CVE-2012-0466

Conflicts:
	.gitignore
	bugzilla-rw-paths.patch
	bugzilla.spec
	sources

.cvsignore

@@ -1 +0,0 @@
-bugzilla-3.2.3.tar.gz

.gitignore

@@ -0,0 +1,2 @@
+bugzilla-3.2.6.tar.gz
+/bugzilla-3.2.10.tar.gz

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: bugzilla
-# $Id$
-NAME := bugzilla
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

README.fedora.bugzilla

@@ -20,6 +20,6 @@ put in place after configuration is done.  The first is a daily cron job for
 statistics collection.  This is in the file "cron.daily" and can be enabled by
 simply copying this file to /etc/cron.daily/bugzilla (or any other file name
 in the /etc/cron.daily/ directory).  The second is the "whine" cron job,
-designed to run every 15 minutes.  To enable this job, simply coopy the
+designed to run every 15 minutes.  To enable this job, simply copy the
 cron.whine file to /etc/cron.d/bugzilla (or any othe filename within the
 /etc/cron.d/ directory).

bugzilla-3.2.10-CVE-2011-2379.patch

@@ -0,0 +1,240 @@
+=== modified file 'Bugzilla/Attachment/PatchReader.pm'
+--- Bugzilla/Attachment/PatchReader.pm	2008-06-29 22:35:28 +0000
++++ Bugzilla/Attachment/PatchReader.pm	2011-07-07 06:04:15 +0000
+@@ -37,6 +37,7 @@
+         $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
+         # Actually print out the patch.
+         print $cgi->header(-type => 'text/plain',
++                           -x_content_type_options => "nosniff",
+                            -expires => '+3M');
+         disable_utf8();
+         $reader->iterate_string('Attachment ' . $attachment->id, $attachment->data);
+@@ -118,6 +119,7 @@
+         $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
+         # Actually print out the patch.
+         print $cgi->header(-type => 'text/plain',
++                           -x_content_type_options => "nosniff",
+                            -expires => '+3M');
+         disable_utf8();
+     }
+
+=== modified file 'attachment.cgi'
+--- attachment.cgi	2009-09-30 08:53:25 +0000
++++ attachment.cgi	2011-07-21 06:21:26 +0000
+@@ -71,10 +71,13 @@
+ 
+ # Determine whether to use the action specified by the user or the default.
+ my $action = $cgi->param('action') || 'view';
++my $format = $cgi->param('format') || '';
+ 
+ # You must use the appropriate urlbase/sslbase param when doing anything
+-# but viewing an attachment.
+-if ($action ne 'view') {
++# but viewing an attachment, or a raw diff.
++if ($action ne 'view'
++    && (($action !~ /^(?:interdiff|diff)$/) || $format ne 'raw'))
++{
+     my $urlbase = Bugzilla->params->{'urlbase'};
+     my $sslbase = Bugzilla->params->{'sslbase'};
+     my $path_regexp = $sslbase ? qr/^(\Q$urlbase\E|\Q$sslbase\E)/ : qr/^\Q$urlbase\E/;
+@@ -172,7 +175,8 @@
+     # non-natural, so use the original value from $cgi in our exception
+     # message here.
+     detaint_natural($attach_id)
+-     || ThrowUserError("invalid_attach_id", { attach_id => $cgi->param($param) });
++      || ThrowUserError("invalid_attach_id",
++                        { attach_id => scalar $cgi->param($param) });
+   
+     # Make sure the attachment exists in the database.
+     my $attachment = Bugzilla::Attachment->get($attach_id)
+@@ -249,53 +253,71 @@
+                         { bug_id => $bugid });
+ }
+ 
+-################################################################################
+-# Functions
+-################################################################################
++# Gets the attachment object(s) generated by validateID, while ensuring
++# attachbase and token authentication is used when required.
++sub get_attachment {
++    my @field_names = @_ ? @_ : qw(id);
+ 
+-# Display an attachment.
+-sub view {
+-    my $attachment;
++    my %attachments;
+ 
+     if (use_attachbase()) {
+-        $attachment = validateID(undef, 1);
+-        # Replace %bugid% by the ID of the bug the attachment belongs to, if present.
++        # Load each attachment, and ensure they are all from the same bug
++        my $bug_id = 0;
++        foreach my $field_name (@field_names) {
++            my $attachment = validateID($field_name, 1);
++            if (!$bug_id) {
++                $bug_id = $attachment->bug_id;
++            } elsif ($attachment->bug_id != $bug_id) {
++                ThrowUserError('attachment_bug_id_mismatch');
++            }
++            $attachments{$field_name} = $attachment;
++        }
+         my $attachbase = Bugzilla->params->{'attachment_base'};
+-        my $bug_id = $attachment->bug_id;
+         $attachbase =~ s/%bugid%/$bug_id/;
+-        my $path = 'attachment.cgi?id=' . $attachment->id;
+-        # The user is allowed to override the content type of the attachment.
+-        if (defined $cgi->param('content_type')) {
+-            $path .= '&content_type=' . url_quote($cgi->param('content_type'));
+-        }
++        my @args = map { $_ . '=' . $attachments{$_}->id } @field_names;
++        my $cgi_params = $cgi->canonicalise_query(@field_names, 't',
++            'Bugzilla_login', 'Bugzilla_password');
++        push(@args, $cgi_params) if $cgi_params;
++        my $path = 'attachment.cgi?' . join('&', @args);
+ 
+         # Make sure the attachment is served from the correct server.
+         if ($cgi->self_url !~ /^\Q$attachbase\E/) {
+             # We couldn't call Bugzilla->login earlier as we first had to make sure
+             # we were not going to request credentials on the alternate host.
+             Bugzilla->login();
+-            if (attachmentIsPublic($attachment)) {
++            if (all_attachments_are_public(\%attachments)) {
