GLSA-200709-18 : Bugzilla: Multiple vulnerabilities

This script is Copyright (C) 2007-2015 Tenable Network Security, Inc.

Synopsis :

The remote Gentoo host is missing one or more security-related

Description :

The remote host is affected by the vulnerability described in GLSA-200709-18
(Bugzilla: Multiple vulnerabilities)

Masahiro Yamada found that, starting with version 2.17.1, Bugzilla does
not properly sanitize the content of the 'buildid' parameter when filing
bugs (CVE-2007-4543). The next two vulnerabilities only affect Bugzilla
2.23.3 or later, so the stable Gentoo Portage tree does not contain
them: Loic Minier reported that the 'Email::Send::Sendmail()' function
does not properly sanitize 'from' email information before passing it to
the '-f' parameter of /usr/sbin/sendmail (CVE-2007-4538), and Frederic
Buclin discovered that the XML-RPC interface does not correctly check
permissions in the time-tracking fields (CVE-2007-4539).

Impact :

A remote attacker could trigger the 'buildid' vulnerability by sending
a specially crafted form to Bugzilla, leading to a persistent XSS that
allows theft of credentials. With Bugzilla 2.23.3 or later, an
attacker could also execute arbitrary code with the permissions of the
web server by injecting a specially crafted 'from' email address, and
could gain access to normally restricted time-tracking information
through the XML-RPC service.

Workaround :

There is no known workaround at this time.

Solution :

All Bugzilla users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose www-apps/bugzilla

Risk factor :

Medium / CVSS Base Score : 5.0

Family: Gentoo Local Security Checks

Nessus Plugin ID: 26216 (gentoo_GLSA-200709-18.nasl)

CVE ID: CVE-2007-4538