Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2010-0180

Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field.

Related bugs and status

CVE-2010-0180 (Candidate) is related to these bugs:

Bug #415451: Please upgrade bugzilla to version 3.4.6

Summary				In	Importance	Status
	415451	Please upgrade bugzilla to version 3.4.6		bugzilla (Ubuntu)	Wishlist	Fix Released
	415451	Please upgrade bugzilla to version 3.4.6		bugzilla (Debian)	Unknown	Fix Released

Bug #606309: Sync bugzilla 3.4.7.0-1 (universe) from Debian unstable (main)

Summary				In	Importance	Status
	606309	Sync bugzilla 3.4.7.0-1 (universe) from Debian unstable (main)		bugzilla (Ubuntu)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://www.bugzilla.or...
CONFIRM: https://bugzilla.mozil...
BID: 41144
SECUNIA: 40300
VUPEN: ADV-2010-1595