+                 # No need for a token; redirect to attachment base.
+                 print $cgi->redirect(-location => $attachbase . $path);
+                 exit;
+             } else {
+                 # Make sure the user can view the attachment.
+-                check_can_access($attachment);
++                foreach my $field_name (@field_names) {
++                    check_can_access($attachments{$field_name});
++                }
+                 # Create a token and redirect.
+-                my $token = url_quote(issue_session_token($attachment->id));
++                my $token = url_quote(issue_session_token(pack_token_data(\%attachments)));
+                 print $cgi->redirect(-location => $attachbase . "$path&t=$token");
+                 exit;
+             }
+         } else {
+             # No need to validate the token for public attachments. We cannot request
+             # credentials as we are on the alternate host.
+-            if (!attachmentIsPublic($attachment)) {
++            if (!all_attachments_are_public(\%attachments)) {
+                 my $token = $cgi->param('t');
+-                my ($userid, undef, $token_attach_id) = Bugzilla::Token::GetTokenData($token);
+-                unless ($userid
+-                        && detaint_natural($token_attach_id)
+-                        && ($token_attach_id == $attachment->id))
+-                {
++                my ($userid, undef, $token_data) = Bugzilla::Token::GetTokenData($token);
++                my %token_data = unpack_token_data($token_data);
++                my $valid_token = 1;
++                foreach my $field_name (@field_names) {
++                    my $token_id = $token_data{$field_name};
++                    if (!$token_id
++                        || !detaint_natural($token_id)
++                        || $attachments{$field_name}->id != $token_id)
++                    {
++                        $valid_token = 0;
++                        last;
++                    }
++                }
++                unless ($userid && $valid_token) {
+                     # Not a valid token.
+                     print $cgi->redirect('-location' => correct_urlbase() . $path);
+                     exit;
+@@ -309,8 +331,48 @@
+     } else {
+         # No alternate host is used. Request credentials if required.
+         Bugzilla->login();
+-        $attachment = validateID();
+-    }
++        foreach my $field_name (@field_names) {
++            $attachments{$field_name} = validateID($field_name);
++        }
++    }
++
++    return wantarray
++        ? map { $attachments{$_} } @field_names
++        : $attachments{$field_names[0]};
++}
++
++sub all_attachments_are_public {
++    my $attachments = shift;
++    foreach my $field_name (keys %$attachments) {
++        if (!attachmentIsPublic($attachments->{$field_name})) {
++            return 0;
++        }
++    }
++    return 1;
++}
++
++sub pack_token_data {
++    my $attachments = shift;
++    return join(' ', map { $_ . '=' . $attachments->{$_}->id } keys %$attachments);
++}
++
++sub unpack_token_data {
++    my @token_data = split(/ /, shift || '');
++    my %data;
++    foreach my $token (@token_data) {
++        my ($field_name, $attach_id) = split('=', $token);
++        $data{$field_name} = $attach_id;
++    }
++    return %data;
++}
++
++################################################################################
++# Functions
++################################################################################
++
++# Display an attachment.
++sub view {
++    my $attachment = get_attachment();
+ 
+     # At this point, Bugzilla->login has been called if it had to.
+     my $contenttype = $attachment->contenttype;
+@@ -345,9 +407,14 @@
+ 
+ sub interdiff {
+     # Retrieve and validate parameters
+-    my $old_attachment = validateID('oldid');
+-    my $new_attachment = validateID('newid');
+     my $format = validateFormat('html', 'raw');
++    my($old_attachment, $new_attachment);
++    if ($format eq 'raw') {
++        ($old_attachment, $new_attachment) = get_attachment('oldid', 'newid');
++    } else {
++        $old_attachment = validateID('oldid');
++        $new_attachment = validateID('newid');
++    }
+     my $context = validateContext();
+ 
+     Bugzilla::Attachment::PatchReader::process_interdiff(
+@@ -356,8 +423,8 @@
+ 
+ sub diff {
+     # Retrieve and validate parameters
+-    my $attachment = validateID();
+     my $format = validateFormat('html', 'raw');
++    my $attachment = $format eq 'raw' ? get_attachment() : validateID();
+     my $context = validateContext();
+ 
+     # If it is not a patch, view normally.
+
+=== modified file 'contrib/fixperms.pl' (properties changed: -x to +x)
+=== modified file 'template/en/default/global/user-error.html.tmpl'
+--- template/en/default/global/user-error.html.tmpl	2010-11-02 23:12:13 +0000
++++ template/en/default/global/user-error.html.tmpl	2011-07-07 06:04:15 +0000
+@@ -102,6 +102,11 @@
+     [% terms.Bug %] aliases cannot be longer than 20 characters.
+     Please choose a shorter alias.
+ 
++  [% ELSIF error == "attachment_bug_id_mismatch" %]
++    [% title = "Invalid Attachments" %]
++    You tried to perform an action on attachments from different [% terms.bugs %].
++    This operation requires all attachments to be from the same [% terms.bug %].
++
+   [% ELSIF error == "auth_cant_create_account" %]
+     [% title = "Can't create accounts" %]
+     This site is using an authentication scheme which does not permit
+

