Fwd: [SECURITY] [DSA 218-1] New bugzilla packages fix cross site scripting problem

David Miller justdave at syndicomm.com
Thu Jan 9 10:29:39 UTC 2003


----- Begin Forwarded Text -----

Date: Mon, 30 Dec 2002 13:43:09 -0500
To: security at debian.org, joey at infodrom.org
From: David Miller <justdave at syndicomm.com>
Subject: Fwd: [SECURITY] [DSA 218-1] New bugzilla packages fix cross site scripting problem
Cc:
Bcc:
X-Attachments:

Is there a reason this was worded the way it was?  "Bugzilla does not
properly sanitize any input submitted by users" without any additional
clarification in the same sentence (or even in the same paragraph) is an
outright lie, because input is validated hopefully everywhere.  The input
validation bug specifically referenced in this advisory was fixed in
version 2.12 of Bugzilla (current stable version is 2.16.1), and the vast
majority of the input validation bugs were resolved prior to the previous
Debian package that you released.  Although you do clarify it in the
following paragraph, people who aren't using Bugzilla and just reading it
as an FYI would likely read the first paragraph and go on to the next
email, and this paints a falsely negative image of Bugzilla as a whole by
claiming we're not doing any input validation when we are.

Don't get me wrong, even one little HTML encoding issue like this is a
serious issue (which is why we sent out a security advisory of our own
about it when it was discovered), so I'm not trying to make light of the
issue.  I'm only concerned with your wording in the Debian advisory.

----- Begin Forwarded Text -----

Date: Mon, 30 Dec 2002 15:11:17 +0100 (CET)
From: joey at infodrom.org (Martin Schulze)
Subject: [SECURITY] [DSA 218-1] New bugzilla packages fix cross site scripting problem
Mail-Followup-To: bugtraq at securityfocus.com
To: bugtraq at securityfocus.com
Resent-Date: Mon, 30 Dec 2002 08:17:26 -0600 (CST)
Resent-From: list at murphy.debian.org (SmartList)

--------------------------------------------------------------------------
Debian Security Advisory DSA 218-1                     security at debian.org
http://www.debian.org/security/                             Martin Schulze
December 30th, 2002                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : bugzilla
Vulnerability  : cross site scripting
Problem-Type   : remote
Debian-specific: no
BugTraq Id     : 6257

A cross site scripting vulnerability has been reported for Bugzilla, a
web-based bug tracking system.  Bugzilla does not properly sanitize
any input submitted by users.  As a result, it is possible for a
remote attacker to create a malicious link containing script code
which will be executed in the browser of a legitimate user, in the
context of the website running Bugzilla.  This issue may be exploited
to steal cookie-based authentication credentials from legitimate users
of the website running the vulnerable software.

This vulnerability only affects users who have the 'quips' feature
enabled and who upgraded from version 2.10 which did not exist inside
of Debian.  The Debian package history of Bugzilla starts with 1.13
and jumped to 2.13.  However, users could have installed version 2.10
prior to the Debian package.

For the current stable distribution (woody) this problem has been
fixed in version 2.14.2-0woody3.

The old stable distribution (potato) does not contain a Bugzilla
package.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your bugzilla packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody3.dsc
      Size/MD5 checksum:      621 5cffc6c1cb27caabaeab50f09d1eaba4

http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody3.diff.gz
      Size/MD5 checksum:    37296 cdb8158a7d72a439c8dd04e207721a10

http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2.orig.tar.gz
      Size/MD5 checksum:   933766 0c60df541e63e33d92ac9ba0fbb05be3

  Architecture independent components:


http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla-doc_2.14.2-0woody3_all.deb
      Size/MD5 checksum:   489566 6575c255a98a0bcea4b55b24c064215e

http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody3_all.deb
      Size/MD5 checksum:   274178 79345c65df4c9ede183089f0d5601fd7


  These files will probably be moved into the stable distribution on
  its next revision.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

----- End Forwarded Text -----

-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/
----- End Forwarded Text -----

###############################################################
###############################################################

----- Begin Forwarded Text -----

Date: Mon, 30 Dec 2002 20:43:26 +0100
From: Martin Schulze <joey at infodrom.org>
To: David Miller <justdave at syndicomm.com>
Cc: security at debian.org
Subject: Re: Fwd: [SECURITY] [DSA 218-1] New bugzilla packages fix cross site scripting problem
Mime-Version: 1.0
User-Agent: Mutt/1.4i

David Miller wrote:
> Is there a reason this was worded the way it was?  "Bugzilla does not
> properly sanitize any input submitted by users" without any additional
> clarification in the same sentence (or even in the same paragraph) is an
> outright lie, because input is validated hopefully everywhere.  The input
> validation bug specifically referenced in this advisory was fixed in

The Debian advisory reports about the problem and explains it.  In the
next paragraph it is written that this only affects users with quips
turned on and upgraded from one particular old version.  I don't see
that this is wrong, but if it is, please tell me where exactly it is
wrong.

You've quoted "Bugzilla does not properly sanitize any input submitted
by users" without the explanation that followed.  Well, if you cut off
one sentence, it may be used for anything and you can't blame us for
that.

Fortunately (or not, as you may claim), this paragraph is copied from
BugTraq:

   Reportedly, Bugzilla does not properly sanitize any input submitted
   by users. As a result, it is possible for a remote attacker to
   create a malicious link containing script code which will be
   executed in the browser of a legitimate user, in the context of the
   website running Bugzilla.

> version 2.12 of Bugzilla (current stable version is 2.16.1), and the vast
> majority of the input validation bugs were resolved prior to the previous

According to BugTraq, this problem was fixed in 2.14.4 and 2.16.1 and
not in 2.12, but BugTraq may be wrong, of course.  However, this was
my source of information.

> Debian package that you released.  Although you do clarify it in the
> following paragraph, people who aren't using Bugzilla and just reading it
> as an FYI would likely read the first paragraph and go on to the next
> email, and this paints a falsely negative image of Bugzilla as a whole by
> claiming we're not doing any input validation when we are.

I'm sorry, but I can't save ourselves from people who can't read or
don't want to read.

> Don't get me wrong, even one little HTML encoding issue like this is a
> serious issue (which is why we sent out a security advisory of our own
> about it when it was discovered), so I'm not trying to make light of the

Unfortunately I can't disagree.

> issue.  I'm only concerned with your wording in the Debian advisory.

I'd be happy to receive an improvement and update the text on the web.

Regards,

	Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry
----- End Forwarded Text -----

###############################################################
###############################################################

----- Begin Forwarded Text -----

Date: Mon, 30 Dec 2002 15:23:55 -0500
To: Martin Schulze <joey at infodrom.org>
From: David Miller <justdave at syndicomm.com>
Subject: Re: Fwd: [SECURITY] [DSA 218-1] New bugzilla packages fix cross site scripting problem
Cc: security at debian.org
Bcc:
X-Attachments:

On 12/30/02 8:43 PM +0100, Martin Schulze wrote:

> You've quoted "Bugzilla does not properly sanitize any input submitted
> by users" without the explanation that followed.  Well, if you cut off
> one sentence, it may be used for anything and you can't blame us for
> that.

It doesn't refute that claim anywhere in that paragraph, either.

> Fortunately (or not, as you may claim), this paragraph is copied from
> BugTraq:
>
>    Reportedly, Bugzilla does not properly sanitize any input submitted
>    by users. As a result, it is possible for a remote attacker to
>    create a malicious link containing script code which will be
>    executed in the browser of a legitimate user, in the context of the
>    website running Bugzilla.

The above paragraph does not appear anywhere in my local archives of
Bugtraq, so I must have missed that one.  We certainly never said anything
like that in our security advisory
(http://online.securityfocus.com/archive/1/301316).  I did locate the page
in question on the SecurityFocus website, and will mail a correction to
them as well.  That page did, however, have the two paragraphs in the
opposite order, which as silly as it sounds, changes the context a bit. :)

>> version 2.12 of Bugzilla (current stable version is 2.16.1), and the vast
>> majority of the input validation bugs were resolved prior to the previous
>
> According to BugTraq, this problem was fixed in 2.14.4 and 2.16.1 and
> not in 2.12, but BugTraq may be wrong, of course.  However, this was
> my source of information.

The input validation error was fixed in version 2.12.  The already existing
data in the database placed there before the input validation was put in
place was not corrected at that time, nor was the output when presenting
that data back to the user escaped properly.  The escaping of the data
output is what was corrected in 2.17.1 (2.14.4 and 2.16.1 are both still
vulnerable if not patched).  Bugtraq has this correct on their site.

> I'm sorry, but I can't save ourselves from people who can't read or
> don't want to read.

Yeah, don't I know it :(

>> issue.  I'm only concerned with your wording in the Debian advisory.
>
> I'd be happy to receive an improvement and update the text on the web.

Let's see, removing the word "any" from that sentence would probably be
plenty. :)  That or add "for quips" on the end of the sentence.  The latter
would probably be more accurate in this case.  And since the input
sanitizing was fixed in an older version, and not in this most recent one,
changing the "does" to "did" would probably help, too.

"Bugzilla did not properly sanitize any input submitted by users for use in
quips."
-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/
----- End Forwarded Text -----
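The distinction Dave draws in the message above, between validating quips on the way in (the 2.12-era fix) and escaping them on the way out (the 2.17.1 fix), as an added Python illustration. This is not Bugzilla's own code: the quip store, the markup check and both renderers are constructed for this example, and the second quip stands in for a row written before submission-time validation existed.

```python
import html
import re

# Constructed sample store. The first row is harmless; the second models a
# quip that entered the database before any input validation was in place,
# which is the "already existing data" the thread describes.
LEGACY_QUIPS = [
    "Have you tried turning it off and on again?",
    "Nice bug <script>alert(1)</script>",
]

_TAG_RE = re.compile(r"<[^>]*>")


def accept_quip_input(text: str) -> bool:
    """Submission-time check (assumed shape of an input-side fix): refuse a
    quip that carries markup. It protects new rows only; it never revisits
    rows that were stored before the check existed."""
    return _TAG_RE.search(text) is None


def render_quip_unescaped(quip: str) -> str:
    """Pre-fix rendering: trusts whatever is in the database and
    interpolates it into the page unchanged."""
    return f"<p class='quip'>{quip}</p>"


def render_quip_escaped(quip: str) -> str:
    """Output-side fix: escape at the point where stored text meets HTML,
    so it no longer matters when or how the row got into the database."""
    return f"<p class='quip'>{html.escape(quip, quote=True)}</p>"


def contains_markup(rendered: str) -> bool:
    """True if the quip body still reaches the browser as a live tag."""
    body = rendered[len("<p class='quip'>"):-len("</p>")]
    return _TAG_RE.search(body) is not None


def audit(quips, renderer) -> int:
    """Count quips in the store that the given renderer emits with live
    markup; a correct output-side fix drives this to zero for any store."""
    return sum(1 for q in quips if contains_markup(renderer(q)))
```

Input validation alone leaves the legacy row exploitable under the old renderer, while the escaped renderer neutralises it without touching the database.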

###############################################################
###############################################################

----- Begin Forwarded Text -----

Date: Mon, 30 Dec 2002 21:51:27 +0100
From: Martin Schulze <joey at infodrom.org>
To: David Miller <justdave at syndicomm.com>
Subject: Re: Fwd: [SECURITY] [DSA 218-1] New bugzilla packages fix cross site scripting problem
Mime-Version: 1.0
User-Agent: Mutt/1.4i

David Miller wrote:
> "Bugzilla did not properly sanitize any input submitted by users for use in
> quips."

Ok, except for the tense.

Regards,

	Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry
----- End Forwarded Text -----

###############################################################
###############################################################

I took this last one to mean he was doing it.  I didn't look.
SecurityFocus fixed theirs within an hour when I pointed it out to them.

Debian's still has the original (incorrect) wording.
http://www.debian.org/security/2002/dsa-218
-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/


