Date: Wednesday, November 12, 2014 @ 15:58:00
  Author: alucryd
Revision: 122442

FS#42761: mantisbt 1.2.17-4

Added:
  mantisbt/trunk/CVE-2014-7146.patch
  mantisbt/trunk/CVE-2014-8598.patch
Modified:
  mantisbt/trunk/PKGBUILD

---------------------+
 CVE-2014-7146.patch |   65 ++++++++++++++++
 CVE-2014-8598.patch |  203 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD            |   12 ++
 3 files changed, 277 insertions(+), 3 deletions(-)

Added: CVE-2014-7146.patch
===================================================================
--- CVE-2014-7146.patch                         (rev 0)
+++ CVE-2014-7146.patch 2014-11-12 14:58:00 UTC (rev 122442)
@@ -0,0 +1,65 @@
+From bed19db954359043515300c995ebc40ebb97265a Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Sat, 1 Nov 2014 19:45:47 +0100
+Subject: [PATCH] XML Import: Fix php code injection vulnerability
+
+Egidio Romano discovered a vulnerability in the XML import plugin.
+
+User input passed through the "description" field (and the "issuelink"
+attribute) of the uploaded XML file isn't properly sanitized before
+being used in a call to the preg_replace() function which uses the 'e'
+modifier. This can be exploited to inject and execute arbitrary PHP code
+when the Import/Export plugin is installed.
+
+This fix is a partial backport from a master branch commit which has
+been confirmed as addressing the issue 
(84017535f8718685d755d58af7a39d80f52ffca8)
+excluding changes not relevant to fixing the security issue, including
+subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
+4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).
+
+Fixes #17725 (CVE-2014-7146)
+---
+ plugins/XmlImportExport/ImportXml.php | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/plugins/XmlImportExport/ImportXml.php 
b/plugins/XmlImportExport/ImportXml.php
+index 590f898..09ccc8d 100644
+--- a/plugins/XmlImportExport/ImportXml.php
++++ b/plugins/XmlImportExport/ImportXml.php
+@@ -102,16 +102,27 @@ public function import( ) {
+ 
+               echo " Done\n";
+ 
+-              $importedIssues = $this->itemsMap_->getall( 'issue' );
+-              printf( "Processing cross-references for %s issues...", count( 
$importedIssues ) );
+-              foreach( $importedIssues as $oldId => $newId ) {
+-                      $bugData = bug_get( $newId, true );
+-
+-                      $bugLinkRegexp = '/(^|[^\w])(' . preg_quote( 
$this->source_->issuelink, '/' ) . ')(\d+)\b/e';
+-                      $replacement = '"\\1" . $this->getReplacementString( 
"\\2", "\\3" )';
++              # replace bug references
++              $t_imported_issues = $this->itemsMap_->getall( 'issue' );
++              printf( 'Processing cross-references for %s issues...', count( 
$t_imported_issues ) );
++              foreach( $t_imported_issues as $t_old_id => $t_new_id ) {
++                      $t_bug = bug_get( $t_new_id, true );
++                      $t_content_replaced = false;
++                      $t_bug_link_regexp = '/(^|[^\w])(' . preg_quote( 
$this->source_->issuelink, '/' ) . ')(\d+)\b/';
++
++                      # replace links in description
++                      preg_match_all( $t_bug_link_regexp, 
$t_bug->description, $t_matches );
++                      if( is_array( $t_matches[3] ) && count( $t_matches[3] ) 
> 0 ) {
++                              $t_content_replaced = true;
++                              foreach ( $t_matches[3] as $t_old_id2 ) {
++                                      $t_bug->description = str_replace( 
$this->source_->issuelink . $t_old_id2, $this->getReplacementString( 
$this->source_->issuelink, $t_old_id2 ), $t_bug->description );
++                              }
++                      }
+ 
+-                      $bugData->description = preg_replace( $bugLinkRegexp, 
$replacement, $bugData->description );
+-                      $bugData->update( true, true );
++                      if( $t_content_replaced ) {
++                              # only update bug if necessary (otherwise last 
update date would be unnecessarily overwritten)
++                              $t_bug->update( true );
++                      }
+               }
+               echo " Done\n";
+       }
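Review bot: The `str_replace()` loop in the new cross-reference block discards the boundaries that `$t_bug_link_regexp` enforces: it rewrites every occurrence of `issuelink . id`, so a match on id 12 also rewrites the prefix of id 123. An id that appears twice in `$t_matches[3]`, or whose replacement text is itself a later match, is rewritten more than once. `preg_replace_callback()` drops the `/e` modifier just as well and substitutes each match exactly once, in place; in the sketch below `replaceIssueLinkMatch` is a new private method returning `$p_matches[1] . $this->getReplacementString( $p_matches[2], $p_matches[3] )`. Separately, `update( true, true )` became `update( true )`, so confirm the dropped second argument is not needed during an import. `import()` starts outside this hunk.

```php
# replace links in description; each regexp match is substituted once, in place
$t_new_description = preg_replace_callback(
	$t_bug_link_regexp,
	array( $this, 'replaceIssueLinkMatch' ),
	$t_bug->description
);
if( $t_new_description !== null && $t_new_description !== $t_bug->description ) {
	$t_bug->description = $t_new_description;
	$t_content_replaced = true;
}
# … unchanged: conditional $t_bug->update( true ) …
```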

Added: CVE-2014-8598.patch
===================================================================
--- CVE-2014-8598.patch                         (rev 0)
+++ CVE-2014-8598.patch 2014-11-12 14:58:00 UTC (rev 122442)
@@ -0,0 +1,203 @@
+From 80a15487cda89afb00ce866da8e24d76808dcdb4 Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Fri, 17 Oct 2014 17:21:25 +0200
+Subject: [PATCH] XML plugin: Add config page with access thresholds
+
+Prior to this, any user of a MantisBT instance with the XML
+Import/Export plugin enabled and knowing the URL to the plugin's import
+page could upload an XML file and insert data without restriction,
+regardless of their access level.
+
+This vulnerability is particularly dangerous when used in combination
+with the one described in issue #17725 (CVE-2014-7146) as it makes for a
+very simple and easily accessible vector for PHP code injection attacks.
+
+There was also no access check when exporting data, which could allow an
+attacker to gain access to confidential information (disclosure of all
+bug-related data, including usernames).
+
+Fixes #17780 (CVE-2014-8598)
+---
+ plugins/XmlImportExport/XmlImportExport.php      | 16 +++++++-
+ plugins/XmlImportExport/lang/strings_english.txt |  7 ++++
+ plugins/XmlImportExport/pages/config.php         | 27 +++++++++++++
+ plugins/XmlImportExport/pages/config_page.php    | 48 ++++++++++++++++++++++++
+ plugins/XmlImportExport/pages/export.php         |  2 +
+ plugins/XmlImportExport/pages/import.php         |  2 +
+ 6 files changed, 101 insertions(+), 1 deletion(-)
+ create mode 100644 plugins/XmlImportExport/pages/config.php
+ create mode 100644 plugins/XmlImportExport/pages/config_page.php
+
+diff --git a/plugins/XmlImportExport/XmlImportExport.php 
b/plugins/XmlImportExport/XmlImportExport.php
+index 63e254e..20ea3c2 100644
+--- a/plugins/XmlImportExport/XmlImportExport.php
++++ b/plugins/XmlImportExport/XmlImportExport.php
+@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
+       function register( ) {
+               $this->name = plugin_lang_get( 'title' );
+               $this->description = plugin_lang_get( 'description' );
+-              $this->page = '';
++              $this->page = "config_page";
+ 
+               $this->version = '1.0';
+               $this->requires = array(
+@@ -54,6 +54,17 @@ function register( ) {
+       /**
+        * Default plugin configuration.
+        */
++      public function config() {
++              return array(
++                      "import_threshold" => ADMINISTRATOR,
++                      "export_threshold" => DEVELOPER,
++              );
++      }
++
++      /**
++       * Plugin hooks
++       * @return array
++       */
+       function hooks( ) {
+               $hooks = array(
+                       'EVENT_MENU_MANAGE' => 'import_issues_menu',
+@@ -67,6 +78,9 @@ function import_issues_menu( ) {
+       }
+ 
+       function export_issues_menu( ) {
++              if( !access_has_project_level( plugin_config_get( 
'export_threshold' ) ) ) {
++                      return array();
++              }
+               return array( '<a href="' . plugin_page( 'export' ) . '">' . 
plugin_lang_get( 'export' ) . '</a>', );
+       }
+ 
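Review bot: `export_issues_menu()` now hides its link below `export_threshold`, but `import_issues_menu()`, whose body lies outside this hunk, gets no matching change in this patch. If it returns its link unconditionally, users below `import_threshold` still see a menu entry that leads to an access-denied page. The parallel guard would be `if( !access_has_project_level( plugin_config_get( 'import_threshold' ) ) ) { return array(); }`. This is a consistency point only, since pages/import.php enforces the threshold itself.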
+diff --git a/plugins/XmlImportExport/lang/strings_english.txt 
b/plugins/XmlImportExport/lang/strings_english.txt
+index 775ad76..e595228 100644
+--- a/plugins/XmlImportExport/lang/strings_english.txt
++++ b/plugins/XmlImportExport/lang/strings_english.txt
+@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based 
import and export capabi
+ $s_plugin_XmlImportExport_import = 'Import issues';
+ $s_plugin_XmlImportExport_export = 'XML Export';
+ 
++$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels 
Configuration';
++$s_plugin_XmlImportExport_import_threshold = 'Import issues';
++$s_plugin_XmlImportExport_export_threshold = 'Export issues';
++
++$s_plugin_XmlImportExport_action_update = 'Update';
++
+ $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in 
project:';
++
+ $s_plugin_XmlImportExport_import_options = 'Import options';
+ 
+ $s_plugin_XmlImportExport_cross_references = 'Cross references';
+diff --git a/plugins/XmlImportExport/pages/config.php 
b/plugins/XmlImportExport/pages/config.php
+new file mode 100644
+index 0000000..19587c8
+--- /dev/null
++++ b/plugins/XmlImportExport/pages/config.php
+@@ -0,0 +1,27 @@
++<?php
++# Copyright (c) 2014  MantisBT Team - [email protected]
++# Licensed under the MIT license
++
++form_security_validate( 'plugin_XmlImportExport_config' );
++access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
++
++/**
++ * Sets plugin config option if value is different from current/default
++ * @param string $p_name  option name
++ * @param string $p_value value to set
++ * @return void
++ */
++function config_set_if_needed( $p_name, $p_value ) {
++      if ( $p_value != plugin_config_get( $p_name ) ) {
++              plugin_config_set( $p_name, $p_value );
++      }
++}
++
++$t_redirect_url = plugin_page( 'config_page', true );
++
++config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) 
);
++config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) 
);
++
++form_security_purge( 'plugin_XmlImportExport_config' );
++
++print_successful_redirect( $t_redirect_url );
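Review bot: `gpc_get_int()` guarantees an integer but not a valid access level, so any number posted as `import_threshold` or `export_threshold` is stored as the threshold. A value below every defined level would presumably let `access_ensure_project_level()` in import.php and export.php pass for every user, which undoes the fix. Check the value against the `access_levels` enum before calling `plugin_config_set()` and reject anything else. `config_set_if_needed()` also compares with `!=` and is declared as an unprefixed global function in a page script, where a plugin-specific name would avoid a fatal redefinition if the same name is declared elsewhere.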
+diff --git a/plugins/XmlImportExport/pages/config_page.php 
b/plugins/XmlImportExport/pages/config_page.php
+new file mode 100644
+index 0000000..7c678af
+--- /dev/null
++++ b/plugins/XmlImportExport/pages/config_page.php
+@@ -0,0 +1,48 @@
++<?php
++# Copyright (c) 2014  MantisBT Team - [email protected]
++# Licensed under the MIT license
++
++access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
++
++html_page_top();
++//print_manage_menu();
++?>
++
++<br />
++<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
++<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
++<table class="width60" align="center">
++
++<tr>
++<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") 
?></td>
++</tr>
++
++<tr <?php echo helper_alternate_class() ?>>
++<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
++<td><select name="import_threshold"><?php
++      print_enum_string_option_list(
++              'access_levels',
++              plugin_config_get( 'import_threshold' )
++      );
++      ?></select></td>
++</tr>
++
++<tr <?php echo helper_alternate_class() ?>>
++<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
++<td><select name="export_threshold"><?php
++      print_enum_string_option_list(
++              'access_levels',
++              plugin_config_get( 'export_threshold' )
++      );
++      ?></select></td>
++</tr>
++
++<tr>
++<td class="center" colspan="2"><input type="submit" value="<?php echo 
plugin_lang_get("action_update") ?>"/></td>
++</tr>
++
++</table>
++</form>
++
++<?php
++html_page_bottom();
+diff --git a/plugins/XmlImportExport/pages/export.php 
b/plugins/XmlImportExport/pages/export.php
+index 061b135..aac3bbf 100644
+--- a/plugins/XmlImportExport/pages/export.php
++++ b/plugins/XmlImportExport/pages/export.php
+@@ -20,6 +20,8 @@
+ 
+ require_once( 'core.php' );
+ 
++access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
++
+ auth_ensure_user_authenticated( );
+ helper_begin_long_process( );
+ 
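Review bot: The added `access_ensure_project_level()` call runs before `auth_ensure_user_authenticated( );`, so the authorisation decision is taken before the script has established who the caller is. The same order is used in pages/import.php, where the check sits ahead of `auth_reauthenticate( );`. How the access API treats an unauthenticated session is not visible here, so it would be clearer to place `access_ensure_project_level( plugin_config_get( 'export_threshold' ) );` directly after the authentication call. The script continues outside the hunk.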
+diff --git a/plugins/XmlImportExport/pages/import.php 
b/plugins/XmlImportExport/pages/import.php
+index cd7721f..6740727 100644
+--- a/plugins/XmlImportExport/pages/import.php
++++ b/plugins/XmlImportExport/pages/import.php
+@@ -14,6 +14,8 @@
+ # You should have received a copy of the GNU General Public License
+ # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
+ 
++access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
++
+ auth_reauthenticate( );
+ 
+ html_page_top( plugin_lang_get( 'import' ) );
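Review bot: Only the form page is guarded here; the patch's file list touches pages/import.php and pages/export.php and no other existing page script. If the uploaded XML is processed by a separate script that this form posts to, that script needs the same `access_ensure_project_level( plugin_config_get( 'import_threshold' ) );` line. Otherwise a direct request to the handler would skip the threshold. The script continues outside the hunk.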

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2014-11-12 14:51:56 UTC (rev 122441)
+++ PKGBUILD    2014-11-12 14:58:00 UTC (rev 122442)
@@ -7,7 +7,7 @@
 
 pkgname=mantisbt
 pkgver=1.2.17
-pkgrel=3
+pkgrel=4
 pkgdesc='Web-based issue tracking system'
 arch=('any')
 url='http://www.mantisbt.org/'
@@ -23,14 +23,20 @@
 backup=('etc/webapps/mantisbt/config_inc.php')
 install='mantisbt.install'
 source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz";
-        'CVE-2014-8554.patch')
+        'CVE-2014-7146.patch'
+        'CVE-2014-8554.patch'
+        'CVE-2014-8598.patch')
 sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243'
-            '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908')
+            '5660d838efa89f5cc391df902979faa024a26faa698ab0845a458bf3a5fdcd08'
+            '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908'
+            '3bfb9a6e118678f80a244ca13f527d5589da094491e910d95c53dd5c10d048ed')
 
 prepare() {
   cd mantisbt-${pkgver}
 
+  patch -Np1 -i ../CVE-2014-7146.patch
   patch -Np1 -i ../CVE-2014-8554.patch
+  patch -Np1 -i ../CVE-2014-8598.patch
 }
 
 package() {
