Operating System:

[WIN][UNIX/Linux]

Published:

24 December 2015

Protect yourself against future threats.

//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.

Read more
Resources > Security Bulletins > ESB-2015.3238 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3238
          Security advisory for Bugzilla 5.0.2, 4.4.11 and 4.2.16
                             24 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bugzilla
Publisher:         Bugzilla
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8509 CVE-2015-8508 

Original Bulletin: 
   https://bugzilla.mozilla.org/show_bug.cgi?id=1221518
   https://bugzilla.mozilla.org/show_bug.cgi?id=1232785

- --------------------------BEGIN INCLUDED TEXT--------------------

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* Unfiltered HTML injected into a dependency graph could be used to
  create a cross-site scripting attack.

* Some web browsers incorrectly parse CSV files as valid JavaScript
  code which could lead to data leak.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Cross-Site Scripting
Versions:    Bugzilla 2.6 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1
Fixed In:    4.2.16, 4.4.11, 5.0.2
Description: During the generation of a dependency graph, the code for
             the HTML image map is generated locally if a local dot
             installation is used. With escaped HTML characters in a bug
             summary, it is possible to inject unfiltered HTML code in
             the map file which the CreateImagemap function generates.
             This could be used for a cross-site scripting attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1221518
CVE Number:  CVE-2015-8508

Class:       Information Leak
Versions:    Bugzilla 2.17.1 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1
Fixed In:    4.2.16, 4.4.11, 5.0.2
Description: If an external HTML page contains a <script> element with
             its src attribute pointing to a buglist in CSV format, some
             web browsers incorrectly try to parse the CSV file as valid
             JavaScript code. As the buglist is generated based on the
             privileges of the user logged into Bugzilla, the external
             page could collect confidential data contained in the CSV
             file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1232785
CVE Number:  CVE-2015-8509


Vulnerability Solutions
=======================

The fixes for these issues are included in the 4.2.16, 4.4.11 and 5.0.2
releases. Upgrading to a release with the relevant fixes will
protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the security
vulnerabilities, there are patches available for the issues at the
"References" URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:

  https://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
issues:

Issue 1 reported by: Holger Fuhrmannek
Issue 2 reported by: Mario Gomes

Fixed by: Frédéric Buclin, Dylan William Hardison,
          David Lawrence, Gervase Markham


General information about the Bugzilla bug-tracking system can be found
at:

  https://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing these
forums.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVntBzX6ZAP0PgtI9AQJ26A/6Aji3agufpvu2RU4pU4wT6129NH6o6Hdq
P9zZyWNecAi1gSA+hHledKk/JgbF5XhAXy320dGYcy+ObvtS/7fGGGyHGk0oSHWK
2MjXIGRfhSo5//V3mseO4xdG22rzSZkK631PUwx8LS11YaW9XvvasE14LRPjlFL6
fPUAohj5g2qJvvEUMg/xpXS5PCm4vj5I0t5vVZMiEJMbx/788KUJ01MloGxapAdT
w013u106afuIsL38jfEwmtJeKibrpav+klcf6/eiHMfy6asEEZPk5cQuKHJxVAjY
pV46TM9olKuQKj66c6pBPSEdVCcQKApKaSrSC/nu37iepz5KCH6Sy8tbZozIP8t3
Tl4lw0SBRjAYqdJUa8fORNqADU5wg0Jpm7tVobLs5BkggLbwibEd3dM4wZYhgMH5
OelLALFGfYHc051rhnvX//pZk9VyuZEQgUi/LslGsC4zXBjXcqHn5aZZETlmbm/t
FXDk+3Oy+Gojz/6IsJskGSpBXB4/CFsF02YAaqidZi4neHs0RqZpQNY27J3dcdQj
CKlmvL+x0XPGx2iGT6Yd33gT/FyrcJraauqtJTZ98YNuN8Fo18i2F+QhCHq7IJIX
DsCUae002V/apFPJCHCTEmsO8Ww/ZMndJNSv1ODw58jAEbnh39K9V4xbT6F01XUJ
rVVl20tWbBo=
=/d8D
-----END PGP SIGNATURE-----