Date: Monday, December 8, 2014 @ 09:32:49 Author: alucryd Revision: 123623
upgpkg: mantisbt 1.2.18-1 Modified: mantisbt/trunk/PKGBUILD Deleted: mantisbt/trunk/CVE-2014-7146.patch mantisbt/trunk/CVE-2014-8554.patch mantisbt/trunk/CVE-2014-8598.patch mantisbt/trunk/CVE-2014-9089.patch mantisbt/trunk/fix-17742.patch mantisbt/trunk/fix-17870.patch ---------------------+ CVE-2014-7146.patch | 65 ---------------- CVE-2014-8554.patch | 35 -------- CVE-2014-8598.patch | 203 -------------------------------------------------- CVE-2014-9089.patch | 35 -------- PKGBUILD | 31 ------- fix-17742.patch | 31 ------- fix-17870.patch | 24 ----- 7 files changed, 4 insertions(+), 420 deletions(-) Deleted: CVE-2014-7146.patch =================================================================== --- CVE-2014-7146.patch 2014-12-08 05:41:55 UTC (rev 123622) +++ CVE-2014-7146.patch 2014-12-08 08:32:49 UTC (rev 123623) 
@@ -1,65 +0,0 @@ -From bed19db954359043515300c995ebc40ebb97265a Mon Sep 17 00:00:00 2001 -From: Damien Regad <[email protected]> -Date: Sat, 1 Nov 2014 19:45:47 +0100 -Subject: [PATCH] XML Import: Fix php code injection vulnerability - -Egidio Romano discovered a vulnerability in the XML import plugin. - -User input passed through the "description" field (and the "issuelink" -attribute) of the uploaded XML file isn't properly sanitized before -being used in a call to the preg_replace() function which uses the 'e' -modifier. This can be exploited to inject and execute arbitrary PHP code -when the Import/Export plugin is installed. - -This fix is a partial backport from a master branch commit which has -been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8) -excluding changes not relevant to fixing the security issue, including -subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211, -4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b). - -Fixes #17725 (CVE-2014-7146) ---- - plugins/XmlImportExport/ImportXml.php | 29 ++++++++++++++++++++--------- - 1 file changed, 20 insertions(+), 9 deletions(-) - -diff --git a/plugins/XmlImportExport/ImportXml.php b/plugins/XmlImportExport/ImportXml.php -index 590f898..09ccc8d 100644 ---- a/plugins/XmlImportExport/ImportXml.php -+++ b/plugins/XmlImportExport/ImportXml.php -@@ -102,16 +102,27 @@ public function import( ) { - - echo " Done\n"; - -- $importedIssues = $this->itemsMap_->getall( 'issue' ); -- printf( "Processing cross-references for %s issues...", count( $importedIssues ) ); -- foreach( $importedIssues as $oldId => $newId ) { -- $bugData = bug_get( $newId, true ); -- -- $bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e'; -- $replacement = '"\\1" . 
$this->getReplacementString( "\\2", "\\3" )'; -+ # replace bug references -+ $t_imported_issues = $this->itemsMap_->getall( 'issue' ); -+ printf( 'Processing cross-references for %s issues...', count( $t_imported_issues ) ); -+ foreach( $t_imported_issues as $t_old_id => $t_new_id ) { -+ $t_bug = bug_get( $t_new_id, true ); -+ $t_content_replaced = false; -+ $t_bug_link_regexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/'; -+ -+ # replace links in description -+ preg_match_all( $t_bug_link_regexp, $t_bug->description, $t_matches ); -+ if( is_array( $t_matches[3] ) && count( $t_matches[3] ) > 0 ) { -+ $t_content_replaced = true; -+ foreach ( $t_matches[3] as $t_old_id2 ) { -+ $t_bug->description = str_replace( $this->source_->issuelink . $t_old_id2, $this->getReplacementString( $this->source_->issuelink, $t_old_id2 ), $t_bug->description ); -+ } -+ } - -- $bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description ); -- $bugData->update( true, true ); -+ if( $t_content_replaced ) { -+ # only update bug if necessary (otherwise last update date would be unnecessarily overwritten) -+ $t_bug->update( true ); -+ } - } - echo " Done\n"; - } Deleted: CVE-2014-8554.patch =================================================================== --- CVE-2014-8554.patch 2014-12-08 05:41:55 UTC (rev 123622) +++ CVE-2014-8554.patch 2014-12-08 08:32:49 UTC (rev 123623) 
@@ -1,35 +0,0 @@ -From 99ffb0afaff3409d0eaec78ac963214da0d2a079 Mon Sep 17 00:00:00 2001 -From: Damien Regad <[email protected]> -Date: Thu, 30 Oct 2014 15:31:36 +0100 -Subject: [PATCH] SQL injection in mc_project_get_attachments() - -This is a follow-up on CVE-2014-1609 / issue #16880. - -Edwin Gozeling and Wim Visser from ITsec Security Services BV -(http://www.itsec.nl) discovered that the fix in #16880 did not fully -address the problem. Their research demonstrate that using a specially -crafted project id parameter, an attacker could still perform an SQL -injection. - -The same issue was also reported by Paul Richards in issue #17823. - -This patch fixes the problem by typecasting the Project ID parameter -to Integer. - -Fixes #17812, CVE-2014-8554 ---- - api/soap/mc_project_api.php | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php -index 8e6aae9..fe57b7b 100644 ---- a/api/soap/mc_project_api.php -+++ b/api/soap/mc_project_api.php -@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) { - return mci_soap_fault_login_failed(); - } - -+ $p_project_id = (int)$p_project_id; - $g_project_override = $p_project_id; - - # Check if project documentation feature is enabled. Deleted: CVE-2014-8598.patch =================================================================== --- CVE-2014-8598.patch 2014-12-08 05:41:55 UTC (rev 123622) +++ CVE-2014-8598.patch 2014-12-08 08:32:49 UTC (rev 123623) 
@@ -1,203 +0,0 @@ -From 80a15487cda89afb00ce866da8e24d76808dcdb4 Mon Sep 17 00:00:00 2001 -From: Damien Regad <[email protected]> -Date: Fri, 17 Oct 2014 17:21:25 +0200 -Subject: [PATCH] XML plugin: Add config page with access thresholds - -Prior to this, any user of a MantisBT instance with the XML -Import/Export plugin enabled and knowing the URL to the plugin's import -page could upload an XML file and insert data without restriction, -regardless of their access level. - -This vulnerability is particularly dangerous when used in combination -with the one described in issue #17725 (CVE-2014-7146) as it makes for a -very simple and easily accessible vector for PHP code injection attacks. - -There was also no access check when exporting data, which could allow an -attacker to gain access to confidential information (disclosure of all -bug-related data, including usernames). - -Fixes #17780 (CVE-2014-8598) ---- - plugins/XmlImportExport/XmlImportExport.php | 16 +++++++- - plugins/XmlImportExport/lang/strings_english.txt | 7 ++++ - plugins/XmlImportExport/pages/config.php | 27 +++++++++++++ - plugins/XmlImportExport/pages/config_page.php | 48 ++++++++++++++++++++++++ - plugins/XmlImportExport/pages/export.php | 2 + - plugins/XmlImportExport/pages/import.php | 2 + - 6 files changed, 101 insertions(+), 1 deletion(-) - create mode 100644 plugins/XmlImportExport/pages/config.php - create mode 100644 plugins/XmlImportExport/pages/config_page.php - -diff --git a/plugins/XmlImportExport/XmlImportExport.php b/plugins/XmlImportExport/XmlImportExport.php -index 63e254e..20ea3c2 100644 ---- a/plugins/XmlImportExport/XmlImportExport.php -+++ b/plugins/XmlImportExport/XmlImportExport.php -@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin { - function register( ) { - $this->name = plugin_lang_get( 'title' ); - $this->description = plugin_lang_get( 'description' ); -- $this->page = ''; -+ $this->page = "config_page"; - - $this->version = '1.0'; - $this->requires = 
array( -@@ -54,6 +54,17 @@ function register( ) { - /** - * Default plugin configuration. - */ -+ public function config() { -+ return array( -+ "import_threshold" => ADMINISTRATOR, -+ "export_threshold" => DEVELOPER, -+ ); -+ } -+ -+ /** -+ * Plugin hooks -+ * @return array -+ */ - function hooks( ) { - $hooks = array( - 'EVENT_MENU_MANAGE' => 'import_issues_menu', -@@ -67,6 +78,9 @@ function import_issues_menu( ) { - } - - function export_issues_menu( ) { -+ if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) { -+ return array(); -+ } - return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', ); - } - -diff --git a/plugins/XmlImportExport/lang/strings_english.txt b/plugins/XmlImportExport/lang/strings_english.txt -index 775ad76..e595228 100644 ---- a/plugins/XmlImportExport/lang/strings_english.txt -+++ b/plugins/XmlImportExport/lang/strings_english.txt -@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi - $s_plugin_XmlImportExport_import = 'Import issues'; - $s_plugin_XmlImportExport_export = 'XML Export'; - -+$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration'; -+$s_plugin_XmlImportExport_import_threshold = 'Import issues'; -+$s_plugin_XmlImportExport_export_threshold = 'Export issues'; -+ -+$s_plugin_XmlImportExport_action_update = 'Update'; -+ - $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:'; -+ - $s_plugin_XmlImportExport_import_options = 'Import options'; - - $s_plugin_XmlImportExport_cross_references = 'Cross references'; -diff --git a/plugins/XmlImportExport/pages/config.php b/plugins/XmlImportExport/pages/config.php -new file mode 100644 -index 0000000..19587c8 ---- /dev/null -+++ b/plugins/XmlImportExport/pages/config.php -@@ -0,0 +1,27 @@ -+<?php -+# Copyright (c) 2014 MantisBT Team - [email protected] -+# Licensed under the MIT license -+ -+form_security_validate( 
'plugin_XmlImportExport_config' ); -+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) ); -+ -+/** -+ * Sets plugin config option if value is different from current/default -+ * @param string $p_name option name -+ * @param string $p_value value to set -+ * @return void -+ */ -+function config_set_if_needed( $p_name, $p_value ) { -+ if ( $p_value != plugin_config_get( $p_name ) ) { -+ plugin_config_set( $p_name, $p_value ); -+ } -+} -+ -+$t_redirect_url = plugin_page( 'config_page', true ); -+ -+config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) ); -+config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) ); -+ -+form_security_purge( 'plugin_XmlImportExport_config' ); -+ -+print_successful_redirect( $t_redirect_url ); -diff --git a/plugins/XmlImportExport/pages/config_page.php b/plugins/XmlImportExport/pages/config_page.php -new file mode 100644 -index 0000000..7c678af ---- /dev/null -+++ b/plugins/XmlImportExport/pages/config_page.php -@@ -0,0 +1,48 @@ -+<?php -+# Copyright (c) 2014 MantisBT Team - [email protected] -+# Licensed under the MIT license -+ -+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) ); -+ -+html_page_top(); -+//print_manage_menu(); -+?> -+ -+<br /> -+<form action="<?php echo plugin_page( 'config' ) ?>" method="post"> -+<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?> -+<table class="width60" align="center"> -+ -+<tr> -+<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td> -+</tr> -+ -+<tr <?php echo helper_alternate_class() ?>> -+<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td> -+<td><select name="import_threshold"><?php -+ print_enum_string_option_list( -+ 'access_levels', -+ plugin_config_get( 'import_threshold' ) -+ ); -+ ?></select></td> -+</tr> -+ -+<tr <?php echo helper_alternate_class() ?>> -+<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td> 
-+<td><select name="export_threshold"><?php -+ print_enum_string_option_list( -+ 'access_levels', -+ plugin_config_get( 'export_threshold' ) -+ ); -+ ?></select></td> -+</tr> -+ -+<tr> -+<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td> -+</tr> -+ -+</table> -+</form> -+ -+<?php -+html_page_bottom(); -diff --git a/plugins/XmlImportExport/pages/export.php b/plugins/XmlImportExport/pages/export.php -index 061b135..aac3bbf 100644 ---- a/plugins/XmlImportExport/pages/export.php -+++ b/plugins/XmlImportExport/pages/export.php -@@ -20,6 +20,8 @@ - - require_once( 'core.php' ); - -+access_ensure_project_level( plugin_config_get( 'export_threshold' ) ); -+ - auth_ensure_user_authenticated( ); - helper_begin_long_process( ); - -diff --git a/plugins/XmlImportExport/pages/import.php b/plugins/XmlImportExport/pages/import.php -index cd7721f..6740727 100644 ---- a/plugins/XmlImportExport/pages/import.php -+++ b/plugins/XmlImportExport/pages/import.php -@@ -14,6 +14,8 @@ - # You should have received a copy of the GNU General Public License - # along with MantisBT. If not, see <http://www.gnu.org/licenses/>. - -+access_ensure_project_level( plugin_config_get( 'import_threshold' ) ); -+ - auth_reauthenticate( ); - - html_page_top( plugin_lang_get( 'import' ) ); Deleted: CVE-2014-9089.patch =================================================================== --- CVE-2014-9089.patch 2014-12-08 05:41:55 UTC (rev 123622) +++ CVE-2014-9089.patch 2014-12-08 08:32:49 UTC (rev 123623) 
@@ -1,35 +0,0 @@ -From b0021673ab23249244119bde3c7fcecd4daa4e7f Mon Sep 17 00:00:00 2001 -From: Victor Boctor <[email protected]> -Date: Mon, 24 Nov 2014 20:54:51 -0800 -Subject: [PATCH] Improve validation for filter sort and direction - -Fixes #17841 ---- - core/filter_api.php | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/core/filter_api.php b/core/filter_api.php -index 7ec33d7..0667996 100644 ---- a/core/filter_api.php -+++ b/core/filter_api.php -@@ -606,8 +606,20 @@ function filter_ensure_valid_filter( $p_filter_arr ) { - unset( $t_fields[$i] ); - } - } -+ -+ # Make sure array is no longer than 2 elements - $t_sort_fields = explode( ',', $p_filter_arr['sort'] ); -+ if( count( $t_sort_fields ) > 2 ) { -+ $t_sort_fields = array_slice( $t_sort_fields, 0, 2 ); -+ } -+ -+ # Make sure array is no longer than 2 elements - $t_dir_fields = explode( ',', $p_filter_arr['dir'] ); -+ if( count( $t_dir_fields ) > 2 ) { -+ $t_dir_fields = array_slice( $t_dir_fields, 0, 2 ); -+ } -+ -+ # Validate the max of two segments for $t_sort_fields and $t_dir_fields - for( $i = 0;$i < 2;$i++ ) { - if( isset( $t_sort_fields[$i] ) ) { - $t_drop = false; Modified: PKGBUILD =================================================================== --- PKGBUILD 2014-12-08 05:41:55 UTC (rev 123622) +++ PKGBUILD 2014-12-08 08:32:49 UTC (rev 123623) @@ -6,8 +6,8 @@ # Contributor: Angel 'angvp' Velasquez <[email protected]> pkgname=mantisbt -pkgver=1.2.17 -pkgrel=5 +pkgver=1.2.18 +pkgrel=1 pkgdesc='Web-based issue tracking system' arch=('any') url='http://www.mantisbt.org/' 
@@ -22,32 +22,9 @@ 'php-pgsql: PostgreSQL database') backup=('etc/webapps/mantisbt/config_inc.php') install='mantisbt.install' -source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz" - 'CVE-2014-7146.patch' - 'CVE-2014-8554.patch' - 'CVE-2014-8598.patch' - 'CVE-2014-9089.patch' - 'fix-17742.patch' - 'fix-17870.patch') -sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243' - '5660d838efa89f5cc391df902979faa024a26faa698ab0845a458bf3a5fdcd08' - '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908' - '3bfb9a6e118678f80a244ca13f527d5589da094491e910d95c53dd5c10d048ed' - '6ecb79495337243971945e95c7c1ed4264ed17b49d1fdc256fb3406f793d56a5' - 'b04ad80fe28ee8b247ec61433c6515e40ef6a4ca50f4aab039242858100efcca' - '9f879930bfe31baf7b8449de65123c96db5444187bc637bb45af57fc290bb7fc') +source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz") +sha256sums=('80d2787cbedcb3ca1c724a6c5b33d4d66046ce8f991da82e91a09c4b00ddb93d') -prepare() { - cd mantisbt-${pkgver} - - patch -Np1 -i ../CVE-2014-7146.patch - patch -Np1 -i ../CVE-2014-8554.patch - patch -Np1 -i ../CVE-2014-8598.patch - patch -Np1 -i ../CVE-2014-9089.patch - patch -Np1 -i ../fix-17742.patch - patch -Np1 -i ../fix-17870.patch -} - package() { install -dm 755 "${pkgdir}"/{etc/webapps/mantisbt,usr/share/webapps} cp -dr --no-preserve='ownership' mantisbt-${pkgver} "${pkgdir}"/usr/share/webapps/mantisbt Deleted: fix-17742.patch =================================================================== --- fix-17742.patch 2014-12-08 05:41:55 UTC (rev 123622) +++ fix-17742.patch 2014-12-08 08:32:49 UTC (rev 123623) 
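Review bot: In the PKGBUILD hunk `@@ -22,32 +22,9 @@`, the new `source=` line still fetches the tarball over plain `http://`, so the single `sha256sums` entry is the only integrity control and is only as trustworthy as the copy the packager hashed. If the mirror serves the file over TLS, `source=("https://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz")` is the smallest change; otherwise the new hash should be checked against an independently obtained copy of the release. The same hunk drops all six carried patches together with `prepare()`, and nothing on this page shows that 1.2.18 contains each of those fixes. That should be confirmed against the upstream release notes and stated in the commit message, for example `upgpkg: mantisbt 1.2.18-1 (carried CVE and bug-fix patches merged upstream)`.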
@@ -1,31 +0,0 @@ -From 5f0b150b79868ea9d791e2c46b45b3f41b410e50 Mon Sep 17 00:00:00 2001 -From: Paul Richards <[email protected]> -Date: Thu, 30 Oct 2014 23:00:01 +0000 -Subject: [PATCH] Incorrect access check on attachment downloads - -Even if config variables $g_download_attachments_threshold and -$g_view_attachments_threshold are set to 55 (developer), users with -lower privileges can download attachments. - -Fixes #17742 - -Signed-off-by: Damien Regad <[email protected]> ---- - core/file_api.php | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/core/file_api.php b/core/file_api.php -index 16d9dd6..2dc260b 100644 ---- a/core/file_api.php -+++ b/core/file_api.php -@@ -120,8 +120,8 @@ function file_can_view_bug_attachments( $p_bug_id, $p_uploader_user_id = null ) - # Check if the current user can download attachments for the specified bug. - function file_can_download_bug_attachments( $p_bug_id, $p_uploader_user_id = null ) { - $t_uploaded_by_me = auth_get_current_user_id() === $p_uploader_user_id; -- $t_can_download = access_has_bug_level( config_get( 'download_attachments_threshold' ), $p_bug_id ); -- $t_can_download = $t_can_download || ( $t_uploaded_by_me && config_get( 'allow_download_own_attachments' ) ); -+ $t_can_download = access_has_bug_level( config_get( 'download_attachments_threshold', null, null, bug_get_field( $p_bug_id, 'project_id' ) ), $p_bug_id ); -+ $t_can_download = $t_can_download || ( $t_uploaded_by_me && config_get( 'allow_download_own_attachments', null, null, bug_get_field( $p_bug_id, 'project_id' ) ) ); - return $t_can_download; - } - Deleted: fix-17870.patch =================================================================== --- fix-17870.patch 2014-12-08 05:41:55 UTC (rev 123622) +++ fix-17870.patch 2014-12-08 08:32:49 UTC (rev 123623) 
@@ -1,24 +0,0 @@ -From 49c3d0893091fb1bb6b92639e59a72203be0bc4a Mon Sep 17 00:00:00 2001 -From: Damien Regad <[email protected]> -Date: Fri, 14 Nov 2014 22:55:47 +0100 -Subject: [PATCH] Fix #17870: XSS in adm_config_report.php - -This is the correct fix for this issue, using string_attribute() to -escape the variable. Thanks to Paul Richards for pointing this out. ---- - adm_config_report.php | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/adm_config_report.php b/adm_config_report.php -index 79ace81..d762491 100644 ---- a/adm_config_report.php -+++ b/adm_config_report.php -@@ -480,7 +480,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) { - </td> - <td> - <input type="text" name="config_option" -- value="<?php echo $t_edit_option; ?>" -+ value="<?php echo string_attribute( $t_edit_option ); ?>" - size="64" maxlength="64" /> - </td> - </tr>
