From 902b7144cf3fde7d325e44616e76540cdb5960b3 Mon Sep 17 00:00:00 2001 From: Itamar Reis Peixoto Date: Apr 06 2009 23:27:25 +0000 Subject: 3.2.3 fix CVE-2009-1213 --- diff --git a/.cvsignore b/.cvsignore index f09f584..6399c1b 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -bugzilla-3.2.2.tar.gz +bugzilla-3.2.3.tar.gz diff --git a/bugzilla.spec b/bugzilla.spec index 8789999..1097a21 100644 --- a/bugzilla.spec +++ b/bugzilla.spec @@ -4,16 +4,15 @@ Summary: Bug tracking system URL: http://www.bugzilla.org/ Name: bugzilla -Version: 3.2.2 +Version: 3.2.3 Group: Applications/Publishing -Release: 2%{?dist} +Release: 1%{?dist} License: MPLv1.1 Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz Source1: bugzilla-httpd-conf Source2: README.fedora.bugzilla Patch0: bugzilla-rw-paths.patch -Patch1: maxpacket-mysql-3.2.patch -# patch1 from https://bugzilla.mozilla.org/show_bug.cgi?id=480001 + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch Requires: webserver, patchutils, mod_perl, perl(SOAP::Lite), which @@ -42,7 +41,6 @@ Contributed scripts and functions for Bugzilla %prep %setup -q -n %{name}-%{version} %patch0 -p1 -%patch1 -p0 # Filter unwanted Requires found by /usr/lib/rpm/perldeps.pl: # create a wrapper script which runs the original perl_requires @@ -101,9 +99,9 @@ install -m 0644 -D -p %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/httpd/conf.d/b rm -rf ${RPM_BUILD_ROOT} %post -pushd %{bzinstallprefix}/bugzilla > /dev/null +(pushd %{bzinstallprefix}/bugzilla > /dev/null ./checksetup.pl > /dev/null -popd > /dev/null +popd > /dev/null) %files %defattr(-,root,root,-) @@ -145,6 +143,9 @@ popd > /dev/null %{bzinstallprefix}/bugzilla/contrib %changelog +* Mon Apr 06 2009 Itamar Reis Peixoto 3.2.3-1 +- fix CVE-2009-1213 + * Thu Mar 05 2009 Itamar Reis Peixoto 3.2.2-2 - fix from BZ #474250 Comment #16, from Chris Eveleigh --> - add python BR for contrib subpackage diff --git a/import.log b/import.log index db3ebd1..33c53e3 100644 --- a/import.log +++ b/import.log @@ -1,2 +1,3 @@ bugzilla-3_0_8-1_fc11:F-9:bugzilla-3.0.8-1.fc11.src.rpm:1235878378 bugzilla-3_2_2-2_fc10:F-9:bugzilla-3.2.2-2.fc10.src.rpm:1236266726 +bugzilla-3_2_3-1_fc11:F-9:bugzilla-3.2.3-1.fc11.src.rpm:1239060269 diff --git a/maxpacket-mysql-3.2.patch b/maxpacket-mysql-3.2.patch deleted file mode 100644 index bf57151..0000000 --- a/maxpacket-mysql-3.2.patch +++ /dev/null @@ -1,198 +0,0 @@ -Index: Bugzilla/Config/Attachment.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Attachment.pm,v -retrieving revision 1.3.4.2 -diff -u -r1.3.4.2 Attachment.pm ---- Bugzilla/Config/Attachment.pm 2 Feb 2009 19:12:15 -0000 1.3.4.2 -+++ Bugzilla/Config/Attachment.pm 1 Mar 2009 23:56:15 -0000 -@@ -74,7 +74,7 @@ - name => 'maxattachmentsize', - type => 't', - default => '1000', -- checker => \&check_numeric -+ checker => \&check_maxattachmentsize - }, - - # The maximum size (in bytes) for patches and non-patch attachments. -Index: Bugzilla/Config/Common.