Hi There I was going through Bugzilla code. I found one bug in "editproducts.cgi". fileName: editproducts.cgi # LineNumber : 651 "AND (groupset != 9223372036854710271)"); but as per my knowledge and as defined in globals.pl Admin bit munber is 9223372036854775807 So I think it can change admin's right while deleting a product when usebuggroups is ON. Correct me if I am wrong. Thanks & Regards R K Singh

This looks like a real error. The only differrence between these values is that the value in editproducts.cgi is missing the 2^16 bit. I'll be happy to make a patch if it is OK to write/submit a patch where the benefit is seen only by inspection and it is tested just to make sure it doesn't break anything.

Use $::admingroupset from globals.pol (or whatever the var is called)

Is this even still an issue? I think the groups rewrite fixed this (since there's a separate admin group which is inherited now instead of the admin being a member of every group)

joel: ping (see comment #3)

This would only impact the old bugzillas. The new group system already takes this into account during conversion. So, unless someone wants to fix this on the 2.16 branch, there is no change to make.

although it's admittedly a minor thing, it does meet the qualifications of a security problem, since the admin could accidently change his own privs. And the timing is perfect since we're going to be doing a 2.16.3 release shortly anyway.

This patch is against version 2.16.2. Do note that as mentioned in earlier comments, this problem is not present in 2.17.

From the standpoint of being worth an update, it should be included. There is no reason I can see for an advisory, though. This lets and admin lose privs rather than creating a hole.

mine

Checked in on BUGZILLA-2_16-BRANCH Checking in editproducts.cgi; /cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v <-- editproducts.cgi new revision: 1.24.2.3; previous revision: 1.24.2.2 done