released version of Bugzilla, but
only versions of Bugzilla pulled from CVS during the time periods listed
with each bug (+/- 15 minutes due to cvs-mirror lag).

If you pulled a copy of Bugzilla from CVS during one of the time periods
listed below, you are advised to update to the cvs-tip using the "cvs
update -AdP" command, then re-run checksetup.pl.

---------------
Bug 178841 - attachment file name field contained full path
2002/09/21 16:57:07 to 2002/11/09 01:23:07 US/Pacific

The patch which allowed downloading an attachment to suggest a filename to
be used for downloading (instead of attachment.cgi) also introduced the
capability to display and edit that attachment name on the edit attachments
page.  It was discovered that some older browsers violated the RFCs on file
uploads and submitted the entire local pathname for the file instead of
just the name of the file itself.  To be affected, an uploader of the
attachment would have to have been using one of those browsers which leaked
this information when the upload took place.  The patch checked in to fix
this makes checksetup.pl check all existing attachments for full paths in
their filenames and remove the portion of the path prior to the basename
of the file; it also strips the pathname off if the browser submits a file
with a full pathname.
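
The path stripping described above, sketched in Python as an added example (not part of the original announcement and not Bugzilla's own code, which is Perl). The `attachments` table, its column names, the `unnamed` fallback and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Everything up to and including the last "/" or "\" is client-side path.
# Both separators are handled whatever the server's OS is, because the path
# comes from the uploader's machine: os.path.basename() on a Unix server
# would leave r"C:\Users\alice\notes.txt" untouched.
_CLIENT_PATH = re.compile(r"^.*[/\\]", re.DOTALL)


def strip_client_path(filename, fallback="unnamed"):
    """Return only the basename of a browser-supplied filename."""
    name = _CLIENT_PATH.sub("", filename)
    return name or fallback  # a name ending in a separator would become ""


def clean_stored_filenames(db):
    """One-time pass over stored rows; returns [(id, old, new), ...]."""
    changed = []
    rows = db.execute("SELECT attach_id, filename FROM attachments").fetchall()
    for attach_id, old in rows:
        new = strip_client_path(old)
        if new != old:
            db.execute("UPDATE attachments SET filename = ? WHERE attach_id = ?",
                       (new, attach_id))
            changed.append((attach_id, old, new))
    db.commit()
    return changed


def demo():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attachments "
               "(attach_id INTEGER PRIMARY KEY, filename TEXT)")
    db.executemany("INSERT INTO attachments VALUES (?, ?)", [
        (1, r"C:\Documents and Settings\alice\Desktop\crash.log"),
        (2, "/home/bob/work/secret-client/patch.diff"),
        (3, "screenshot.png"),  # already a bare name, left alone
    ])
    return clean_stored_filenames(db), db


if __name__ == "__main__":
    for attach_id, old, new in demo()[0]:
        print(f"{attach_id}: {old!r} -> {new!r}")
```

The same function serves both halves of the fix: call `strip_client_path` on each new upload before storing the name, and run `clean_stored_filenames` once over rows stored before the fix.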

---------------
Bug 179491 - Search of attachments data didn't enforce insiders
2002/08/19 21:17:20 to 2002/11/12 01:58:02 US/Pacific

It was possible to search on attachment titles/status, and get results
even if you couldn't see the attachment. Only existence or absence could
be tested; the exact contents and description of the summary remained
hidden. This only affects installations that used the 'insidergroup'
feature.

---------------
Bug 180545 - people without editbugs could change product/component
2002/08/12 05:42:55 to 2002/11/18 04:27:34 US/Pacific

People who were not in the editbugs group could change the product or
component of a bug. This was a regression from the conversion to using ID
numbers instead of names for products and components internally.  The
routine which was checking the permissions was looking for changes to the
product name (which was no longer getting changes submitted for it) rather
than changes to the product ID number.  The change was still logged in the
activity log and mails were still sent out (as would happen with a
permitted user changing these fields).

---------------

-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/


