Committer: Tobias Mueller
Date: 2014-10-07 16:24:40 UTC
Revision ID: tobiasmue@gnome.org-20141007162440-cvr0q22p47xjp2jl

Backported relevant hunks of the CVE-2014-1573 patch
This is being tracked at
https://bugzilla.mozilla.org/show_bug.cgi?id=1075578
The hunks of the Attachment.pm reg. the contenttypemethod
needed to be adapted manually as they didn't fit out of the box.
But it was easy enough and it shouldn't break anything.
Some other hunks didn't apply, but it seems that the architecture of
this Bugzilla 3 is sufficiently different so that the modifications are
not necessary. I.e. when creating attachments (e.g. in post_bug), we
apparently cannot provide a URL, so this cannot be an attack vector.
However, I don't really understand how the actual attachments (i.e. the
file contents of an upload) are created. So I am not able to assess
whether we are vulnerable here.
The buglist.pm hunks didn't apply for new Bugzilla::Product. We do not
use the CGI input directly, so I guess we are doing fine.
As far as I can see, the GroupCheck in editgroups.pm works as intended,
so we do not need to patch.