Security advisory for Bugzilla 4.4.13, 5.0.4, and 5.0.6
David Miller
justdave at bugzilla.org
Tue Sep 3 18:25:21 UTC 2024
Summary
=======
Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:
* A malicious user could create an account on a third-party service
such as GitHub which allows non-ASCII Unicode characters to be used
in email addresses and use it to log into a Bugzilla account with
lookalike ASCII characters in the email.
* Debugging code allowed XSS injection within the bug title
when viewing charts and reports if a specific URL param was
passed to enable the debugging code.
* Inserting specific multi-byte Unicode characters into bug
comments could cause email notifications about bug changes
to fail.
All affected installations are encouraged to upgrade as soon as
possible.
Vulnerability Details
=====================
Class: Authentication Bypass
Affected: Versions 3.3.1 to 4.4.14, 4.5.1 to 5.0.4, 5.0.5 to 5.0.6,
5.1.1 to 5.1.2, 5.3.2, git checkouts of "harmony" prior to
5.9.1
Fixed In: 4.4.14, 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: When using external authentication against a third party
service (such as GitHub) which allows non-ASCII Unicode
characters to be used in email addresses, Bugzilla's email
address match would normalize the email into ASCII before
comparing when using MySQL as a back end, enabling someone
to take over a Bugzilla account if they created a user with
an email address which would match that way on such a third
party service.
We are not aware of any known exploits for versions prior to
the "harmony" developer branch which has not yet been
released, as prior to that there were no known
authentication plugins for third party authentication for
Bugzilla. However, we are patching the earlier supported
versions to prevent it anyway just in case someone had
written their own plugin that might be affected.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1813629
CVE Number: CVE-2023-4657
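The failure mode above is an account-linking lookup that compares email addresses under a loosened equivalence (the advisory describes the MySQL back end normalizing the address to ASCII before comparing) rather than code point for code point. The following added example is not Bugzilla code; it models that weak comparison with a Unicode fold (constructed here, not MySQL's own collation logic) beside an exact lookup, and adds the check a defender would want: flag an externally asserted, non-ASCII address that only matches an existing ASCII account under the weak comparison. The account table and addresses are constructed sample data.

```python
import unicodedata

# Constructed sample of local Bugzilla accounts keyed by their stored email.
LOCAL_ACCOUNTS = {
    "alice@example.com": {"id": 1, "name": "Alice"},
}


def fold_like_ci_collation(s: str) -> str:
    """Model of an accent- and case-insensitive comparison (an assumption,
    standing in for the database collation): compatibility-decompose, drop
    combining marks so diacritics disappear, and casefold.  Full-width
    letters and accented letters all collapse onto plain ASCII."""
    decomposed = unicodedata.normalize("NFKD", s)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.casefold()


def lookup_weak(email: str):
    """Vulnerable pattern: match on the folded form, so a lookalike address
    asserted by an external identity provider lands on someone else's account."""
    key = fold_like_ci_collation(email)
    for local_email, account in LOCAL_ACCOUNTS.items():
        if fold_like_ci_collation(local_email) == key:
            return account
    return None


def lookup_strict(email: str):
    """Hardened pattern: exact code-point comparison of the asserted address."""
    return LOCAL_ACCOUNTS.get(email)


def is_lookalike_takeover_attempt(email: str) -> bool:
    """Defender-side check: a non-ASCII address that matches an existing
    account only under the weak comparison should be rejected and logged."""
    if email.isascii():
        return False
    return lookup_weak(email) is not None and lookup_strict(email) is None


if __name__ == "__main__":
    # Constructed lookalikes: 'e' with an acute accent, and a full-width 'a'.
    for asserted in ("alic\u00e9@example.com", "\uff41lice@example.com"):
        print(asserted, "weak ->", lookup_weak(asserted),
              "strict ->", lookup_strict(asserted),
              "flag ->", is_lookalike_takeover_attempt(asserted))
```

Run it and the weak lookup resolves both lookalike addresses to Alice's account while the strict lookup resolves neither, which is the gap the patched releases close.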
Class: Cross-site Scripting (XSS)
Affected: All versions before 4.4.14, 4.5.1 to 5.0.4, 5.0.5 to 5.0.6,
5.1.1 to 5.1.2, 5.3.2, git checkouts of "harmony" prior to
5.9.1
Fixed In: 4.4.14, 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: Debugging code allowed XSS injection within the bug title
when viewing charts and reports if a specific URL param was
passed to enable the debugging code.
Passing the debug flag now forces an HTML content type
regardless of the requested type, and properly filters the
debug output.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1439260
CVE Number: CVE-2023-5206
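The two halves of the fix described above (escape the debug dump, and always serve it as HTML so that the escaping applied matches the content type the browser will interpret) can be seen side by side in this added example. It is a constructed model of a report page's debug output, not Bugzilla's own template code; the function names and the sample bug title are assumptions.

```python
import html


def render_debug_dump(bug_title: str, requested_type: str, hardened: bool):
    """Return (content_type, body) for a chart/report page with the debug
    flag set.  hardened=False models the pre-fix behaviour described in the
    advisory; hardened=True models the fixed behaviour.  Both are constructed."""
    if not hardened:
        # Pre-fix (modelled): raw bug title interpolated into the debug dump
        # and the caller's requested content type honoured, so a title
        # containing markup is rendered as markup.
        return requested_type, f"<pre>title = {bug_title}</pre>"
    # Fixed (modelled): every value in the dump is HTML-escaped and the
    # response is forced to text/html, so the escaping and the content type
    # the browser applies agree regardless of what was requested.
    return "text/html; charset=UTF-8", f"<pre>title = {html.escape(bug_title)}</pre>"


def dump_is_safe(content_type: str, body: str) -> bool:
    """Check a defender can run over rendered output: no raw tag in the body
    and the body declared as HTML so escaping is the right defence."""
    return "<script" not in body and content_type.startswith("text/html")


if __name__ == "__main__":
    # Constructed title carrying markup, the kind of value the debug code echoed.
    title = "Crash when saving <script>alert(1)</script>"
    for hardened in (False, True):
        ctype, body = render_debug_dump(title, "text/csv", hardened)
        print(hardened, ctype, dump_is_safe(ctype, body), body)
```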
Class: Denial of Service
Affected: Versions 5.0.2 to 5.0.4, 5.0.5 to 5.0.6, 5.1.2, 5.3.2,
git checkouts of "harmony" prior to 5.9.1
Fixed In: 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: Inserting specific multi-byte Unicode characters into bug
comments could cause email notifications about bug changes
to fail.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1880288
Vulnerability Solutions
=======================
The fix for these issues is included in the 4.4.14, 5.0.4.1, 5.2, 5.3.3, and 5.9.1
releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of these issues.
If you are unable to upgrade but would like to patch just the security
vulnerability, there are patches available for the issues at the
"References" URL.
Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:
https://www.bugzilla.org/download/
A Note About Upgrade Paths
==========================
Bugzilla Versions within the 5.0.x range:
* Versions 5.0.4 and older should upgrade to 5.0.4.1
* Versions 5.0.5 and 5.0.6 should upgrade to 5.2 (which is equivalent to a
point upgrade for you).
Other versions of Bugzilla should upgrade to the newest version within
the same branch.
Credits
=======
The Bugzilla team wishes to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
issues:
Issue 1 Reporter: Aaryan9898
Issue 1 Fixed by: David Lawrence, David Miller
Issue 2 Reporter: Holger Fuhrmannek
Issue 2 Fixed by: David Miller
Issue 3 Reporter: Frédéric Buclin
Issue 3 Fixed by: Frédéric Buclin, David Miller
General information about the Bugzilla bug-tracking system can be found
at:
https://www.bugzilla.org/
Comments and follow-ups can be directed to the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing this forum.
Dave Miller
Project Leader
Bugzilla Project
https://bugzilla.org/