bugzilla-3.2.10-CVE-2011-2380.patch

@@ -0,0 +1,28 @@
+=== modified file 'Bugzilla/Bug.pm'
+--- Bugzilla/Bug.pm	2010-10-28 15:27:58 +0000
++++ Bugzilla/Bug.pm	2011-08-01 21:28:07 +0000
+@@ -1403,7 +1403,7 @@
+             || ThrowUserError("invalid_group_ID");
+ 
+         # This can only happen if somebody hacked the enter_bug form.
+-        ThrowCodeError("inactive_group", { name => $group->name })
++        ThrowCodeError("inactive_group", { group_id => $id })
+             unless $group->is_active;
+ 
+         my $membercontrol = $controls->{$id}
+
+=== modified file 'template/en/default/global/code-error.html.tmpl'
+--- template/en/default/global/code-error.html.tmpl	2010-12-30 16:50:29 +0000
++++ template/en/default/global/code-error.html.tmpl	2011-08-01 21:29:11 +0000
+@@ -217,8 +217,8 @@
+     A legal [% field FILTER html %] was not set.
+ 
+   [% ELSIF error == "inactive_group" %]
+-    Attempted to add [% terms.bug %] to the '[% name FILTER html %]'
+-    group, which is not used for [% terms.bugs %].
++    Attempted to add [% terms.abug %] to group ID [% group_id FILTER html %],
++    which is not used for [% terms.bugs %].
+ 
+   [% ELSIF error == "invalid_attach_id_to_obsolete" %]
+      The attachment number of one of the attachments you wanted to obsolete,
+

bugzilla-3.2.10-CVE-2011-2381.patch

@@ -0,0 +1,27 @@
+=== modified file 'Bugzilla/Template.pm'
+--- Bugzilla/Template.pm	2011-02-14 21:56:52 +0000
++++ Bugzilla/Template.pm	2011-07-06 14:44:21 +0000
+@@ -549,6 +549,9 @@
+             # as prefix. In addition it replaces a ' ' by a '_'.
+             css_class_quote => \&Bugzilla::Util::css_class_quote ,
+ 
++            # Removes control characters and trims extra whitespace.
++            clean_text => \&Bugzilla::Util::clean_text ,
++
+             quoteUrls => [ sub {
+                                my ($context, $bug) = @_;
+                                return sub {
+
+=== modified file 'template/en/default/request/email.txt.tmpl'
+--- template/en/default/request/email.txt.tmpl	2009-09-03 19:05:33 +0000
++++ template/en/default/request/email.txt.tmpl	2011-07-06 14:43:11 +0000
+@@ -50,7 +50,7 @@
+ To: [% to %]
+ Subject: [% flag.type.name %] [%+ subject_status %]: [[% terms.Bug %] [%+ bug.bug_id %]] [% bug.short_desc %]
+ [%- IF attachment %] :
+-  [Attachment [% attachment.id %]] [% attachment.description %][% END %]
++  [Attachment [% attachment.id %]] [% attachment.description FILTER clean_text %][% END %]
+ X-Bugzilla-Type: request
+ [%+ threadingmarker %]
+ 
+

bugzilla-3.2.10-CVE-2011-2976.patch

@@ -0,0 +1,96 @@
+=== modified file 'template/en/default/bug/navigate.html.tmpl'
+--- template/en/default/bug/navigate.html.tmpl	2008-01-28 01:21:11 +0000
++++ template/en/default/bug/navigate.html.tmpl	2011-05-26 19:06:35 +0000
+@@ -44,22 +44,24 @@
+   [% END %]
+ 
+ [% IF this_bug_idx != -1 %]
+-  <a href="show_bug.cgi?id=[% bug_list.first %]">First</a>
+-  <a href="show_bug.cgi?id=[% bug_list.last %]">Last</a>
++  <a href="show_bug.cgi?id=[% bug_list.first FILTER url_quote %]">First</a>
++  <a href="show_bug.cgi?id=[% bug_list.last FILTER url_quote %]">Last</a>
+ [% END %]
+ 
+   [% IF bug.bug_id %]
+     [% IF this_bug_idx != -1 %]
+       [% IF this_bug_idx > 0 %]
+         [% prev_bug = this_bug_idx - 1 %]
+-        <a href="show_bug.cgi?id=[% bug_list.$prev_bug %]">Prev</a>
++        <a href="show_bug.cgi?id=
++                 [%- bug_list.$prev_bug FILTER url_quote %]">Prev</a>
+       [% ELSE %]
+         <i><font color="#777777">Prev</font></i>
+       [% END %]
+ 
+       [% IF this_bug_idx + 1 < bug_list.size %]
+         [% next_bug = this_bug_idx + 1 %]
+-        <a href="show_bug.cgi?id=[% bug_list.$next_bug %]">Next</a>
++        <a href="show_bug.cgi?id=
++                 [%- bug_list.$next_bug FILTER url_quote %]">Next</a>
+       [% ELSE %]
+         <i><font color="#777777">Next</font></i>
+       [% END %]
+
+=== modified file 'template/en/default/filterexceptions.pl'
+--- template/en/default/filterexceptions.pl	2009-10-26 11:31:52 +0000
++++ template/en/default/filterexceptions.pl	2011-05-26 19:15:14 +0000
+@@ -250,10 +250,6 @@
+ ],
+ 
+ 'global/site-navigation.html.tmpl' => [
+-  'bug_list.first', 
+-  'bug_list.$prev_bug', 
+-  'bug_list.$next_bug', 
+-  'bug_list.last', 
+   'bug.bug_id', 
+   'bug.votes', 
+ ],
+@@ -300,13 +296,6 @@
+   '" spellcheck=\"$spellcheck\"" IF spellcheck',
+ ],
+ 
+-'bug/navigate.html.tmpl' => [
+-  'bug_list.first', 
+-  'bug_list.last', 
+-  'bug_list.$prev_bug', 
+-  'bug_list.$next_bug', 
+-],
+-
+ 'bug/show-multiple.html.tmpl' => [
+   'attachment.id', 
+   'flag.status',
+
+=== modified file 'template/en/default/global/site-navigation.html.tmpl'
+--- template/en/default/global/site-navigation.html.tmpl	2008-08-08 06:26:33 +0000
++++ template/en/default/global/site-navigation.html.tmpl	2011-05-26 19:16:12 +0000
+@@ -36,8 +36,10 @@
+   [% IF bug_list && bug_list.size > 0 %]
+     <link rel="Up" href="buglist.cgi?regetlastlist=1">
+ 
+-    <link rel="First" href="show_bug.cgi?id=[% bug_list.first %]">
+-    <link rel="Last" href="show_bug.cgi?id=[% bug_list.last %]">
++    <link rel="First" href="show_bug.cgi?id=
++                            [%- bug_list.first FILTER url_quote %]">
++    <link rel="Last" href="show_bug.cgi?id=
++                           [%- bug_list.last FILTER url_quote %]">
+ 
+     [% IF bug && bug.bug_id %]
+       [% current_bug_idx = lsearch(bug_list, bug.bug_id) %]
+@@ -45,12 +47,14 @@
+ 
+         [% IF current_bug_idx > 0 %]
+           [% prev_bug = current_bug_idx - 1 %]
+-          <link rel="Prev" href="show_bug.cgi?id=[% bug_list.$prev_bug %]">
++          <link rel="Prev" href="show_bug.cgi?id=
++                                 [%- bug_list.$prev_bug FILTER url_quote %]">
+         [% END %]
+ 
+         [% IF current_bug_idx + 1 < bug_list.size %]
+           [% next_bug = current_bug_idx + 1 %]
+-          <link rel="Next" href="show_bug.cgi?id=[% bug_list.$next_bug %]">
++          <link rel="Next" href="show_bug.cgi?id=
++                                 [%- bug_list.$next_bug FILTER url_quote %]">
+         [% END %]
+ 
+       [% END %]
+