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Common.pm,v -retrieving revision 1.21 -diff -u -r1.21 Common.pm ---- Bugzilla/Config/Common.pm 27 Mar 2008 00:23:41 -0000 1.21 -+++ Bugzilla/Config/Common.pm 1 Mar 2009 23:56:15 -0000 -@@ -50,7 +50,8 @@ - check_opsys check_shadowdb check_urlbase check_webdotbase - check_netmask check_user_verify_class check_image_converter - check_mail_delivery_method check_notification check_timezone check_utf8 -- check_bug_status check_smtp_auth -+ check_bug_status check_smtp_auth -+ check_maxattachmentsize - ); - - # Checking functions for the various values -@@ -320,6 +321,24 @@ - return ""; - } - -+sub check_maxattachmentsize { -+ my $check = check_numeric(@_); -+ return $check if $check; -+ my $size = shift; -+ my $dbh = Bugzilla->dbh; -+ if ($dbh->isa('Bugzilla::DB::Mysql')) { -+ my (undef, $max_packet) = $dbh->selectrow_array( -+ q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); -+ my $byte_size = $size * 1024; -+ if ($max_packet < $byte_size) { -+ return "You asked for a maxattachmentsize of $byte_size bytes," -+ . " but the max_allowed_packet setting in MySQL currently" -+ . " only allows packets up to $max_packet bytes"; -+ } -+ } -+ return ""; -+} -+ - sub check_notification { - my $option = shift; - my @current_version = -Index: Bugzilla/DB/Mysql.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/DB/Mysql.pm,v -retrieving revision 1.60.2.7 -diff -u -r1.60.2.7 Mysql.pm ---- Bugzilla/DB/Mysql.pm 7 Nov 2008 00:10:15 -0000 1.60.2.7 -+++ Bugzilla/DB/Mysql.pm 1 Mar 2009 23:56:15 -0000 -@@ -44,6 +44,7 @@ - use strict; - - use Bugzilla::Constants; -+use Bugzilla::Install::Util qw(install_string); - use Bugzilla::Util; - use Bugzilla::Error; - use Bugzilla::DB::Schema::Mysql; -@@ -97,20 +98,9 @@ - } - } - -- # The "comments" field of the bugs_fulltext table could easily exceed -- # MySQL's default max_allowed_packet. Also, MySQL should never have -- # a max_allowed_packet smaller than our max_attachment_size. However, -- # if we've already set a max_allowed_packet in MySQL bigger than all -- # of those, we should keep it. -- my (undef, $current_max_allowed) = $self->selectrow_array( -- q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); -- my $min_max_allowed_packet = MAX_COMMENTS * MAX_COMMENT_LENGTH; -- my $max_allowed_packet = max($min_max_allowed_packet, -- $current_max_allowed, -- # This parameter is not yet defined when the DB -- # is being built for the very first time. -- Bugzilla->params->{'maxattachmentsize'} || 0); -- $self->do("SET SESSION max_allowed_packet = $max_allowed_packet"); -+ # Allow large GROUP_CONCATs (largely for inserting comments -+ # into bugs_fulltext). -+ $self->do('SET SESSION group_concat_max_len = 128000000'); - - return $self; - } -@@ -244,6 +234,24 @@ - sub bz_setup_database { - my ($self) = @_; - -+ # The "comments" field of the bugs_fulltext table could easily exceed -+ # MySQL's default max_allowed_packet. Also, MySQL should never have -+ # a max_allowed_packet smaller than our max_attachment_size. So, we -+ # warn the user here if max_allowed_packet is too small. -+ my $min_max_allowed = MAX_COMMENTS * MAX_COMMENT_LENGTH; -+ my (undef, $current_max_allowed) = $self->selectrow_array( -+ q{SHOW VARIABLES LIKE 'max\_allowed\_packet'}); -+ # This parameter is not yet defined when the DB is being built for -+ # the very first time. The code below still works properly, however, -+ # because the default maxattachmentsize is smaller than $min_max_allowed. -+ my $max_attachment = (Bugzilla->params->{'maxattachmentsize'} || 