Date: Wednesday, November 5, 2014 @ 16:34:50 Author: alucryd Revision: 121959
FS#42683: mantisbt 1.2.17-3 Added: mantisbt/trunk/CVE-2014-8554.patch Modified: mantisbt/trunk/PKGBUILD ---------------------+ CVE-2014-8554.patch | 35 +++++++++++++++++++++++++++++++++++ PKGBUILD | 14 +++++++++++--- 2 files changed, 46 insertions(+), 3 deletions(-)
Added: CVE-2014-8554.patch
===================================================================
--- CVE-2014-8554.patch (rev 0)
+++ CVE-2014-8554.patch 2014-11-05 15:34:50 UTC (rev 121959)
@@ -0,0 +1,35 @@
+From 99ffb0afaff3409d0eaec78ac963214da0d2a079 Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Thu, 30 Oct 2014 15:31:36 +0100
+Subject: [PATCH] SQL injection in mc_project_get_attachments()
+
+This is a follow-up on CVE-2014-1609 / issue #16880.
+
+Edwin Gozeling and Wim Visser from ITsec Security Services BV
+(http://www.itsec.nl) discovered that the fix in #16880 did not fully
+address the problem. Their research demonstrate that using a specially
+crafted project id parameter, an attacker could still perform an SQL
+injection.
+
+The same issue was also reported by Paul Richards in issue #17823.
+
+This patch fixes the problem by typecasting the Project ID parameter
+to Integer.
+
+Fixes #17812, CVE-2014-8554
+---
+ api/soap/mc_project_api.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
+index 8e6aae9..fe57b7b 100644
+--- a/api/soap/mc_project_api.php
++++ b/api/soap/mc_project_api.php
+@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
+ return mci_soap_fault_login_failed();
+ }
+
++ $p_project_id = (int)$p_project_id;
+ $g_project_override = $p_project_id;
+
+ # Check if project documentation feature is enabled.
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-11-05 15:23:45 UTC (rev 121958)
+++ PKGBUILD 2014-11-05 15:34:50 UTC (rev 121959)
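Review bot: The added `(int)$p_project_id` cast coerces rather than validates, so a malformed project id (a non-numeric string casts to 0 in PHP) is silently turned into a different id instead of being refused with a SOAP fault. That closes the injection the commit message describes, but how the coerced value is then scoped depends on code below the hunk that is not visible here. The cast also has no comment tying it to the query it protects, so a later refactor could drop it; I would add `# Force integer: $p_project_id is used in an SQL query below (CVE-2014-8554)` above it, and longer term pass the id to the query as a bound parameter. The body of mc_project_get_attachments() starts and continues outside the hunk.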
@@ -7,7 +7,7 @@
 pkgname=mantisbt
 pkgver=1.2.17
-pkgrel=2
+pkgrel=3
 pkgdesc='Web-based issue tracking system'
 arch=('any')
 url='http://www.mantisbt.org/'
@@ -22,9 +22,17 @@
 'php-pgsql: PostgreSQL database')
 backup=('etc/webapps/mantisbt/config_inc.php')
 install='mantisbt.install'
-source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz")
-sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243')
+source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz"
+ 'CVE-2014-8554.patch')
+sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243'
+ '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908')
+prepare() {
+ cd mantisbt-${pkgver}
+
+ patch -Np1 -i ../CVE-2014-8554.patch
+}
+
 package() {
 install -dm 755 "${pkgdir}"/{etc,usr/share}/webapps/mantisbt
 cp -dr --no-preserve='ownership' mantisbt-${pkgver}/* "${pkgdir}"/usr/share/webapps/mantisbt
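Review bot: The new `'CVE-2014-8554.patch'` entry in `source=()` has no comment recording where the backport came from or when it can be dropped, so whoever does the next pkgver bump has to rediscover whether upstream already ships the fix. I would add above `source=(`: `# CVE-2014-8554.patch: upstream commit 99ffb0afaff3409d0eaec78ac963214da0d2a079 (FS#42683); drop once pkgver includes it`. Separately, the tarball on the re-added `source=` line is still fetched over plain `http://`; the sha256sum pins its content, so this matters mainly when the checksum is regenerated from a fresh download. package() continues outside the hunk.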