bugzilla-3.2.10-CVE-2011-2978.patch

@@ -0,0 +1,13 @@
+=== modified file 'userprefs.cgi'
+--- userprefs.cgi	2009-02-02 19:21:09 +0000
++++ userprefs.cgi	2011-07-22 08:00:33 +0000
+@@ -120,7 +120,7 @@
+         && Bugzilla->params->{"allowemailchange"}
+         && $cgi->param('new_login_name'))
+     {
+-        my $old_login_name = $cgi->param('Bugzilla_login');
++        my $old_login_name = $user->login;
+         my $new_login_name = trim($cgi->param('new_login_name'));
+ 
+         if($old_login_name ne $new_login_name) {
+

bugzilla-3.2.10-CVE-2011-3657.patch

@@ -0,0 +1,29 @@
+=== modified file 'Bugzilla/Chart.pm'
+--- Bugzilla/Chart.pm	2010-07-06 00:42:57 +0000
++++ Bugzilla/Chart.pm	2011-10-27 13:19:40 +0000
+@@ -438,7 +438,7 @@
+     
+     require Data::Dumper;
+     print "<pre>Bugzilla::Chart object:\n";
+-    print Data::Dumper::Dumper($self);
++    print html_quote(Data::Dumper::Dumper($self));
+     print "</pre>";
+ }
+ 
+
+=== modified file 'report.cgi'
+--- report.cgi	2010-12-08 20:14:32 +0000
++++ report.cgi	2011-10-27 14:18:52 +0000
+@@ -293,9 +293,9 @@
+ if ($cgi->param('debug')) {
+     require Data::Dumper;
+     print "<pre>data hash:\n";
+-    print Data::Dumper::Dumper(%data) . "\n\n";
++    print html_quote(Data::Dumper::Dumper(%data)) . "\n\n";
+     print "data array:\n";
+-    print Data::Dumper::Dumper(@image_data) . "\n\n</pre>";
++    print html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n</pre>";
+ }
+ 
+ # All formats point to the same section of the documentation.
+

