Version in base suite: 3.0.4.1-2+lenny1 Version in overlay suite: (not present) Base version: bugzilla_3.0.4.1-2+lenny1 Target version: bugzilla_3.0.4.1-2+lenny2 Base file: /org/ftp.debian.org/ftp/pool/main/b/bugzilla/bugzilla_3.0.4.1-2+lenny1.dsc Target file: /org/ftp.debian.org/queue/p-u-new/bugzilla_3.0.4.1-2+lenny2.dsc bugzilla-3.0.4.1/debian/changelog | 8 ++++ debian/maintenance/33_CVE-2009-3165.sh | 60 +++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+)
diff -u bugzilla-3.0.4.1/debian/changelog bugzilla-3.0.4.1/debian/changelog
--- bugzilla-3.0.4.1/debian/changelog
+++ bugzilla-3.0.4.1/debian/changelog
@@ -1,3 +1,11 @@
+bugzilla (3.0.4.1-2+lenny2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed SQL injection vulnerability in the Bug.create WebService function
+CVE-2009-3165, Closes: #547132
+
+ -- Giuseppe Iuculano Fri, 16 Oct 2009 18:59:23 +0200
+
 bugzilla (3.0.4.1-2+lenny1) testing-security; urgency=high
 * Non-maintainer upload by the Security Team. only in patch2: unchanged:
--- bugzilla-3.0.4.1.orig/debian/maintenance/33_CVE-2009-3165.sh
+++ bugzilla-3.0.4.1/debian/maintenance/33_CVE-2009-3165.sh
@@ -0,0 +1,60 @@
+#! /bin/sh
+set -e
+
+echo "$0 $*"
+
+cd $1
+patch -p0 < $0
+
+exit 0
+
+--- Bugzilla/WebService/Bug.pm 12 Feb 2008 01:35:13 -0000 1.4.2.4
++++ Bugzilla/WebService/Bug.pm 10 Sep 2009 01:15:12 -0000
+@@ -113,6 +113,8 @@
+ my %field_values;
+ foreach my $field (keys %$params) {
+ my $field_name = FIELD_MAP->{$field} || $field;
++ # Prevent SQL Injection via key names.
++ _check_valid_field($field);
+ $field_values{$field_name} = $params->{$field};
+ }
+
+@@ -172,6 +174,17 @@
+ return { values => \@result };
+ }
+
++sub _check_valid_field {
++ my $field = shift;
++ # We add qa_contact in manually because it should always be available in
++ # the API even if useqacontact is off.
++ my @valid_fields = (Bugzilla::Bug->fields, values %{ FIELD_MAP() },
++ 'qa_contact');
++ if (!grep($_ eq $field, @valid_fields)) {
++ ThrowCodeError('invalid_field_name', { field => $field });
++ }
++}
++
+ 1;
+
+ __END__
+@@ -450,6 +463,10 @@
+
+ You didn't specify a summary for the bug.
+
++=item 108 (Invalid Field Name)
++
++You specified a field that doesn't exist as an argument to this function.
++
+ =item 504 (Invalid User)
+
+ Either the QA Contact, Assignee, or CC lists have some invalid user
+@@ -461,6 +478,9 @@
+
+ =over
+
++=item Error 108 is only thrown by this function in the 3.0 branch, starting
++with B<3.0.9>.
++
+ =item Before B<3.0.4>, parameters marked as B were actually
+ B, due to a bug in Bugzilla.
+
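Review bot: The guard added to `create` validates the raw request key (`_check_valid_field($field);`) while the whitelist in `_check_valid_field` is built from post-mapping names (`values %{ FIELD_MAP() }` plus `Bugzilla::Bug->fields`), and it is the mapped `$field_name` that becomes the key of `%field_values` and is what reaches SQL; unless `Bugzilla::Bug->fields` (outside this patch) also lists the API-side aliases, every alias that FIELD_MAP translates would now be rejected with error 108, so the call should read `_check_valid_field($field_name);`, which still covers every key that reaches the database because a mapped name is always a whitelisted FIELD_MAP value. The wrapper itself is fragile: `cd $1` with an unset or empty `$1` silently changes to `$HOME` and `set -e` does not catch that, so the embedded patch is then applied in the wrong tree; use `cd "${1:?target directory required}"` and `patch -p0 < "$0"`. If this maintenance script can run more than once, `patch` may detect an already-applied patch and prompt interactively; `patch -p0 --forward --batch` (or a marker check before patching) would make it idempotent — how the script is invoked is not visible on this page. The enclosing `create` function of Bug.pm begins before the embedded hunk.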