A Bugzilla Security Advisory reports:
- Remote Information Disclosure:
An unprivileged user is normally not allowed to view
other users' group membership. But boolean charts
let the user use group-based pronouns, indirectly
disclosing group membership. This security fix
restricts the use of pronouns to groups the user
belongs to.
- Notification Bypass:
Normally, when a user is impersonated, he receives
an email informing him that he is being impersonated,
containing the identity of the impersonator. However,
it was possible to impersonate a user without this
notification being sent.
- Remote Information Disclosure:
An error message thrown by the "Reports" and "Duplicates"
page confirmed the non-existence of products, thus
allowing users to guess confidential product names.
(Note that the "Duplicates" page was not vulnerable
in Bugzilla 3.6rc1 and above though.)
- Denial of Service:
If a comment contained the phrases "bug X" or
"attachment X", where X was an integer larger than the
maximum 32-bit signed integer size, PostgreSQL would
throw an error, and any page containing that comment would
not be viewable. On most Bugzillas, any user can enter
a comment on any bug, so any user could have used this to
deny access to one or all bugs. Bugzillas running on
databases other than PostgreSQL are not affected.