~ubuntu-branches/debian/squeeze/bugzilla/squeeze

Viewing changes to debian/maintenance/81_cve-2010-4568.sh

Committer: Package Import Robot
Author(s): Jonathan Wiltshire
Date: 2012-01-07 14:16:43 UTC
Revision ID: package-import@ubuntu.com-20120107141643-1ch1qr3eany7set2

Tags: 3.6.2.0-4.5

* Non-maintainer upload.
* Add security patches:
  - 87_cve-2011-3657.sh
    Tabular and graphical reports, as well as new charts have
    a debug mode which displays raw data as plain text. This
    text is not correctly escaped and a crafted URL could
    use this vulnerability to inject code leading to XSS.
  - 88_cve-2011-3667.sh
    The User.offer_account_by_email WebService method ignores
    the user_can_create_account setting of the authentication
    method and generates an email with a token in it which the
    user can use to create an account. Depending on the
    authentication method being active, this could allow the
    user to log in using this account.
    Installations where the createemailregexp parameter is
    empty are not vulnerable to this issue.

files added:
debian/maintenance/79_cve-2010-4572.sh

debian/maintenance/80_cve-2010-4567_cve-2011-0048.sh

debian/maintenance/81_cve-2010-4568.sh

debian/maintenance/82_cve-2011-0046.sh

debian/maintenance/83_cve-2011-2978.sh

debian/maintenance/84_cve-2011-2381.sh

debian/maintenance/85_cve-2011-2380.sh

debian/maintenance/86_cve-2011-2379.sh

debian/maintenance/87_cve-2011-3657.sh

debian/maintenance/88_cve-2011-3667.sh

files modified:
debian/changelog

Show diffs side-by-side

added added

removed removed

debian/maintenance/81_cve-2010-4568.sh

#!/bin/sh

# CVE-2010-4568

set -e

echo "> $0 $*"

cd "$1" && patch -p1 < "$0"

exit 0

Description: improve the randomness of generate_random_password

CVE-2010-4568 Improve the randomness of generate_random_password, to protect

against an account compromise issue and other critical vulnerabilities.

Origin: http://bzr.mozilla.org/bugzilla/3.6/revision/7226

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=621591

Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611176

--- a/Bugzilla/Install/Localconfig.pm 2010-04-22 18:06:10 +0000

+++ b/Bugzilla/Install/Localconfig.pm 2011-01-24 21:48:17 +0000

@@ -205,7 +205,9 @@

{

name => 'site_wide_secret',

- default => sub { generate_random_password(256) },

+ # 64 characters is roughly the equivalent of a 384-bit key, which

+ # is larger than anybody would ever be able to brute-force.

+ default => sub { generate_random_password(64) },

desc => <<EOT

# This secret key is used by your installation for the creation and

# validation of encrypted tokens to prevent unsolicited changes,

@@ -323,7 +325,14 @@

my @new_vars;

foreach my $var (LOCALCONFIG_VARS) {

my $name = $var->{name};

- if (!defined $localconfig->{$name}) {

+ my $value = $localconfig->{$name};

+ # Regenerate site_wide_secret if it was made by our old, weak

+ # generate_random_password. Previously we used to generate

+ # a 256-character string for site_wide_secret.

+ $value = undef if ($name eq 'site_wide_secret' and defined $value

+ and length($value) == 256);

+ if (!defined $value) {

push(@new_vars, $name);

$var->{default} = &{$var->{default}} if ref($var->{default}) eq 'CODE';

if (exists $answer->{$name}) {

--- a/Bugzilla/Install/Requirements.pm 2011-01-21 21:16:42 +0000

+++ b/Bugzilla/Install/Requirements.pm 2011-01-24 21:48:17 +0000

@@ -288,6 +288,12 @@

version => '1.999022',

feature => ['mod_perl'],

+ {

+ package => 'Math-Random-Secure',

+ module => 'Math::Random::Secure',

+ version => '0.05',

+ feature => ['rand_security'],

+ },

);

my $extra_modules = _get_extension_requirements('OPTIONAL_MODULES');

--- a/Bugzilla/Util.pm 2010-04-02 23:34:46 +0000

+++ b/Bugzilla/Util.pm 2011-01-24 21:48:17 +0000

@@ -551,9 +551,56 @@

return $crypted_password;

}

+# If you want to understand the security of strings generated by this

+# function, here's a quick formula that will help you estimate:

+# We pick from 62 characters, which is close to 64, which is 2^6.

