Date: Monday, December 1, 2014 @ 10:13:14 Author: alucryd Revision: 123318
SVN did it again...
Added:
mantisbt/repos/community-any/CVE-2014-8554.patch
mantisbt/repos/community-any/CVE-2014-9089.patch
mantisbt/repos/community-any/PKGBUILD
mantisbt/repos/community-any/fix-17742.patch
mantisbt/repos/community-any/fix-17870.patch
---------------------+
CVE-2014-8554.patch | 35 ++++++++++++++++++++++++++
CVE-2014-9089.patch | 35 ++++++++++++++++++++++++++
PKGBUILD | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++
fix-17742.patch | 31 +++++++++++++++++++++++
fix-17870.patch | 24 ++++++++++++++++++
5 files changed, 190 insertions(+)
Added: CVE-2014-8554.patch
===================================================================
--- CVE-2014-8554.patch (rev 0)
+++ CVE-2014-8554.patch 2014-12-01 09:13:14 UTC (rev 123318)
@@ -0,0 +1,35 @@
+From 99ffb0afaff3409d0eaec78ac963214da0d2a079 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dre...@mantisbt.org>
+Date: Thu, 30 Oct 2014 15:31:36 +0100
+Subject: [PATCH] SQL injection in mc_project_get_attachments()
+
+This is a follow-up on CVE-2014-1609 / issue #16880.
+
+Edwin Gozeling and Wim Visser from ITsec Security Services BV
+(http://www.itsec.nl) discovered that the fix in #16880 did not fully
+address the problem. Their research demonstrate that using a specially
+crafted project id parameter, an attacker could still perform an SQL
+injection.
+
+The same issue was also reported by Paul Richards in issue #17823.
+
+This patch fixes the problem by typecasting the Project ID parameter
+to Integer.
+
+Fixes #17812, CVE-2014-8554
+---
+ api/soap/mc_project_api.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
+index 8e6aae9..fe57b7b 100644
+--- a/api/soap/mc_project_api.php
++++ b/api/soap/mc_project_api.php
+@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
+ return mci_soap_fault_login_failed();
+ }
+
++ $p_project_id = (int)$p_project_id;
+ $g_project_override = $p_project_id;
+
+ # Check if project documentation feature is enabled.
Added: CVE-2014-9089.patch
===================================================================
--- CVE-2014-9089.patch (rev 0)
+++ CVE-2014-9089.patch 2014-12-01 09:13:14 UTC (rev 123318)
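Review bot: The added `(int)` cast on `$p_project_id` closes the injection path, but it maps any non-numeric or malformed id to `0` instead of rejecting the request, so a bad SOAP call proceeds with project 0 and it is left to whatever checks follow to notice; those checks are outside the hunk, as `mc_project_get_attachments()` continues past it. A comment would stop a later cleanup from folding the cast away, e.g. `# Cast to int: the id is interpolated into SQL further down (CVE-2014-8554 / #17812).` Since this is a vendored upstream patch, that comment belongs in an upstream follow-up rather than in the package's copy.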
@@ -0,0 +1,35 @@
+From b0021673ab23249244119bde3c7fcecd4daa4e7f Mon Sep 17 00:00:00 2001
+From: Victor Boctor <vic...@mantishub.net>
+Date: Mon, 24 Nov 2014 20:54:51 -0800
+Subject: [PATCH] Improve validation for filter sort and direction
+
+Fixes #17841
+---
+ core/filter_api.php | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/core/filter_api.php b/core/filter_api.php
+index 7ec33d7..0667996 100644
+--- a/core/filter_api.php
++++ b/core/filter_api.php
+@@ -606,8 +606,20 @@ function filter_ensure_valid_filter( $p_filter_arr ) {
+ unset( $t_fields[$i] );
+ }
+ }
++
++ # Make sure array is no longer than 2 elements
+ $t_sort_fields = explode( ',', $p_filter_arr['sort'] );
++ if( count( $t_sort_fields ) > 2 ) {
++ $t_sort_fields = array_slice( $t_sort_fields, 0, 2 );
++ }
++
++ # Make sure array is no longer than 2 elements
+ $t_dir_fields = explode( ',', $p_filter_arr['dir'] );
++ if( count( $t_dir_fields ) > 2 ) {
++ $t_dir_fields = array_slice( $t_dir_fields, 0, 2 );
++ }
++
++ # Validate the max of two segments for $t_sort_fields and $t_dir_fields
+ for( $i = 0;$i < 2;$i++ ) {
+ if( isset( $t_sort_fields[$i] ) ) {
+ $t_drop = false;
Added: PKGBUILD
===================================================================
--- PKGBUILD (rev 0)
+++ PKGBUILD 2014-12-01 09:13:14 UTC (rev 123318)
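Review bot: The segment limit of two is written out four times in the added `if( count( ... ) > 2 )` blocks and a fifth time in the existing `for` loop, and the two added comments are word-for-word duplicates; since `array_slice()` returns a shorter array unchanged, each guarded block collapses to one line, `$t_sort_fields = array_slice( explode( ',', $p_filter_arr['sort'] ), 0, 2 );` and `$t_dir_fields = array_slice( explode( ',', $p_filter_arr['dir'] ), 0, 2 );`, which also makes the cap hard to get out of sync with the loop bound. The comment `# Validate the max of two segments ...` sits above a loop whose body runs past the end of the hunk, so what happens to a segment that fails validation (the `$t_drop` flag) cannot be checked here; the comment should say whether such a segment is dropped or the whole filter is reset. `filter_ensure_valid_filter()` starts and ends outside the hunk.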
@@ -0,0 +1,65 @@
+# $Id: PKGBUILD 123316 2014-12-01 09:07:07Z alucryd $
+# Maintainer: Maxime Gauduin <aluc...@archlinux.org>
+# Contributor: Alexander 'gridcol' Griesbaum <agr...@gmail.com>
+# Contributor: Ravenman <correo.cue...@gmail.com>
+# Contributor: Anton Bazhenov <anton.bazhenov@gmail>
+# Contributor: Angel 'angvp' Velasquez <an...@archlinux.com.ve>
+
+pkgname=mantisbt
+pkgver=1.2.17
+pkgrel=5
+pkgdesc='Web-based issue tracking system'
+arch=('any')
+url='http://www.mantisbt.org/'
+license=('GPL')
+depends=('php')
+optdepends=('apache: Web server to run MantisBT'
+ 'curl: Twitter integration'
+ 'gd: Graphs support'
+ 'lighttpd: Web server to run MantisBT'
+ 'mariadb: SQL database'
+ 'nginx: Web server to run MantisBT'
+ 'php-pgsql: PostgreSQL database')
+backup=('etc/webapps/mantisbt/config_inc.php')
+install='mantisbt.install'
+source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz"
+ 'CVE-2014-7146.patch'
+ 'CVE-2014-8554.patch'
+ 'CVE-2014-8598.patch'
+ 'CVE-2014-9089.patch'
+ 'fix-17742.patch'
+ 'fix-17870.patch')
+sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243'
+ '5660d838efa89f5cc391df902979faa024a26faa698ab0845a458bf3a5fdcd08'
+ '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908'
+ '3bfb9a6e118678f80a244ca13f527d5589da094491e910d95c53dd5c10d048ed'
+ '6ecb79495337243971945e95c7c1ed4264ed17b49d1fdc256fb3406f793d56a5'
+ 'b04ad80fe28ee8b247ec61433c6515e40ef6a4ca50f4aab039242858100efcca'
+ '9f879930bfe31baf7b8449de65123c96db5444187bc637bb45af57fc290bb7fc')
+
+prepare() {
+ cd mantisbt-${pkgver}
+
+ patch -Np1 -i ../CVE-2014-7146.patch
+ patch -Np1 -i ../CVE-2014-8554.patch
+ patch -Np1 -i ../CVE-2014-8598.patch
+ patch -Np1 -i ../CVE-2014-9089.patch
+ patch -Np1 -i ../fix-17742.patch
+ patch -Np1 -i ../fix-17870.patch
+}
+
+package() {
+ install -dm 755 "${pkgdir}"/{etc/webapps/mantisbt,usr/share/webapps}
+ cp -dr --no-preserve='ownership' mantisbt-${pkgver} 
"${pkgdir}"/usr/share/webapps/mantisbt
+
+ for f in {config_inc.php,custom_strings_inc.php,custom_constants_inc.php,custom_functions_inc.php}; do
+ ln -s /etc/webapps/mantisbt/${f} "${pkgdir}"/usr/share/webapps/mantisbt/
+ done
+ cp "${pkgdir}"/usr/share/webapps/mantisbt/config_inc.php.sample "${pkgdir}"/etc/webapps/mantisbt/config_inc.php
+
+ find "${pkgdir}" -type d -exec chmod 755 {} +
+ find "${pkgdir}" -type f -exec chmod 644 {} +
+ chown http:http -R "${pkgdir}"/usr/share/webapps/mantisbt
+}
+
+# vim: ts=2 sw=2 et:
Added: fix-17742.patch
===================================================================
--- fix-17742.patch (rev 0)
+++ fix-17742.patch 2014-12-01 09:13:14 UTC (rev 123318)
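Review bot: The final `chown http:http -R "${pkgdir}"/usr/share/webapps/mantisbt` in `package()` gives the web server user ownership of the whole application tree, so a PHP process running as `http` can rewrite MantisBT's own code; the `chmod 644`/`755` pass just before it does not prevent that, because the owner keeps write access. Keep the code tree root-owned and hand `http` ownership only of the directories the application must write to (the attachment upload location if on-disk storage is configured, which this PKGBUILD does not create), e.g. drop the recursive `chown` and document the expectation in `mantisbt.install`. The `/etc/webapps/mantisbt` directory that the `for f in {...}` loop symlinks into the webroot is created with `install -dm 755` and left root-owned, which is the right default for the config files.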
@@ -0,0 +1,31 @@
+From 5f0b150b79868ea9d791e2c46b45b3f41b410e50 Mon Sep 17 00:00:00 2001
+From: Paul Richards <p...@issue-track.org>
+Date: Thu, 30 Oct 2014 23:00:01 +0000
+Subject: [PATCH] Incorrect access check on attachment downloads
+
+Even if config variables $g_download_attachments_threshold and
+$g_view_attachments_threshold are set to 55 (developer), users with
+lower privileges can download attachments.
+
+Fixes #17742
+
+Signed-off-by: Damien Regad <dre...@mantisbt.org>
+---
+ core/file_api.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/file_api.php b/core/file_api.php
+index 16d9dd6..2dc260b 100644
+--- a/core/file_api.php
++++ b/core/file_api.php
+@@ -120,8 +120,8 @@ function file_can_view_bug_attachments( $p_bug_id, $p_uploader_user_id = null )
+ # Check if the current user can download attachments for the specified bug.
+ function file_can_download_bug_attachments( $p_bug_id, $p_uploader_user_id = null ) {
+ $t_uploaded_by_me = auth_get_current_user_id() === $p_uploader_user_id;
+- $t_can_download = access_has_bug_level( config_get( 'download_attachments_threshold' ), $p_bug_id );
+- $t_can_download = $t_can_download || ( $t_uploaded_by_me && config_get( 'allow_download_own_attachments' ) );
++ $t_can_download = access_has_bug_level( config_get( 'download_attachments_threshold', null, null, bug_get_field( $p_bug_id, 'project_id' ) ), $p_bug_id );
++ $t_can_download = $t_can_download || ( $t_uploaded_by_me && config_get( 'allow_download_own_attachments', null, null, bug_get_field( $p_bug_id, 'project_id' ) ) );
+ return $t_can_download;
+ }
+
Added: fix-17870.patch
===================================================================
--- fix-17870.patch (rev 0)
+++ fix-17870.patch 2014-12-01 09:13:14 UTC (rev 123318)
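Review bot: `bug_get_field( $p_bug_id, 'project_id' )` is now called twice inside `file_can_download_bug_attachments()`, once per `config_get()` argument list, which makes the two very long lines hard to compare and hides that both lookups must resolve the same project; hoist it once, `$t_project_id = bug_get_field( $p_bug_id, 'project_id' );`, then pass `$t_project_id` as the fourth argument to `config_get( 'download_attachments_threshold', ... )` and `config_get( 'allow_download_own_attachments', ... )`. A one-line comment should record the reason the project id is passed at all — `# Resolve both settings for the bug's own project, not the current project (#17742)` — because nothing in the new lines says why the default lookup was wrong. The hunk header names `file_can_view_bug_attachments()` just above, and the commit message says the view threshold has the same problem, but that function's body is outside the hunk so whether it received the same fix cannot be checked here.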
@@ -0,0 +1,24 @@
+From 49c3d0893091fb1bb6b92639e59a72203be0bc4a Mon Sep 17 00:00:00 2001
+From: Damien Regad <dre...@mantisbt.org>
+Date: Fri, 14 Nov 2014 22:55:47 +0100
+Subject: [PATCH] Fix #17870: XSS in adm_config_report.php
+
+This is the correct fix for this issue, using string_attribute() to
+escape the variable. Thanks to Paul Richards for pointing this out.
+---
+ adm_config_report.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/adm_config_report.php b/adm_config_report.php
+index 79ace81..d762491 100644
+--- a/adm_config_report.php
++++ b/adm_config_report.php
+@@ -480,7 +480,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
+ </td>
+ <td>
+ <input type="text" name="config_option"
+- value="<?php echo $t_edit_option; ?>"
++ value="<?php echo string_attribute( $t_edit_option ); ?>"
+ size="64" maxlength="64" />
+ </td>
+ </tr>