diff -u bugzilla-3.0.4.1/debian/changelog bugzilla-3.0.4.1/debian/changelog
--- bugzilla-3.0.4.1/debian/changelog
+++ bugzilla-3.0.4.1/debian/changelog
@@ -1,3 +1,15 @@
+bugzilla (3.0.4.1-2ubuntu1.1) intrepid; urgency=low
+
+ * SECURITY UPDATE: Directory traversal vulnerability in importxml.pl in
+ Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
+ is enabled, allows remote attackers to read arbitrary files via an
+ XML file with a .. (dot dot) in the data element.(LP: #281915)
+ - debian/maintenance/33_CVE-2008-4437.sh: upstream patch with regex
+ to remove any leading path data from the filename.
+ - CVE-2008-4437
+
+ -- Stefan Lesicnik Mon, 13 Oct 2008 11:52:24 +0200
+
 bugzilla (3.0.4.1-2ubuntu1) intrepid; urgency=low
 * Merge from debian unstable, remaining changes:
only in patch2:
unchanged:
--- bugzilla-3.0.4.1.orig/debian/maintenance/33_CVE-2008-4437.sh
+++ bugzilla-3.0.4.1/debian/maintenance/33_CVE-2008-4437.sh
@@ -0,0 +1,31 @@
+#! /bin/sh
+# Fix for CVE 2008-4437
+
+set -e
+
+echo "$0 $*"
+
+cd $1
+patch -p1 < $0
+
+exit 0
+
+diff -urNad bugzilla-2.22.1~/importxml.pl bugzilla-2.22.1/importxml.pl
+--- bugzilla-2.22.1~/importxml.pl 2006-07-13 21:06:15.000000000 +0200
++++ bugzilla-2.22.1/importxml.pl 2008-10-11 21:55:31.000000000 +0200
+@@ -415,8 +415,13 @@
+ elsif ($encoding =~ /filename/) {
+ # read the attachment file
+ Error("attach_path is required", undef) unless ($attach_path);
+- my $attach_filename = $attach_path . "/" . $attach->field('data');
+- open(ATTACH_FH, $attach_filename) or
++
++ my $filename = $attach->field('data');
++ # Remove any leading path data from the filename
++ $filename =~ s/(.*\/|.*\\)//gs;
++
++ my $attach_filename = $attach_path . "/" . $filename;
++ open(ATTACH_FH, "<", $attach_filename) or
+ Error("cannot open $attach_filename", undef);
+ $attachment{'data'} = do { local $/; };
+ close ATTACH_FH;
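Review bot: After the `s/(.*\/|.*\\)//gs` strip in the embedded importxml.pl hunk, `$filename` can still be empty, `.` or `..` (a `data` value that ends in a separator, or one with no separator at all), so `$attach_path . "/" . $filename` may name a directory instead of an attachment file. A guard directly after the substitution would make the intent explicit, for example `Error("invalid attachment filename", undef) if $filename eq '' || $filename =~ /\A\.\.?\z/;`, and a `-f $attach_filename` test before the `open` would reject anything that is not a plain file. The existing comment could also record why the strip is there: `# 'data' comes from the imported XML and is untrusted; keep only the basename so the path cannot leave $attach_path`. The enclosing `elsif` branch starts and ends outside the hunk, and whether `Error()` aborts processing is not visible here, so the guard assumes it does.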