bugzilla-3.2.10-CVE-2011-3667.patch

@@ -0,0 +1,197 @@
+=== modified file 'Bugzilla/User.pm'
+--- Bugzilla/User.pm	2011-12-08 23:20:02 +0000
++++ Bugzilla/User.pm	2011-12-27 14:59:07 +0000
+@@ -1852,6 +1852,32 @@
+     return 1;
+ }
+ 
++sub check_account_creation_enabled {
++    my $self = shift;
++
++    # If we're using e.g. LDAP for login, then we can't create a new account.
++    $self->authorizer->user_can_create_account
++      || ThrowUserError('auth_cant_create_account');
++
++    Bugzilla->params->{'createemailregexp'}
++      || ThrowUserError('account_creation_disabled');
++}
++
++sub check_and_send_account_creation_confirmation {
++    my ($self, $login) = @_;
++
++    $login = $self->check_login_name_for_creation($login);
++    my $creation_regexp = Bugzilla->params->{'createemailregexp'};
++
++    if ($login !~ /$creation_regexp/i) {
++        ThrowUserError('account_creation_restricted');
++    }
++
++    # Create and send a token for this new account.
++    require Bugzilla::Token;
++    Bugzilla::Token::issue_new_user_account_token($login);
++}
++
+ sub login_to_id {
+     my ($login, $throw_error) = @_;
+     my $dbh = Bugzilla->dbh;
+@@ -2355,6 +2381,17 @@
+ Takes a username as its only argument. Throws an error if there is no
+ user with that username. Returns a C<Bugzilla::User> object.
+ 
++=item C<check_account_creation_enabled>
++
++Checks that users can create new user accounts, and throws an error
++if user creation is disabled.
++
++=item C<check_and_send_account_creation_confirmation($login)>
++
++If the user request for a new account passes validation checks, an email
++is sent to this user for confirmation. Otherwise an error is thrown
++indicating why the request has been rejected.
++
+ =item C<is_available_username>
+ 
+ Returns a boolean indicating whether or not the supplied username is
+
+=== modified file 'Bugzilla/WebService/Constants.pm'
+--- Bugzilla/WebService/Constants.pm	2011-08-04 20:10:54 +0000
++++ Bugzilla/WebService/Constants.pm	2011-12-27 15:00:16 +0000
+@@ -130,6 +130,7 @@
+     # User errors are 500-600.
+     account_exists        => 500,
+     illegal_email_address => 501,
++    auth_cant_create_account    => 501,
+     account_creation_disabled   => 501,
+     account_creation_restricted => 501,
+     password_too_short    => 502,
+
+=== modified file 'Bugzilla/WebService/User.pm'
+--- Bugzilla/WebService/User.pm	2011-02-14 07:42:09 +0000
++++ Bugzilla/WebService/User.pm	2011-12-27 15:04:12 +0000
+@@ -28,7 +28,6 @@
+ use Bugzilla::Error;
+ use Bugzilla::User;
+ use Bugzilla::Util qw(trim);
+-use Bugzilla::Token;
+ 
+ # Don't need auth to login
+ use constant LOGIN_EXEMPT => {
+@@ -91,18 +90,8 @@
+     my $email = trim($params->{email})
+         || ThrowCodeError('param_required', { param => 'email' });
+ 
+-    my $createexp = Bugzilla->params->{'createemailregexp'};
+-    if (!$createexp) {
+-        ThrowUserError("account_creation_disabled");
+-    }
+-    elsif ($email !~ /$createexp/) {
+-        ThrowUserError("account_creation_restricted");
+-    }
+-
+-    $email = Bugzilla::User->check_login_name_for_creation($email);
+-
+-    # Create and send a token for this new account.
+-    Bugzilla::Token::issue_new_user_account_token($email);
++    Bugzilla->user->check_account_creation_enabled;
++    Bugzilla->user->check_and_send_account_creation_confirmation($email);
+ 
+     return undef;
+ }
+@@ -396,15 +385,15 @@
+ 
+ =over
+ 
+-=item 500 (Illegal Email Address)
++=item 500 (Account Already Exists)
++
++An account with that email address already exists in Bugzilla.
++
++=item 501 (Illegal Email Address)
+ 
+ This Bugzilla does not allow you to create accounts with the format of
+ email address you specified. Account creation may be entirely disabled.
+ 
+-=item 501 (Account Already Exists)
+-
+-An account with that email address already exists in Bugzilla.
+-
+ =back
+ 
+ =back
+
+=== modified file 'createaccount.cgi'
+--- createaccount.cgi	2007-11-12 04:03:16 +0000
++++ createaccount.cgi	2011-12-27 14:53:38 +0000
+@@ -31,47 +31,24 @@
+ use Bugzilla;
+ use Bugzilla::Constants;
+ use Bugzilla::Error;
+-use Bugzilla::User;
+-use Bugzilla::BugMail;
+-use Bugzilla::Util;
+ 
+ # Just in case someone already has an account, let them get the correct footer
+ # on an error message. The user is logged out just after the account is
+ # actually created.
+-Bugzilla->login(LOGIN_OPTIONAL);
+-
+-my $dbh = Bugzilla->dbh;
++my $user = Bugzilla->login(LOGIN_OPTIONAL);
+ my $cgi = Bugzilla->cgi;
+ my $template = Bugzilla->template;
+-my $vars = {};
+-
+-$vars->{'doc_section'} = 'myaccount.html';
++my $vars = { doc_section => 'myaccount.html' };
+ 
+ print $cgi->header();
+ 
+-# If we're using LDAP for login, then we can't create a new account here.
+-unless (Bugzilla->user->authorizer->user_can_create_account) {
+-    ThrowUserError("auth_cant_create_account");
+-}
+-
+-my $createexp = Bugzilla->params->{'createemailregexp'};
+-unless ($createexp) {
+-    ThrowUserError("account_creation_disabled");
+-}
+-
++$user->check_account_creation_enabled;
+ my $login = $cgi->param('login');
+ 
+ if (defined($login)) {
+-    $login = Bugzilla::User->check_login_name_for_creation($login);
++    $user->check_and_send_account_creation_confirmation($login);
+     $vars->{'login'} = $login;
+ 
+-    if ($login !~ /$createexp/) {
+-        ThrowUserError("account_creation_restricted");
+-    }
+-
+-    # Create and send a token for this new account.
+-    Bugzilla::Token::issue_new_user_account_token($login);
+-
+     $template->process("account/created.html.tmpl", $vars)
+       || ThrowTemplateError($template->error());
+     exit;
+
+=== modified file 'token.cgi'
+--- token.cgi	2010-05-20 15:38:16 +0000
++++ token.cgi	2011-12-27 14:55:57 +0000
+@@ -341,6 +341,7 @@
+ }
+
+ sub request_create_account {
++    Bugzilla->user->check_account_creation_enabled;
+     my (undef, $date, $login_name) = Bugzilla::Token::GetTokenData($::token);
+     $vars->{'token'} = $::token;
+     $vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'};
+@@ -360,6 +361,7 @@
+ }
+
+ sub confirm_create_account {
++    Bugzilla->user->check_account_creation_enabled;
+     my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($::token);
+ 
+     my $password = $cgi->param('passwd1') || '';
+

