[CVE-2008-4437] - Directory traversal vulnerability allows remote attackers to read arbitrary files via an XML file

Bug #281915 reported by Stefan Lesicnik
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| bugzilla (Debian) | Fix Released | Unknown | | |
| bugzilla (Ubuntu) | Fix Released | Undecided | Stefan Lesicnik | |
| Dapper | Invalid | Undecided | Unassigned | |
| Gutsy | Fix Released | Medium | Stefan Lesicnik | |
| Hardy | Fix Released | Medium | Stefan Lesicnik | |
| Intrepid | Fix Released | Medium | Stefan Lesicnik | |

Bug Description

Binary package hint: bugzilla

Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element.
CVE-2008-4437

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4437

Changed in bugzilla:
assignee: nobody → stefanlsd
status: New → In Progress
Stefan Lesicnik (stefanlsd) wrote :

The patch is released by upstream and is a simple sanity check with regex to remove leading '/' from an open(). It was built and tested that the patch applies successfully.

https://bugzilla.mozilla.org/show_bug.cgi?id=437169 are details and the patch.
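
The kind of check described in the comment above, as an added example that is not part of the original thread and is not the upstream Bugzilla patch: a hypothetical `safe_attachment_path` helper strips leading path data from an untrusted file name with a regex, then confirms the resolved file still sits inside the attachment directory. The helper name, the temporary directory and the sample names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Hypothetical helper (not Bugzilla code): map an untrusted attachment name
# taken from an imported XML file to a path inside $attach_dir.
# Returns the resolved path, or undef when the name must be rejected.
sub safe_attachment_path {
    my ($attach_dir, $untrusted) = @_;
    return unless defined $untrusted && $untrusted !~ /\0/;

    # Regex step: drop any leading path data, keeping only the last component.
    (my $name = $untrusted) =~ s{^.*[/\\]}{}s;
    return if $name eq '' || $name eq '.' || $name eq '..';

    my $base = realpath($attach_dir);
    return unless defined $base;

    # Only regular files that already exist in the directory are eligible.
    my $candidate = File::Spec->catfile($base, $name);
    return unless -f $candidate;

    # Defence in depth: resolve symlinks and confirm containment.
    my $full = realpath($candidate);
    return unless defined $full && index($full, "$base/") == 0;
    return $full;
}

# Constructed sample data: a temporary attachment directory with one file.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($dir, 'report.txt')) or die "open: $!";
print {$fh} "sample attachment\n";
close($fh);

# Constructed names as they might appear in an import file.
for my $name ('report.txt', 'sub/dir/report.txt', '../../etc/passwd',
              '/etc/passwd', '..', '') {
    my $path = safe_attachment_path($dir, $name);
    printf "%-22s => %s\n", "'$name'", defined $path ? $path : 'rejected';
}
```

Names that carry directory components are reduced to their final component before the lookup, so a name only resolves when a file of that name exists directly in the attachment directory.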

Stefan Lesicnik (stefanlsd) wrote :

Debdiff Gutsy

Stefan Lesicnik (stefanlsd) wrote :

Debdiff Hardy

Stefan Lesicnik (stefanlsd) wrote :

Waiting for fix to bugzilla3 in Intrepid before applying CVE.
https://launchpad.net/bugs/280641

Changed in bugzilla:
status: Unknown → New
Stefan Lesicnik (stefanlsd) wrote :

Bugzilla 3 now builds correctly in Intrepid and attached is the CVE patch.

Stefan Lesicnik (stefanlsd) wrote :

Dapper is not affected.

Changed in bugzilla:
status: New → Fix Released
Changed in bugzilla:
status: New → In Progress
status: New → Invalid
status: New → In Progress
Changed in bugzilla:
assignee: nobody → stefanlsd
assignee: nobody → stefanlsd
Luca Falavigna (dktrkranz) wrote :

Debian should have fixed this by including 3.0.5.0-1, mind preparing a debdiff against it?

Kees Cook (kees) wrote :

Thanks for preparing these, they are building in the security queue now and should be published shortly.

Changed in bugzilla:
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
Kees Cook (kees) wrote :

3.2 has this fixed in Jaunty.

Changed in bugzilla:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bugzilla - 3.0.4.1-2ubuntu1.1

---------------
bugzilla (3.0.4.1-2ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/maintenance/33_CVE-2008-4437.sh: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden> Mon, 13 Oct 2008 11:52:24 +0200

Changed in bugzilla:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bugzilla - 2.22.1-2.2ubuntu1.7.10.1

---------------
bugzilla (2.22.1-2.2ubuntu1.7.10.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden> Sat, 11 Oct 2008 21:56:21 +0200

Changed in bugzilla:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bugzilla - 2.22.1-2.2ubuntu1.8.04.1

---------------
bugzilla (2.22.1-2.2ubuntu1.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden> Sat, 11 Oct 2008 21:56:21 +0200

Changed in bugzilla:
status: Fix Committed → Fix Released