4.4.13, 5.0.4, and 5.0.6 Security Advisory

Tuesday, Sep 3rd, 2024
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* A malicious user could create an account on a third-party
  authentication service, such as GitHub, that allows non-ASCII
  Unicode characters in email addresses, and use it to log into the
  Bugzilla account whose email address contains the lookalike ASCII
  characters.

* Debugging code allowed XSS injection within the bug title
  when viewing charts and reports if a specific URL param was
  passed to enable the debugging code.

* Inserting specific multi-byte Unicode characters into bug
  comments could cause email notifications about bug changes
  to fail.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Authentication Bypass
Affected:    Versions 3.3.1 to 4.4.13, 4.5.1 to 5.0.4, 5.0.5 to 5.0.6,
             5.1.1 to 5.1.2, 5.3.2, git checkouts of "harmony" prior to
             5.9.1
Fixed In:    4.4.14, 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: When external authentication is delegated to a third-party
             service (such as GitHub) that allows non-ASCII Unicode
             characters in email addresses, Bugzilla's email address
             match, when using MySQL as the back end, would normalize
             the email into ASCII before comparing it. Someone could
             therefore take over a Bugzilla account by creating a user
             on such a third-party service with an email address that
             matches the victim's address after that normalization.
             We are not aware of any known exploits for versions prior
             to the "harmony" developer branch, which has not yet been
             released, because prior to that branch there were no known
             plugins for third-party authentication in Bugzilla. The
             earlier supported versions are nevertheless being patched
             in case someone has written their own authentication
             plugin that might be affected.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1813629
CVE Number:  CVE-2023-4657
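The following Python is an added illustration of the matching flaw described above; it is not Bugzilla's code (Bugzilla is written in Perl) and the folding rule, user table and email addresses are constructed for the example. The flawed lookup folds both sides to ASCII before comparing, so an address the attacker registers at the identity provider with an accented or fullwidth letter lands on the victim's plain-ASCII login. The fixed lookup compares the NFC form exactly and lowercases only an all-ASCII domain part, so no lossy mapping can make two visibly different addresses equal.

```python
import unicodedata

# Constructed stand-in for the local account table (example data, not
# from the advisory); the victim's login is plain ASCII.
USERS = {"admin@example.org": {"userid": 1, "login_name": "admin@example.org"}}


def fold_to_ascii(s: str) -> str:
    """Lossy folding assumed for illustration: compatibility decomposition
    (NFKD), drop combining marks, lowercase. Both 'ádmin' and the fullwidth
    'ａｄｍｉｎ' become 'admin'. This mimics the accent-insensitive match the
    advisory describes; it is not how Bugzilla itself is implemented."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def lookup_vulnerable(external_email: str):
    """Flawed match: compare after folding. An attacker-controlled
    'ádmin@example.org' asserted by the identity provider resolves to
    userid 1, the victim's account."""
    wanted = fold_to_ascii(external_email)
    for login, user in USERS.items():
        if fold_to_ascii(login) == wanted:
            return user
    return None


def canonical(email: str) -> str:
    """Safe canonical form: NFC only (no compatibility mapping, so nothing
    is folded to a different script), and the domain is lowercased only
    when it is pure ASCII. Plain .lower() on non-ASCII text is itself lossy
    (e.g. KELVIN SIGN U+212A lowercases to ASCII 'k'), so it is avoided."""
    local, sep, domain = unicodedata.normalize("NFC", email).rpartition("@")
    if domain.isascii():
        domain = domain.lower()
    return local + sep + domain


def lookup_fixed(external_email: str):
    """Exact comparison of canonical forms: a lookalike in either part of
    the address no longer matches an existing login."""
    wanted = canonical(external_email)
    for login, user in USERS.items():
        if canonical(login) == wanted:
            return user
    return None


if __name__ == "__main__":
    for probe in ("admin@example.org", "ádmin@example.org", "ａｄｍｉｎ@example.org"):
        print(repr(probe), "vulnerable:", lookup_vulnerable(probe),
              "fixed:", lookup_fixed(probe))
```

Running the script shows the accented and fullwidth probes resolving to userid 1 through the flawed lookup and to nothing through the fixed one, while the genuine address still resolves in both. The same check is worth applying to any local code that maps an identity provider's email claim onto an existing account: the comparison must be exact, and any case-insensitivity must be limited to the ASCII domain part.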


Class:       Cross-site Scripting (XSS)
Affected:    All versions before 4.4.14, 4.5.1 to 5.0.4, 5.0.5 to 5.0.6,
             5.1.1 to 5.1.2, 5.3.2, git checkouts of "harmony" prior to
             5.9.1
Fixed In:    4.4.14, 5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: Debugging code allowed XSS injection via the bug title when
             viewing charts and reports, if a specific URL parameter was
             passed to enable the debugging code.
             Passing the debug flag now forces an HTML content type
             regardless of the requested type, and the debug output is
             properly filtered.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1439260
CVE Number:  CVE-2023-5206
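The following Python is an added model of the chart/report debug output and of the two parts of the fix described above; it is not Bugzilla's code, and the page layout, function names and the hostile bug title are constructed for the example. In the flawed version the debug fragment is HTML glued onto whatever response was requested, with the title echoed raw; in the fixed version enabling debug forces text/html so that the HTML escaping is the right escaping for the response, and the title is escaped before it is emitted.

```python
import html

# Constructed input (not a real bug): a title carrying a script payload.
HOSTILE_TITLE = "Crash on startup <script>alert(document.cookie)</script>"


def debug_block(title: str, escaped: bool) -> str:
    """HTML debug fragment that displays the report's bug title."""
    shown = html.escape(title, quote=True) if escaped else title
    return '<pre class="debug">title=' + shown + "</pre>"


def render_report_vulnerable(title: str, requested_ctype: str, debug: bool):
    """Model of the flaw: the debug fragment is appended unfiltered and the
    response keeps whatever content type the URL asked for. Returns
    (content_type, body)."""
    body = "(report content)"
    if debug:
        body += debug_block(title, escaped=False)
    return requested_ctype, body


def render_report_fixed(title: str, requested_ctype: str, debug: bool):
    """Model of the fix: debug output forces text/html regardless of the
    requested type, and the title is HTML-escaped before it is emitted."""
    ctype = "text/html" if debug else requested_ctype
    body = "(report content)"
    if debug:
        body += debug_block(title, escaped=True)
    return ctype, body


def contains_raw_script(body: str) -> bool:
    """Detection helper for the example: is an unescaped <script> tag present?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    for render in (render_report_vulnerable, render_report_fixed):
        ctype, body = render(HOSTILE_TITLE, "text/csv", debug=True)
        print(render.__name__, ctype, "raw script:", contains_raw_script(body))
```

Forcing the content type matters because escaping is only correct relative to the format the browser will parse: an HTML debug fragment appended to a response served under another type is escaped, if at all, for the wrong format. The fix pins the type and the filter together.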


Class:       Denial of Service
Affected:    Versions 5.0.2 to 5.0.4, 5.0.5 to 5.0.6, 5.1.2, 5.3.2,
             git checkouts of "harmony" prior to 5.9.1
Fixed In:    5.0.4.1, 5.2, 5.3.3, 5.9.1
Description: Inserting specific multi-byte Unicode characters into bug
             comments could cause email notifications about bug changes
             to fail.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1880288


Vulnerability Solutions
=======================

The fixes for these issues are included in the 4.4.14, 5.0.4.1, 5.2, 5.3.3,
and 5.9.1 releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the security
vulnerabilities, patches for each issue are available at the
"References" URLs above.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and git upgrade instructions are available at:

  https://www.bugzilla.org/download/


A Note About Upgrade Paths
==========================

Bugzilla Versions within the 5.0.x range:
* Versions 5.0.4 and older should upgrade to 5.0.4.1
* Versions 5.0.5 and 5.0.6 should upgrade to 5.2 (which is equivalent to a
  point upgrade for you).

Other versions of Bugzilla should upgrade to the newest version within
the same branch.


Credits
=======

The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix these
issues:


Issue 1 Reporter: Aaryan9898
Issue 1 Fixed by: David Lawrence, David Miller


Issue 2 Reporter: Holger Fuhrmannek
Issue 2 Fixed by: David Miller


Issue 3 Reporter: Frédéric Buclin
Issue 3 Fixed by: Frédéric Buclin, David Miller

General information about the Bugzilla bug-tracking system can be found
at:

  https://www.bugzilla.org/

Comments and follow-ups can be directed to the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing this forum.