bugzilla-3.2.10-CVE-2012-0448.patch

@@ -0,0 +1,52 @@
+diff -Naur Bugzilla/Util.pm Bugzilla/Util.pm
+--- Bugzilla/Util.pm	2011-01-24 23:07:59.000000000 +0100
++++ Bugzilla/Util.pm	2012-02-01 09:17:53.414276564 +0100
+@@ -559,7 +559,7 @@
+ sub validate_email_syntax {
+     my ($addr) = @_;
+     my $match = Bugzilla->params->{'emailregexp'};
+-    my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
++    my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/);
+     if ($ret) {
+         # We assume these checks to suffice to consider the address untainted.
+         trick_taint($_[0]);
+diff -Naur editflagtypes.cgi editflagtypes.cgi
+--- editflagtypes.cgi	2009-02-02 20:01:12.000000000 +0100
++++ editflagtypes.cgi	2012-02-01 09:17:53.415276556 +0100
+@@ -578,7 +578,7 @@
+     # - do not contain any illegal character.
+     foreach my $address (@addresses) {
+         ($address =~ /^[\w\.\+\-=]+@[\w\.\-]+\.[\w\-]+$/
+-           && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/)
++           && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/)
+           || ThrowUserError('illegal_email_address',
+                             {addr => $address, default => 1});
+     }
+diff -Naur template/en/default/global/code-error.html.tmpl template/en/default/global/code-error.html.tmpl
+--- template/en/default/global/code-error.html.tmpl	2012-02-01 09:17:00.561730124 +0100
++++ template/en/default/global/code-error.html.tmpl	2012-02-01 09:17:53.415276556 +0100
+@@ -58,8 +58,7 @@
+     [% ELSE %]
+       [%+ Param('emailregexpdesc') %]
+     [% END %]
+-    It must also not contain any of these special characters:
+-    <tt>\ ( ) &amp; &lt; &gt; , ; : &quot; [ ]</tt>, or any whitespace.
++    It also must not contain any illegal characters.
+ 
+   [% ELSIF error == "authres_unhandled" %]
+     The result value of [% value FILTER html %] was not handled by
+diff -Naur template/en/default/global/user-error.html.tmpl template/en/default/global/user-error.html.tmpl
+--- template/en/default/global/user-error.html.tmpl	2012-02-01 09:17:00.557730158 +0100
++++ template/en/default/global/user-error.html.tmpl	2012-02-01 09:17:53.417276540 +0100
+@@ -748,9 +748,8 @@
+     [% ELSE %]
+       [%+ Param('emailregexpdesc') %]
+     [% END %]
+-    It must also not contain any of these special characters:
+-    <tt>\ ( ) &amp; &lt; &gt; , ; : &quot; [ ]</tt>, or any whitespace.
+-    
++    It also must not contain any illegal characters.
++
+   [% ELSIF error == "illegal_frequency" %]
+     [% title = "Too Frequent" %]
+     Unless you are an administrator, you may not create series which are 

bugzilla-3.2.10-CVE-2012-0466.patch

@@ -0,0 +1,84 @@
+=== modified file 'buglist.cgi'
+--- buglist.cgi	2012-04-17 18:41:05 +0000
++++ buglist.cgi	2012-04-18 12:06:08 +0000
+@@ -112,16 +112,6 @@
+     $cgi->param('ctype', "atom");
+ }
+ 
+-# The js ctype presents a security risk; a malicious site could use it  
+-# to gather information about secure bugs. So, we only allow public bugs to be
+-# retrieved with this format.
+-#
+-# Note that if and when this call clears cookies or has other persistent 
+-# effects, we'll need to do this another way instead.
+-if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
+-    Bugzilla->logout_request();
+-}
+-
+ # An agent is a program that automatically downloads and extracts data
+ # on its user's behalf.  If this request comes from an agent, we turn off
+ # various aspects of bug list functionality so agent requests succeed
+
+=== modified file 'docs/en/xml/using.xml'
+--- docs/en/xml/using.xml	2011-01-28 16:30:29 +0000
++++ docs/en/xml/using.xml	2012-04-18 12:06:08 +0000
+@@ -659,16 +659,6 @@
+         </member>
+       </simplelist>
+       </para>
+-
+-      <para>
+-        If you would like to access the bug list from another program
+-        it is often useful to have the list returned in something other
+-        than HTML. By adding the ctype=type parameter into the bug list URL
+-        you can specify several alternate formats. Besides the types described
+-        above, the following formats are also supported: ECMAScript, also known
+-        as JavaScript (ctype=js), and Resource Description Framework RDF/XML
+-        (ctype=rdf).
+-      </para>
+     </section>
+ 
+     <section id="individual-buglists">
+
+=== removed file 'template/en/default/list/list.js.tmpl'
+--- template/en/default/list/list.js.tmpl	2007-08-20 23:24:38 +0000
++++ template/en/default/list/list.js.tmpl	1970-01-01 00:00:00 +0000
+@@ -1,37 +0,0 @@
+-[%# The contents of this file are subject to the Mozilla Public
+-  # License Version 1.1 (the "License"); you may not use this file
+-  # except in compliance with the License. You may obtain a copy of
+-  # the License at http://www.mozilla.org/MPL/
+-  #
+-  # Software distributed under the License is distributed on an "AS
+-  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+-  # implied. See the License for the specific language governing
+-  # rights and limitations under the License.
+-  #
+-  # The Original Code is the Bugzilla Bug Tracking System.
+-  #
+-  # The Initial Developer of the Original Code is Netscape Communications
+-  # Corporation. Portions created by Netscape are
+-  # Copyright (C) 1998 Netscape Communications Corporation. All
+-  # Rights Reserved.
+-  #
+-  # Contributor(s): Gervase Markham <gerv@gerv.net>
+-  #%]
+-
+-// Note: only publicly-accessible bugs (those not in any group) will be
+-// listed when using this JavaScript format. This is to prevent malicious
+-// sites stealing information about secure bugs.
+-  
+-bugs = new Array; 
+-
+-[% FOREACH bug = bugs %]
+-  bugs[[% bug.bug_id %]] = [ 
+-    [% FOREACH column = displaycolumns %]
+-      "[%- bug.$column FILTER js -%]"[% "," UNLESS loop.last %]
+-    [% END %]
+-  ];
+-[% END %]
+-
+-if (window.buglistCallback) {
+-  buglistCallback(bugs);
+-}
+