0) * 1024; -+ my $needed_max_allowed = max($min_max_allowed, $max_attachment); -+ if ($current_max_allowed < $needed_max_allowed) { -+ warn install_string('max_allowed_packet', -+ { current => $current_max_allowed, -+ needed => $needed_max_allowed }) . "\n"; -+ } -+ - # Make sure the installation has InnoDB turned on, or we're going to be - # doing silly things like making foreign keys on MyISAM tables, which is - # hard to fix later. We do this up here because none of the code below -Index: Bugzilla/Install/DB.pm -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/DB.pm,v -retrieving revision 1.51.2.2 -diff -u -r1.51.2.2 DB.pm ---- Bugzilla/Install/DB.pm 27 Aug 2008 15:22:10 -0000 1.51.2.2 -+++ Bugzilla/Install/DB.pm 1 Mar 2009 23:56:15 -0000 -@@ -3009,11 +3009,6 @@ - if (UNIVERSAL::can($dbh, 'sql_group_concat')) { - print "Populating bugs_fulltext..."; - print " (this can take a long time.)\n"; -- # XXX This hack should probably be moved elsewhere. -- if ($dbh->isa('Bugzilla::DB::Mysql')) { -- $dbh->do('SET SESSION group_concat_max_len = 128000000'); -- $dbh->do('SET SESSION max_allowed_packet = 128000000'); -- } - $dbh->do( - q{INSERT INTO bugs_fulltext (bug_id, short_desc, comments, - comments_noprivate) -Index: docs/en/xml/installation.xml -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/docs/en/xml/installation.xml,v -retrieving revision 1.157.2.6 -diff -u -r1.157.2.6 installation.xml ---- docs/en/xml/installation.xml 8 Jan 2009 23:44:22 -0000 1.157.2.6 -+++ docs/en/xml/installation.xml 1 Mar 2009 23:56:15 -0000 -@@ -778,6 +778,28 @@ - improving your installation's security. - - -+ -+
-+ Allow large attachments and many comments -+ -+ By default, MySQL will only allow you to insert things -+ into the database that are smaller than 64KB. Attachments -+ may be larger than this. Also, Bugzilla combines all comments -+ on a single bug into one field for full-text searching, and the -+ combination of all comments on a single bug are very likely to -+ be larger than 64KB. -+ -+ To change MySQL's default, you need to edit your MySQL -+ configuration file, which is usually /etc/my.cnf -+ on Linux. We recommend that you allow at least 4MB packets by -+ adding the "max_allowed_packet" parameter to your MySQL -+ configuration in the "[mysqld]" section, like this: -+ -+ [mysqld] -+# Allow packets up to 4MB -+max_allowed_packet=4M -+ -+
- -
- Allow small words in full-text indexes -Index: template/en/default/setup/strings.txt.pl -=================================================================== -RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/setup/strings.txt.pl,v -retrieving revision 1.8 -diff -u -r1.8 strings.txt.pl ---- template/en/default/setup/strings.txt.pl 28 Jan 2008 00:54:59 -0000 1.8 -+++ template/en/default/setup/strings.txt.pl 1 Mar 2009 23:56:15 -0000 -@@ -52,6 +52,12 @@ - - EOT - install_module => 'Installing ##module## version ##version##...', -+ max_allowed_packet => < "found v##ver##", - module_not_found => "not found", - module_ok => 'ok', - diff --git a/sources b/sources index 56c909f..afc4623 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -ad9eca21b6bafdd7a9a34e4c1b55281e bugzilla-3.2.2.tar.gz +fcc8f64fec821e76718fbda13e232b59 bugzilla-3.2.3.tar.gz