Your message dated Tue, 28 Dec 2010 20:32:32 +0000
with message-id <[email protected]>
and subject line Bug#602420: fixed in bugzilla 3.6.2.0-4.2
has caused the Debian Bug report #602420,
regarding CVE-2010-3172 and CVE-2010-3764
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
602420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602420
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bugzilla
Severity: important
Tags: security

Hi,
Please see http://www.bugzilla.org/security/3.2.8/.

I'm attaching the extracted fixes, please apply/upload once the
current upload has migrated to Squeeze.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
diff -urN --exclude=CVS --exclude='lib/CGI*' --exclude=docs --exclude=.bzr bugzilla-3.6.2/Bugzilla/CGI.pm bugzilla-3.6.3/Bugzilla/CGI.pm
--- bugzilla-3.6.2/Bugzilla/CGI.pm	2010-07-15 10:34:25.000000000 -0700
+++ bugzilla-3.6.3/Bugzilla/CGI.pm	2010-11-02 16:35:08.000000000 -0700
@@ -223,7 +221,8 @@
     }
 
     # Set the MIME boundary and content-type
-    my $boundary = $param{'-boundary'} || '------- =_aaaaaaaaaa0';
+    my $boundary = $param{'-boundary'}
+        || '------- =_' . generate_random_password(16);
     delete $param{'-boundary'};
     $self->{'separator'} = "\r\n--$boundary\r\n";
     $self->{'final_separator'} = "\r\n--$boundary--\r\n";
 
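Review bot: The switch from the fixed boundary to `generate_random_password(16)` carries no comment saying why the boundary must be unpredictable, which is the whole point of the change (CVE-2010-3172 per the bug title); propose `# The boundary must be unpredictable: content under the sender's control could otherwise contain it and close the part early.` above the `my $boundary` line. A caller-supplied `-boundary` still wins through the `||`, so a caller passing a constant reintroduces the predictable value — worth a sentence in the same comment. `generate_random_password` is not imported within this hunk; presumably Bugzilla::Util exports it into CGI.pm, to be confirmed. The enclosing method starts before and ends after this hunk.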

=== modified file 'Bugzilla/Constants.pm'
--- Bugzilla/Constants.pm       2010-08-06 02:30:01 +0000
+++ Bugzilla/Constants.pm       2010-10-24 21:50:43 +0000
@@ -543,6 +543,7 @@
         'datadir'     => "$libpath/$datadir",
         'attachdir'   => "$libpath/$datadir/attachments",
         'skinsdir'    => "$libpath/skins",
+        'graphsdir'   => "$libpath/graphs",
         # $webdotdir must be in the web server's tree somewhere. Even if you 
use a 
         # local dot, we output images to there. Also, if $webdotdir is 
         # not relative to the bugzilla root directory, you'll need to 

=== modified file 'Bugzilla/Install/Filesystem.pm'
--- Bugzilla/Install/Filesystem.pm      2010-07-13 23:03:47 +0000
+++ Bugzilla/Install/Filesystem.pm      2010-10-24 21:59:38 +0000
@@ -74,6 +74,7 @@
     my $extlib        = bz_locations()->{'ext_libpath'};
     my $skinsdir      = bz_locations()->{'skinsdir'};
     my $localconfig   = bz_locations()->{'localconfig'};
+    my $graphsdir     = bz_locations()->{'graphsdir'};
 
     # We want to set the permissions the same for all localconfig files
     # across all PROJECTs, so we do something special with $localconfig,
@@ -176,7 +177,7 @@
                                   dirs => $ws_dir_writeable },
          $webdotdir         => { files => $ws_writeable,
                                   dirs => $ws_dir_writeable },
-         graphs             => { files => $ws_writeable,
+         $graphsdir         => { files => $ws_writeable,
                                   dirs => $ws_dir_writeable },
 
          # Readable directories
@@ -228,7 +229,7 @@
         "$datadir/extensions"   => $ws_dir_readable,
         $attachdir              => $ws_dir_writeable,
         $extensionsdir          => $ws_dir_readable,
-        graphs                  => $ws_dir_writeable,
+        $graphsdir              => $ws_dir_writeable,
         $webdotdir              => $ws_dir_writeable,
         "$skinsdir/custom"      => $ws_dir_readable,
         "$skinsdir/contrib"     => $ws_dir_readable,
@@ -331,8 +332,17 @@
 # in a subdirectory.
 deny from all
 EOT
-
-
+        },
+
+        "$graphsdir/.htaccess" => { perms => $ws_readable, contents => <<EOT
+# Allow access to .png and .gif files.
+<FilesMatch (\\.gif|\\.png)\$>
+  Allow from all
+</FilesMatch>
+
+# And no directory listings, either.
+Deny from all
+EOT
         },
     );
 
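Review bot: The new `$graphsdir/.htaccess` relies on Apache's default `Order deny,allow` for the `Allow from all` inside `<FilesMatch>` to override the trailing `Deny from all`; if a parent section sets `Order allow,deny`, the deny wins and the chart images become unreachable, so an explicit `Order deny,allow` as the first line of the heredoc makes the intent self-contained (the `.htaccess` blocks just above in this hash appear to follow the same convention, so align with them). Because the heredoc interpolates, `\\.` and `\$` become `\.` and `$` in the written file; a one-line comment above the entry, `# Interpolating heredoc: the written file reads <FilesMatch (\.gif|\.png)$>`, saves the next reader a double-take. The enclosing hash starts before this hunk and is closed at `);` inside it.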
@@ -358,10 +368,11 @@
     my %files = %{$fs->{create_files}};
 
     my $datadir = bz_locations->{'datadir'};
+    my $graphsdir = bz_locations->{'graphsdir'};
     # If the graphs/ directory doesn't exist, we're upgrading from
     # a version old enough that we need to update the $datadir/mining 
     # format.
-    if (-d "$datadir/mining" && !-d 'graphs') {
+    if (-d "$datadir/mining" && !-d $graphsdir) {
         _update_old_charts($datadir);
     }
 

=== modified file 'collectstats.pl'
--- collectstats.pl     2010-07-06 18:09:26 +0000
+++ collectstats.pl     2010-10-24 21:52:06 +0000
@@ -49,9 +49,12 @@
 # in the regenerate mode).
 $| = 1;
 
+my $datadir = bz_locations()->{'datadir'};
+my $graphsdir = bz_locations()->{'graphsdir'};
+
 # Tidy up after graphing module
 my $cwd = Cwd::getcwd();
-if (chdir("graphs")) {
+if (chdir($graphsdir)) {
     unlink <./*.gif>;
     unlink <./*.png>;
     # chdir("..") doesn't work if graphs is a symlink, see bug 429378
@@ -68,8 +71,6 @@
     $regenerate = 1;
 }
 
-my $datadir = bz_locations()->{'datadir'};
-
 my @myproducts = map {$_->name} Bugzilla::Product->get_all;
 unshift(@myproducts, "-All-");
 

=== modified file 'reports.cgi'
--- reports.cgi 2009-10-24 05:21:06 +0000
+++ reports.cgi 2010-10-24 21:50:43 +0000
@@ -45,31 +45,28 @@
 use Bugzilla::Error;
 use Bugzilla::Status;
 
+use File::Basename;
+use Digest::MD5 qw(md5_hex);
+
 # If we're using bug groups for products, we should apply those restrictions
 # to viewing reports, as well.  Time to check the login in that case.
 my $user = Bugzilla->login();
+my $cgi = Bugzilla->cgi;
+my $template = Bugzilla->template;
+my $vars = {};
 
 if (!Bugzilla->feature('old_charts')) {
     ThrowCodeError('feature_disabled', { feature => 'old_charts' });
 }
 
 my $dir       = bz_locations()->{'datadir'} . "/mining";
-my $graph_url = 'graphs';
-my $graph_dir = bz_locations()->{'libpath'} . '/' .$graph_url;
+my $graph_dir = bz_locations()->{'graphsdir'};
+my $graph_url = basename($graph_dir);
+my $product_name = $cgi->param('product') || '';
 
 Bugzilla->switch_to_shadow_db();
 
-my $cgi = Bugzilla->cgi;
-my $template = Bugzilla->template;
-my $vars = {};
-
-# We only want those products that the user has permissions for.
-my @myproducts;
-push( @myproducts, "-All-");
-# Extract product names from objects and add them to the list.
-push( @myproducts, map { $_->name } @{$user->get_selectable_products} );
-
-if (! defined $cgi->param('product')) {
+if (!$product_name) {
     # Can we do bug charts?
     (-d $dir && -d $graph_dir) 
       || ThrowCodeError('chart_dir_nonexistent',
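Review bot: `my $graph_url = basename($graph_dir);` assumes the graphs directory is a direct child of the web root: the image URL built later is relative, so a `graphsdir` configured anywhere other than `$libpath/graphs` (the value this patch sets in Constants.pm) would yield a broken link while the file is still written to `$graph_dir`. Make the constraint visible next to the assignment, e.g. `# graphsdir must live directly under the web root: the URL is its basename.`, or check that `$graph_dir` starts with `bz_locations()->{'libpath'}`. Separately, `$cgi->param('product') || ''` folds a product literally named `0` into the no-product branch; the defined-or form `// ''` avoids that where the supported Perl allows it. The script's main body continues past the end of the hunk.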
@@ -87,51 +84,62 @@
         push(@datasets, $datasets);
     }
 
+    # We only want those products that the user has permissions for.
+    my @myproducts = ('-All-');
+    # Extract product names from objects and add them to the list.
+    push( @myproducts, map { $_->name } @{$user->get_selectable_products} );
+
     $vars->{'datasets'} = \...@datasets;
     $vars->{'products'} = \...@myproducts;
 
     print $cgi->header();
-
-    $template->process('reports/old-charts.html.tmpl', $vars)
-      || ThrowTemplateError($template->error());
-    exit;
 }
 else {
-    my $product = $cgi->param('product');
-
     # For security and correctness, validate the value of the "product" form 
variable.
     # Valid values are those products for which the user has permissions which 
appear
     # in the "product" drop-down menu on the report generation form.
-    grep($_ eq $product, @myproducts)
-      || ThrowUserError("invalid_product_name", {product => $product});
-
-    # We've checked that the product exists, and that the user can see it
-    # This means that is OK to detaint
-    trick_taint($product);
-
-    defined($cgi->param('datasets')) || ThrowUserError('missing_datasets');
-
-    my $datasets = join('', $cgi->param('datasets'));
-
+    my ($product) = grep { $_->name eq $product_name } 
@{$user->get_selectable_products};
+    ($product || $product_name eq '-All-')
+      || ThrowUserError('invalid_product_name', {product => $product_name});
+
+    # Product names can change over time. Their ID cannot; so use the ID
+    # to generate the filename.
+    my $prod_id = $product ? $product->id : 0;
+
+    # Make sure there is something to plot.
+    my @datasets = $cgi->param('datasets');
+    scalar(@datasets) || ThrowUserError('missing_datasets');
+
+    if (grep { $_ !~ /^[A-Za-z0-9:_-]+$/ } @datasets) {
+        ThrowUserError('invalid_datasets', {'datasets' => \...@datasets});
+    }
+
+    # Filenames must not be guessable as they can point to products
+    # you are not allowed to see. Also, different projects can have
+    # the same product names.
+    my $key = Bugzilla->localconfig->{'site_wide_secret'};
+    my $project = bz_locations()->{'project'} || '';
+    my $image_file =  join(':', ($key, $project, $prod_id, @datasets));
+    # Wide characters cause md5_hex() to die.
+    if (Bugzilla->params->{'utf8'}) {
+        utf8::encode($image_file) if utf8::is_utf8($image_file);
+    }
     my $type = chart_image_type();
-    my $data_file = daily_stats_filename($product);
-    my $image_file = chart_image_name($data_file, $type, $datasets);
-    my $url_image = correct_urlbase() . "$graph_url/$image_file";
+    $image_file = md5_hex($image_file) . ".$type";
+    trick_taint($image_file);
 
     if (! -e "$graph_dir/$image_file") {
-        generate_chart("$dir/$data_file", "$graph_dir/$image_file", $type,
-                       $product, $datasets);
+        generate_chart($dir, "$graph_dir/$image_file", $type, $product, 
\...@datasets);
     }
 
-    $vars->{'url_image'} = $url_image;
+    $vars->{'url_image'} = "$graph_url/$image_file";
 
     print $cgi->header(-Content_Disposition=>'inline; 
filename=bugzilla_report.html');
-
-    $template->process('reports/old-charts.html.tmpl', $vars)
-      || ThrowTemplateError($template->error());
-    exit;
 }
 
+$template->process('reports/old-charts.html.tmpl', $vars)
+  || ThrowTemplateError($template->error());
+
 #####################
 #    Subroutines    #
 #####################
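Review bot: The dataset whitelist in `if (grep { $_ !~ /^[A-Za-z0-9:_-]+$/ } @datasets)` lets a single trailing newline through, because `$` also matches before a final `\n`; `\A[A-Za-z0-9:_-]+\z` makes the value that reaches `md5_hex` and `generate_chart` exactly the validated characters. The `trick_taint($image_file)` after `md5_hex` is safe but says nothing about why; propose `# md5_hex yields [0-9a-f]+ and $type comes from chart_image_type(), so detainting is safe.` on the line above it. The comment on the filename could also state what is being protected: `# Filenames are an md5 over the site secret so a user cannot enumerate charts for products they may not see.`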
@@ -140,9 +148,8 @@
     my $dir = shift;
 
     my @datasets;
-    my $datafile = daily_stats_filename('-All-');
-    open(DATA, '<', "$dir/$datafile")
-      || ThrowCodeError('chart_file_open_fail', {filename => 
"$dir/$datafile"});
+    open(DATA, '<', "$dir/-All-")
+      || ThrowCodeError('chart_file_open_fail', {filename => "$dir/-All-"});
 
     while (<DATA>) {
         if (/^# fields?: (.+)\s*$/) {
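Review bot: The rewritten `open(DATA, '<', "$dir/-All-")` keeps the bareword handle `DATA`, which is global and is also the handle Perl attaches to a `__DATA__` section; a lexical handle avoids both, `open(my $fh, '<', "$dir/-All-")` with the loop changed to `while (<$fh>)`. This is a point of style on the new line, not a behaviour change, and the `ThrowCodeError` fallback can stay as is. The enclosing sub starts before this hunk (`my $dir = shift;` is its first visible line) and ends after it.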
@@ -154,12 +161,6 @@
     return @datasets;
 }
 
-sub daily_stats_filename {
-    my ($prodname) = @_;
-    $prodname =~ s/\//-/gs;
-    return $prodname;
-}
-
 sub chart_image_type {
     # what chart type should we be generating?
     my $testimg = Chart::Lines->new(2,2);
@@ -169,32 +170,12 @@
     return $type;
 }
 
-sub chart_image_name {
-    my ($data_file, $type, $datasets) = @_;
-
-    # This routine generates a filename from the requested fields. The problem
-    # is that we have to check the safety of doing this. We can't just require
-    # that the fields exist, because what stats were collected could change
-    # over time (eg by changing the resolutions available)
-    # Instead, just require that each field name consists only of letters,
-    # numbers, underscores and hyphens.
-
-    if ($datasets !~ m/^[A-Za-z0-9:_-]+$/) {
-        ThrowUserError('invalid_datasets', {'datasets' => $datasets});
-    }
-
-    # Since we pass the tests, consider it OK
-    trick_taint($datasets);
-
-    # Cache charts by generating a unique filename based on what they
-    # show. Charts should be deleted by collectstats.pl nightly.
-    my $id = join ("_", split (":", $datasets));
-
-    return "${data_file}_${id}.$type";
-}
-
 sub generate_chart {
-    my ($data_file, $image_file, $type, $product, $datasets) = @_;
+    my ($dir, $image_file, $type, $product, $datasets) = @_;
+    $product = $product ? $product->name : '-All-';
+    my $data_file = $product;
+    $data_file =~ s/\//-/gs;
+    $data_file = $dir . '/' . $data_file;
 
     if (! open FILE, $data_file) {
         if ($product eq '-All-') {
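Review bot: The new `$data_file` is built from the product name (only `/` rewritten to `-`) and then handed to the unchanged `open FILE, $data_file` two lines below, which is a two-argument open: Perl parses mode characters and a trailing `|` out of the filename, so the open mode is decided by data rather than by code. The fix is one line, `open(my $fh, '<', $data_file)`, with the later `<FILE>` reads (outside this hunk) switched to `<$fh>`; the existing error handling can stay. `$product` changes meaning mid-function after `$product = $product ? $product->name : '-All-';`, so a comment such as `# $product is an object (undef for -All-) on entry and a plain name from here on.` would help. generate_chart continues past the end of the hunk.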
@@ -205,7 +186,7 @@
 
     my @fields;
     my @labels = qw(DATE);
-    my %datasets = map { $_ => 1 } split /:/, $datasets;
+    my %datasets = map { $_ => 1 } @$datasets;
 
     my %data = ();
     while (<FILE>) {

=== modified file 'template/en/default/global/user-error.html.tmpl'
--- template/en/default/global/user-error.html.tmpl     2010-10-14 00:43:05 
+0000
+++ template/en/default/global/user-error.html.tmpl     2010-10-24 21:50:43 
+0000
@@ -919,7 +919,7 @@
 
   [% ELSIF error == "invalid_datasets" %]
     [% title = "Invalid Datasets" %]
-    Invalid datasets <em>[% datasets FILTER html %]</em>. Only digits,
+    Invalid datasets <em>[% datasets.join(":") FILTER html %]</em>. Only 
digits,
     letters and colons are allowed.
 
   [% ELSIF error == "invalid_format" %]

=== modified file 'template/en/default/reports/old-charts.html.tmpl'
--- template/en/default/reports/old-charts.html.tmpl    2007-11-12 04:03:16 
+0000
+++ template/en/default/reports/old-charts.html.tmpl    2010-10-24 21:50:43 
+0000
@@ -51,7 +51,7 @@
               [%# We cannot use translated statuses and resolutions from 
field-descs.none.html
                 # because old charts do not distinguish statuses from 
resolutions. %]
               [% FOREACH dataset = datasets %]
-                <option value="[% dataset.value FILTER html %]:"
+                <option value="[% dataset.value FILTER html %]"
                   [% " selected=\"selected\"" IF dataset.selected %]>
                   [% dataset.value FILTER html %]</option>
               [% END %]


--- End Message ---
--- Begin Message ---
Source: bugzilla
Source-Version: 3.6.2.0-4.2

We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:

bugzilla3-doc_3.6.2.0-4.2_all.deb
  to main/b/bugzilla/bugzilla3-doc_3.6.2.0-4.2_all.deb
bugzilla3_3.6.2.0-4.2_all.deb
  to main/b/bugzilla/bugzilla3_3.6.2.0-4.2_all.deb
bugzilla_3.6.2.0-4.2.debian.tar.gz
  to main/b/bugzilla/bugzilla_3.6.2.0-4.2.debian.tar.gz
bugzilla_3.6.2.0-4.2.dsc
  to main/b/bugzilla/bugzilla_3.6.2.0-4.2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mehdi Dogguy <[email protected]> (supplier of updated bugzilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Dec 2010 22:25:55 +0100
Source: bugzilla
Binary: bugzilla3 bugzilla3-doc
Architecture: source all
Version: 3.6.2.0-4.2
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Raphael Bossek <[email protected]>
Changed-By: Mehdi Dogguy <[email protected]>
Description: 
 bugzilla3  - web-based bug tracking system
 bugzilla3-doc - comprehensive guide to Bugzilla
Closes: 602420 602738
Changes: 
 bugzilla (3.6.2.0-4.2) testing-proposed-updates; urgency=low
 .
   * Non-maintainer upload.
   * Support for noninteractive mode in Debconf (Closes: #602738)
   * Add security patches (Closes: #602420):
     - 50_cve-2010-3172.sh fixes CVE-2010-3172
     - 70_cve-2010-3764.sh fixes CVE-2010-3764 (and remove 50_graphdir.sh)
Checksums-Sha1: 
 646820dceb4eba97f2e4f0d41108de6fbdd8d990 1821 bugzilla_3.6.2.0-4.2.dsc
 5b257770029c381d2e8d38f2ba9b7ed43a0d048c 101225 
bugzilla_3.6.2.0-4.2.debian.tar.gz
 fe09e4859c401d5b97994d008f23bdd5172d4876 2766674 bugzilla3_3.6.2.0-4.2_all.deb
 539e872a45917fad0c113adcdfc16e1df30e52d7 1416264 
bugzilla3-doc_3.6.2.0-4.2_all.deb
Checksums-Sha256: 
 34821efa063218188b23874af0ad3175ba9cbf91d934733b5fde9bc021c781ef 1821 
bugzilla_3.6.2.0-4.2.dsc
 463a11356c5d6fcd513f5a92b35011d594fc84c42f388fcaf76591867fc713ee 101225 
bugzilla_3.6.2.0-4.2.debian.tar.gz
 b1e6931978fefa4f0fc70897c4f797d47bba1d2d4b6e766f16a5c0c3fa236cb3 2766674 
bugzilla3_3.6.2.0-4.2_all.deb
 11b114db84db670515b2cb60be02868799c38f5b8db53da18240cbc175e235da 1416264 
bugzilla3-doc_3.6.2.0-4.2_all.deb
Files: 
 3dc19d5e71130cb62e3bc8a7e6736965 1821 web optional bugzilla_3.6.2.0-4.2.dsc
 2c54775d058c577f14a4769724556e31 101225 web optional 
bugzilla_3.6.2.0-4.2.debian.tar.gz
 72fb7410ebb9c315125ef6b9d6ecc40f 2766674 web optional 
bugzilla3_3.6.2.0-4.2_all.deb
 198da07cd93f4b18d3f017b928015995 1416264 doc optional 
bugzilla3-doc_3.6.2.0-4.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJNGkQTAAoJEDO+GgqMLtj/ND8P/3inT7IZg8LY53sxMpydBc7Y
ndXpXJ8wgdxpNiD+XIJY4Wex2oHfzkzYHKl54dNDVbFqPZK82e2QcLHxoXWNiakr
ehy2HUJfOqNyBVCJ4FCDT6X+777xgkOznPDXk+OHF/RVarF+EXneqSttgenUXjWW
I6ACnkz37qm7ijKkCJ0RY2S7kzVm4BvegUbyDAn9J+KLUDt02Ya2PXw5aV7JtDjA
DZKKQ8gFSTKj16XUgUJMjA3Ixg42Vnprm7ajrlllqGJ+HXKhR3YEewXN3wYUHaWZ
pLw8J34ic9Ed6V8fJ/k6mz2ZvZmiy47mDY7tiL49KOkxD6RWezdo0j0W1wxlkQKN
3HL6tWjYlLBXmbLXNgPDFhiuVOe0+TU79z0yRnRQ/Iv9UqXT1dAT+hYB0efj6DCG
5LID4JIIjA0BZ24oL5JY5GFQnHiJuuxjX/XkF7fh1CmF6i1M/pkTcBPnvhPK7kfX
jFl3eFhDz3dYCLkW5epjbrKtUkOSHNSrSu7BAFQ0d/9Ql4Sf9NWcgGeoipYXH5Mx
0k9lZeExsZwQ71o6xR5YH4lWv4nxfzXzhaue6TPX6q0LaFLlcz0nSQGkeRBbvmp+
hjHiTYJmhI+WnqbEfwWDePbjLnmmgWvlHiW4opkHmPLrCT7wJYKsmMrVWO5Mgroc
KFmB8QD2BF2EauzX5XfG
=s9rB
-----END PGP SIGNATURE-----



--- End Message ---