bugzilla-EL5-perl-versions.patch

@@ -0,0 +1,24 @@
+diff -ruNp a/bugzilla-3.2.4/Bugzilla/Constants.pm b/bugzilla-3.2.4/Bugzilla/Constants.pm
+--- a/bugzilla-3.2.4/Bugzilla/Constants.pm	2009-07-08 10:58:27.000000000 -0300
++++ b/bugzilla-3.2.4/Bugzilla/Constants.pm	2009-08-04 00:37:30.852896189 -0300
+@@ -387,7 +387,7 @@ use constant DB_MODULE => {
+                     # Disallow development versions
+                     blacklist => ['_'],
+                     # For UTF-8 support
+-                    version => '4.00',
++                    version => '3.00',
+                 },
+                 name => 'MySQL'},
+     'pg'    => {db => 'Bugzilla::DB::Pg', db_version => '8.00.0000',
+diff -ruNp a/bugzilla-3.2.4/Bugzilla/Install/Requirements.pm b/bugzilla-3.2.4/Bugzilla/Install/Requirements.pm
+--- a/bugzilla-3.2.4/Bugzilla/Install/Requirements.pm	2009-04-17 18:53:49.000000000 -0300
++++ b/bugzilla-3.2.4/Bugzilla/Install/Requirements.pm	2009-08-04 00:38:23.376893996 -0300
+@@ -62,7 +62,7 @@ sub REQUIRED_MODULES {
+         # Perl 5.10 requires CGI 3.33 due to a taint issue when
+         # uploading attachments, see bug 416382.
+         # Require CGI 3.21 for -httponly support, see bug 368502.
+-        version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.33' : '3.21',
++        version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.15' : '3.15',
+         # CGI::Carp in 3.46 and 3.47 breaks Template Toolkit
+         blacklist => ['^3\.46$', '^3\.47$'],
+     },

bugzilla-httpd-conf

@@ -1,8 +1,11 @@
+Alias /bugzilla/var/lib/bugzilla/data/webdot /var/lib/bugzilla/data/webdot
 Alias /bugzilla /usr/share/bugzilla
 
 <Directory /usr/share/bugzilla>
   AddHandler cgi-script .cgi
   Options +Indexes +ExecCGI +FollowSymLinks
-  DirectoryIndex index.cgi
+  DirectoryIndex index.cgi index.html
   AllowOverride Limit Options FileInfo
+  AddType application/vnd.mozilla.xul+xml .xul
+  AddType application/rdf+xml .rdf
 </Directory>

bugzilla-rw-paths.patch

@@ -11,8 +11,8 @@
 +        'datadir'     => "/var/lib/bugzilla/$datadir",
 +        'attachdir'   => "/var/lib/bugzilla/$datadir/attachments",
          'skinsdir'    => "$libpath/skins",
+         'graphsdir'   => "$libpath/graphs",
          # $webdotdir must be in the web server's tree somewhere. Even if you use a 
-         # local dot, we output images to there. Also, if $webdotdir is 
 @@ -475,8 +475,8 @@
          # change showdependencygraph.cgi to set image_url to the correct 
          # location.

bugzilla.spec

@@ -4,18 +4,37 @@
 Summary: Bug tracking system
 URL: http://www.bugzilla.org/
 Name: bugzilla
-Version: 3.2.3
+Version: 3.2.10
 Group: Applications/Publishing
-Release: 1%{?dist}
+Release: 5%{?dist}
 License: MPLv1.1
 Source0: http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-%{version}.tar.gz
 Source1: bugzilla-httpd-conf
 Source2: README.fedora.bugzilla
 Patch0: bugzilla-rw-paths.patch
+Patch1: bugzilla-EL5-perl-versions.patch
+Patch2: bugzilla-3.2.10-CVE-2011-2379.patch
+Patch3: bugzilla-3.2.10-CVE-2011-2380.patch
+Patch4: bugzilla-3.2.10-CVE-2011-2381.patch
+Patch5: bugzilla-3.2.10-CVE-2011-2976.patch
+Patch6: bugzilla-3.2.10-CVE-2011-2978.patch
+Patch7: bugzilla-3.2.10-CVE-2011-3657.patch
+Patch8: bugzilla-3.2.10-CVE-2011-3667.patch
+Patch9: bugzilla-3.2.10-CVE-2012-0448.patch
+Patch10: bugzilla-3.2.10-CVE-2012-0466.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 Requires: webserver, patchutils, mod_perl, perl(SOAP::Lite), which
+Requires: perl(CGI) >= 3.33
+Requires: perl(Date::Format) >= 2.21
+Requires: perl(File::Spec) >= 0.84
+Requires: perl(DBI) >= 1.41
+Requires: perl(Template) >= 2.15
+Requires: perl(Email::Send) >= 2.00
+Requires: perl(Email::MIME) >= 1.859
+Requires: perl(Email::MIME::Encodings) >= 1.313
+Requires: perl(Email::MIME::Modifier) >= 1.441
 
 %package doc
 Summary: Bugzilla documentation
@@ -39,8 +58,19 @@ Documentation distributed with the Bugzilla bug tracking system
 Contributed scripts and functions for Bugzilla
 
