Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu
Hi,
bugzilla had another two security updates that we should consider for stable;
they are no-dsa.
Debdiff attached; the unconventional version is a historical relic.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500,
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru bugzilla-3.6.2.0/debian/changelog bugzilla-3.6.2.0/debian/changelog
--- bugzilla-3.6.2.0/debian/changelog 2011-10-09 20:58:04.0 +0100
+++ bugzilla-3.6.2.0/debian/changelog 2012-01-07 14:22:10.0 +
@@ -1,3 +1,24 @@
+bugzilla (3.6.2.0-4.6) stable; urgency=low
+
+ * Non-maintainer upload.
+ * Add security patches:
+- 87_cve-2011-3657.sh
+ Tabular and graphical reports, as well as new charts have
+ a debug mode which displays raw data as plain text. This
+ text is not correctly escaped and a crafted URL could
+ use this vulnerability to inject code leading to XSS.
+- 88_cve-2011-3667.sh
+ The User.offer_account_by_email WebService method ignores
+ the user_can_create_account setting of the authentication
+ method and generates an email with a token in it which the
+ user can use to create an account. Depending on the
+ authentication method being active, this could allow the
+ user to log in using this account.
+ Installations where the createemailregexp parameter is
+ empty are not vulnerable to this issue.
+
+ -- Jonathan Wiltshire Sat, 07 Jan 2012 14:16:43 +
+
bugzilla (3.6.2.0-4.5) stable-security; urgency=low
* Non-maintainer upload.
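Review bot: the new changelog entry names the two patch scripts but carries no bug references; the upstream bug ids are already in the patch headers further down (697699 for CVE-2011-3657, 711714 for CVE-2011-3667), and quoting them, or the corresponding Debian bug numbers, in the entry would let the stable update be audited from the changelog alone.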
diff -Nru bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh
--- bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh 1970-01-01 01:00:00.0 +0100
+++ bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh 2012-01-07 14:12:58.0 +
@@ -0,0 +1,41 @@
+#!/bin/sh
+# CVE-2011-3657
+set -e
+
+echo "> $0 $*"
+
+cd "$1" && patch -p1 < "$0"
+
+exit 0
+
+Description: CVE-2011-3657
+Origin: http://bzr.mozilla.org/bugzilla/3.6/revision/7266
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=697699
+
+--- a/Bugzilla/Chart.pm 2009-08-17 22:59:52 +
b/Bugzilla/Chart.pm 2011-12-28 21:51:44 +
+@@ -438,7 +438,7 @@
+
+ require Data::Dumper;
+ print "Bugzilla::Chart object:\n";
+-print Data::Dumper::Dumper($self);
++print html_quote(Data::Dumper::Dumper($self));
+ print "";
+ }
+
+
+--- a/report.cgi 2010-12-08 20:16:46 +
b/report.cgi 2011-12-28 21:51:44 +
+@@ -307,9 +307,9 @@
+ if ($cgi->param('debug')) {
+ require Data::Dumper;
+ print "data hash:\n";
+-print Data::Dumper::Dumper(%data) . "\n\n";
++print html_quote(Data::Dumper::Dumper(%data)) . "\n\n";
+ print "data array:\n";
+-print Data::Dumper::Dumper(@image_data) . "\n\n";
++print html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n";
+ }
+
+ # All formats point to the same section of the documentation.
+
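Review bot: in the wrapper header (`set -e`, then `cd "$1" && patch -p1 < "$0"`, then an unconditional `exit 0`) a failing `cd "$1"` does not abort the script, because `set -e` ignores a failure on the left-hand side of an `&&` list; the script falls through to `exit 0` and the build reports success with the patch never applied. Putting `cd "$1"` on its own line followed by `patch -p1 < "$0"` keeps `set -e` effective for both commands; the same wrapper is used in 88_cve-2011-3667.sh. Separately, the embedded Bugzilla/Chart.pm and report.cgi hunks introduce `html_quote(...)` calls without any import in the context shown, so the upload should confirm both files already import html_quote from Bugzilla::Util (as in the referenced upstream revision 7266); otherwise the debug path dies at runtime instead of escaping the output.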
diff -Nru bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh
--- bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh 1970-01-01 01:00:00.0 +0100
+++ bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh 2012-01-07 14:15:43.0 +
@@ -0,0 +1,206 @@
+#!/bin/sh
+# CVE-2011-3667
+set -e
+
+echo "> $0 $*"
+
+cd "$1" && patch -p1 < "$0"
+
+exit 0
+
+Description: CVE-2011-3667
+Origin: http://bzr.mozilla.org/bugzilla/3.6/revision/7267
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=711714
+
+--- a/Bugzilla/User.pm 2010-02-18 00:16:31 +
b/Bugzilla/User.pm 2011-12-28 22:18:06 +
+@@ -1694,6 +1694,32 @@
+ return 1;
+ }
+
++sub check_account_creation_enabled {
++my $self = shift;
++
++# If we're using e.g. LDAP for login, then we can't create a new account.
++$self->authorizer->user_can_create_account
++ || ThrowUserError('auth_cant_create_account');
++
++Bugzilla->params->{'createemailregexp'}
++ || ThrowUserError('account_creation_disabled');
++}
++
++sub check_and_send_account_creation_confirmation {
++my ($self, $login) = @_;
++
++$login = $self->check_login_name_for_creation($login);
++my $creation_regexp = Bugzilla->params->{'createemailregexp'};
++
++if ($login !~ /$creation_regexp/i) {
++ThrowUserError('account_creation_restricted');
++}
++
++# Create and send a token for this new account.
++require Bugzilla::Token;
++Bugzilla::Token::issue_new_user_account_token($login);
++}
++
+ sub login_to_id {
+ my ($login, $throw_error) = @_;
+ my $dbh = Bugzilla->dbh;
+@@ -2196,6 +
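Review bot: `check_and_send_account_creation_confirmation` does not call `check_account_creation_enabled` itself, so the behaviour the changelog describes (an empty `createemailregexp` disables account creation) holds only if every caller invokes both methods in order. If it is reached with an empty `createemailregexp`, `$login !~ /$creation_regexp/i` interpolates an empty pattern, which Perl treats as "reuse the last successfully matched regexp", so the restriction check becomes unpredictable rather than failing closed. Calling `$self->check_account_creation_enabled` at the top of `check_and_send_account_creation_confirmation`, or testing `length $creation_regexp` before the match, would make the method safe on its own; the WebService caller is not visible in this part of the hunk, so the call order cannot be verified from the excerpt.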