[CVE-2008-4437] - Directory traversal vulnerability allows remote attackers to read arbitrary files via an XML file

Bug #281915 reported by Stefan Lesicnik on 2008-10-11
Affects | Status | Importance | Assigned to | Milestone
bugzilla (Debian) | Fix Released | Unknown | |
bugzilla (Ubuntu) | | Undecided | Stefan Lesicnik |
Dapper | | Undecided | Unassigned |
Gutsy | | Medium | Stefan Lesicnik |
Hardy | | Medium | Stefan Lesicnik |
Intrepid | | Medium | Stefan Lesicnik |

Bug Description

Binary package hint: bugzilla

Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element.
CVE-2008-4437

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4437

Changed in bugzilla:
assignee: nobody → stefanlsd
status: New → In Progress
Stefan Lesicnik (stefanlsd) wrote :

The patch is released by upstream and is a simple sanity check with regex to remove leading '/' from an open(). It was built and tested that the patch applies successfully.

https://bugzilla.mozilla.org/show_bug.cgi?id=437169 are details and the patch.
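
The kind of filename check this report describes, as an added illustration (not the upstream Bugzilla patch and not code from this report). The helper name `resolve_attachment`, the sample file names and the extra containment check after the regex are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Hypothetical helper (not Bugzilla's code): map the file name taken from an
# imported XML <data> element to a path inside $attach_dir, or return undef.
sub resolve_attachment {
    my ($attach_dir, $name) = @_;
    return unless defined $name;

    # Strip any leading path data, for both '/' and '\' separators.
    (my $base = $name) =~ s{^.*[/\\]}{}s;

    # Reject what is left if it is empty, a dot entry, or contains a NUL.
    return if $base eq '' || $base eq '.' || $base eq '..' || $base =~ /\0/;

    # Resolve symlinks and confirm the result is a regular file under the
    # attachment directory (defence in depth on top of the stripping).
    my $root = realpath($attach_dir);
    my $full = realpath(File::Spec->catfile($root, $base));
    return unless defined $full && -f $full;
    return unless index($full, "$root/") == 0;
    return $full;
}

# Constructed sample data: a temporary attachment directory with one file.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($dir, 'report.txt')) or die "open: $!";
print {$fh} "sample attachment\n";
close($fh);

# Constructed inputs: one plain name, then names carrying path data.
for my $name ('report.txt', '../../etc/passwd', '/etc/passwd',
              '..\\..\\boot.ini', 'sub/../report.txt', '..', '') {
    my $path = resolve_attachment($dir, $name);
    printf "%-22s => %s\n", "'$name'", defined $path ? $path : 'rejected';
}
```

Only names whose final component is an existing regular file in the attachment directory resolve; everything else is rejected before any open().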

Stefan Lesicnik (stefanlsd) wrote :

Debdiff Gutsy

Stefan Lesicnik (stefanlsd) wrote :

Debdiff Hardy

Stefan Lesicnik (stefanlsd) wrote :

Waiting for fix to bugzilla3 in Intrepid before applying CVE.
https://launchpad.net/bugs/280641

Changed in bugzilla:
status: Unknown → New
Stefan Lesicnik (stefanlsd) wrote :

Bugzilla 3 now builds correctly in Intrepid and attached is the CVE patch.

Stefan Lesicnik (stefanlsd) wrote :

Dapper is not affected.

Changed in bugzilla:
status: New → Fix Released
Changed in bugzilla:
status: New → In Progress
status: New → Invalid
status: New → In Progress
Changed in bugzilla:
assignee: nobody → stefanlsd
assignee: nobody → stefanlsd
Luca Falavigna (dktrkranz) wrote :

Debian should have fixed this by including 3.0.5.0-1, mind preparing a debdiff against it?

Kees Cook (kees) wrote :

Thanks for preparing these, they are building in the security queue now and should be published shortly.

Changed in bugzilla:
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
Kees Cook (kees) wrote :

3.2 has this fixed in Jaunty.

Changed in bugzilla:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bugzilla - 3.0.4.1-2ubuntu1.1

---------------
bugzilla (3.0.4.1-2ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/maintenance/33_CVE-2008-4437.sh: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden> Mon, 13 Oct 2008 11:52:24 +0200

Changed in bugzilla:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bugzilla - 2.22.1-2.2ubuntu1.7.10.1

---------------
bugzilla (2.22.1-2.2ubuntu1.7.10.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden> Sat, 11 Oct 2008 21:56:21 +0200

Changed in bugzilla:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bugzilla - 2.22.1-2.2ubuntu1.8.04.1

---------------
bugzilla (2.22.1-2.2ubuntu1.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
    Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
    is enabled, allows remote attackers to read arbitrary files via an
    XML file with a .. (dot dot) in the data element.(LP: #281915)
    - debian/patches/CVE-2008-4437.dpatch: upstream patch with regex
      to remove any leading path data from the filename.
    - CVE-2008-4437

 -- Stefan Lesicnik <email address hidden> Sat, 11 Oct 2008 21:56:21 +0200

Changed in bugzilla:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.