+# So 8 characters is (2^6)^8 == 2^48 combinations. Just multiply 6

+# by the number of characters you generate, and that gets you the equivalent

+# strength of the string in bits.

sub generate_random_password {

my $size = shift || 10; # default to 10 chars if nothing specified

- return join("", map{ ('0'..'9','a'..'z','A'..'Z')[rand 62] } (1..$size));

+ my $rand;

+ if (Bugzilla->feature('rand_security')) {

+ $rand = \&Math::Random::Secure::irand;

+ }

+ else {

+ # For details on why this block works the way it does, see bug 619594.

+ # (Note that we don't do this if Math::Random::Secure is installed,

+ # because we don't need to.)

+ my $counter = 0;

+ $rand = sub {

+ # If we regenerate the seed every 5 characters, our seed is roughly

+ # as strong (in terms of bit size) as our randomly-generated

+ # string itself.

+ _do_srand() if ($counter % 5) == 0;

+ $counter++;

+ return int(rand $_[0]);

+ };

+ }

+ return join("", map{ ('0'..'9','a'..'z','A'..'Z')[$rand->(62)] }

+ (1..$size));

100

101

+sub _do_srand {

102

+ # On Windows, calling srand over and over in the same process produces

103

+ # very bad results. We need a stronger seed.

104

+ if (ON_WINDOWS) {

105

+ require Win32;

106

+ # GuidGen generates random data via Windows's CryptGenRandom

107

+ # interface, which is documented as being cryptographically secure.

108

+ my $guid = Win32::GuidGen();

109

+ # GUIDs look like:

110

+ # {09531CF1-D0C7-4860-840C-1C8C8735E2AD}

111

+ $guid =~ s/[-{}]+//g;

112

+ # Get a 32-bit integer using the first eight hex digits.

113

+ my $seed = hex(substr($guid, 0, 8));

114

+ srand($seed);

115

+ return;

116

+ }

117

118

+ # On *nix-like platforms, this uses /dev/urandom, so the seed changes

119

+ # enough on every invocation.

120

+ srand();

121

}

122

123

sub validate_email_syntax {

124

125

--- a/mod_perl.pl 2010-02-01 21:39:54 +0000

126

+++ b/mod_perl.pl 2011-01-24 21:48:17 +0000

127

@@ -46,6 +46,9 @@

128

use Bugzilla::Template ();

129

use Bugzilla::Util ();

130

131

+# For PerlChildInitHandler

132

+eval { require Math::Random::Secure };

133

134

my ($sizelimit, $maxrequests) = ('', '');

135

if (Bugzilla::Constants::ON_WINDOWS) {

136

$maxrequests = "MaxRequestsPerChild 25";

137

@@ -64,8 +67,14 @@

138

my $server = Apache2::ServerUtil->server;

139

my $conf = <<EOT;

140

$maxrequests

141

-# Make sure each httpd child receives a different random seed (bug 476622)

142

-PerlChildInitHandler "sub { srand(); }"

143

+# Make sure each httpd child receives a different random seed (bug 476622).

144

+# Math::Random::Secure has one srand that needs to be called for

145

+# every process, and Perl has another. (Various Perl modules still use

146

+# the built-in rand(), even though we only use Math::Random::Secure in

147

+# Bugzilla itself, so we need to srand() both of them.) However,

148

+# Math::Random::Secure may not be installed, so we call its srand in an

149

+# eval.

150

+PerlChildInitHandler "sub { eval { Math::Random::Secure::srand() }; srand(); }"

151

152

AddHandler perl-script .cgi

153

# No need to PerlModule these because they're already defined in mod_perl.pl

154

155

--- a/template/en/default/setup/strings.txt.pl 2010-10-26 21:08:21 +0000

156

+++ b/template/en/default/setup/strings.txt.pl 2011-01-24 21:48:17 +0000

157

@@ -62,6 +62,7 @@

158

feature_mod_perl => 'mod_perl',

159

feature_moving => 'Move Bugs Between Installations',

160

feature_patch_viewer => 'Patch Viewer',

161

+ feature_rand_security => 'Improve cookie and token security',

162

feature_smtp_auth => 'SMTP Authentication',

163

feature_updates => 'Automatic Update Notifications',

164

feature_xmlrpc => 'XML-RPC Interface',

165

Older »