 %prep
+set -x
 %setup -q -n %{name}-%{version}
 %patch0 -p1
+%patch1 -p2
+%patch2 -p0
+%patch3 -p0
+%patch4 -p0
+%patch5 -p0
+%patch6 -p0
+%patch7 -p0
+%patch8 -p0
+%patch9 -p0
+%patch10 -p0
 
 # Filter unwanted Requires found by /usr/lib/rpm/perldeps.pl:
 # create a wrapper script which runs the original perl_requires
@@ -77,6 +107,8 @@ for file in `find -type f -perm /664`; do
   fi
 done
 
+# Remove un-needed files
+find . -name "*.orig" -delete
 
 %install
 mkdir -p ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla
@@ -88,7 +120,7 @@ cd %{bzinstallprefix}/bugzilla
 ./collectstats.pl
 EOM
 echo "0-59/15 * * * * apache cd %{bzinstallprefix}/bugzilla && env LANG=C %{bzinstallprefix}/bugzilla/whine.pl" > ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla/cron.whine
-rm -f ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla/{README,QUICKSTART,UPGRADING,UPGRADING-pre-2.8}
+rm -f ${RPM_BUILD_ROOT}/%{bzinstallprefix}/bugzilla/README
 mkdir -p ${RPM_BUILD_ROOT}/%{_datadir}/doc/%{name}-%{version}
 cp %{SOURCE2} ./README.fedora
 mkdir -p ${RPM_BUILD_ROOT}/%{bzdatadir}
@@ -104,7 +136,7 @@ rm -rf ${RPM_BUILD_ROOT}
 popd > /dev/null)
 
 %files
-%defattr(-,root,root,-)
+%defattr(-,root,apache,-)
 %dir %{bzinstallprefix}/bugzilla
 %{bzinstallprefix}/bugzilla/*.cgi
 %{bzinstallprefix}/bugzilla/*.pl
@@ -126,9 +158,6 @@ popd > /dev/null)
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/bugzilla.conf
 %defattr(-,root,root,-)
 %doc README
-%doc QUICKSTART
-%doc UPGRADING
-%doc UPGRADING-pre-2.8
 %doc README.fedora
 %dir %{bzdatadir}
 %defattr(0750,root,apache,-)
@@ -143,6 +172,45 @@ popd > /dev/null)
 %{bzinstallprefix}/bugzilla/contrib
 
 %changelog
+* Fri Apr 20 2012 Xavier Bachelot <xavier@bachelot.org> - 3.2.10-5
+- Add patch for CVE-2012-0466.
+- Drop version requirement downgrade for perl(Email::MIME) and
+  perl(Email::MIME::Modifier).
+
+* Wed Feb 01 2012 Xavier Bachelot <xavier@bachelot.org> - 3.2.10-4
+- Add patch for CVE-2012-0448.
+
+* Thu Dec 29 2011 Xavier Bachelot <xavier@bachelot.org> - 3.2.10-3
+- Add patches for CVE-2011-3657 and CVE-2011-3667.
+
+* Thu Sep 15 2011 Xavier Bachelot <xavier@bachelot.org> - 3.2.10-2
+- Add patches for CVE-2011-2379, CVE-2011-2380, CVE-2011-2381, CVE-2011-2978
+  and CVE-2011-2976.
+- Fix httpd conf (RHBZ#736579, RHBZ #736584).
+- Fix typo in doc (RHBZ#736581).
+- Fix files ownership (RHBZ#736583).
+
+* Tue May 03 2011 Xavier Bachelot <xavier@bachelot.org> - 3.2.10-1
+- Update to 3.2.10 for CVE-2010-4411, CVE-2010-4567, CVE-2010-4568,
+  CVE-2010-4569, CVE-2010-4570, CVE-2010-4572, CVE-2011-0046, CVE-2011-0048)
+
+* Tue Feb 02 2010 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.2.6-2
+- Use Linux requirements, not Windows'
+
+* Mon Feb 01 2010 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.2.6-1
+- Update to 3.2.6 (CVE-2009-3989, CVE-2009-3387)
+- Specify Perl module versions in the Requires (fixes #524309)
+- Add an alias to make $webdotdir a working path (fixes #458848)
+
+* Fri Sep 11 2009 Emmanuel Seyman <emmanuel.seyman@club-internet.fr> - 3.2.5-1
+- Update to 3.2.5 (CVE-2009-3125, CVE-2009-3165 and CVE-2009-3166)
+
+* Tue Aug 04 2009 Itamar Reis Peixoto <itamar@ispbrasil.com.br> - 3.2.4-2
+- fix EL-5 perl dependencies bz#515158
+
+* Wed Jul 08 2009 Itamar Reis Peixoto <itamar@ispbrasil.com.br> - 3.2.4-1
+- fix https://bugzilla.mozilla.org/show_bug.cgi?id=495257
+
 * Mon Apr 06 2009 Itamar Reis Peixoto <itamar@ispbrasil.com.br> 3.2.3-1
 - fix CVE-2009-1213
 

import.log

@@ -1,3 +0,0 @@
-bugzilla-3_0_8-1_fc11:HEAD:bugzilla-3.0.8-1.fc11.src.rpm:1235878106
-bugzilla-3_2_2-2_fc10:HEAD:bugzilla-3.2.2-2.fc10.src.rpm:1236265998
-bugzilla-3_2_3-1_fc11:HEAD:bugzilla-3.2.3-1.fc11.src.rpm:1239059931

sources

@@ -1 +1 @@
-fcc8f64fec821e76718fbda13e232b59  bugzilla-3.2.3.tar.gz
+dd9d8e142f5e8d5a352fb87a9afebc48  bugzilla-3.2.10.tar.gz