Date: Tuesday, February 17, 2015 @ 11:45:13
  Author: alucryd
Revision: 127839

FS#43841: mantisbt 1.2.19-2

Added:
  mantisbt/trunk/CVE-2014-8986.patch
Modified:
  mantisbt/trunk/PKGBUILD

---------------------+
 CVE-2014-8986.patch |   20 ++++++++++++++++++++
 PKGBUILD            |   14 +++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

Added: CVE-2014-8986.patch
===================================================================
--- CVE-2014-8986.patch                         (rev 0)
+++ CVE-2014-8986.patch 2015-02-17 10:45:13 UTC (rev 127839)
@@ -0,0 +1,20 @@
+diff -rupN mantisbt-1.2.19.orig/adm_config_report.php 
mantisbt-1.2.19/adm_config_report.php
+--- mantisbt-1.2.19.orig/adm_config_report.php 2015-02-17 11:36:02.025998608 
+0100
++++ mantisbt-1.2.19/adm_config_report.php      2015-02-17 11:42:22.122773322 
+0100
+@@ -159,6 +159,16 @@
+               }
+       }
+ 
++      if( !is_blank( $t_filter_config_value ) && (int)$t_filter_config_value 
!== META_FILTER_NONE ) {
++              // check that config value exists
++              if( @config_get_global( $t_filter_config_value ) === null ) {
++                      $t_cookie_path = config_get( 'cookie_path' );
++                      gpc_clear_cookie( $t_cookie_name, $t_cookie_path );
++
++                      trigger_error( ERROR_GENERIC, ERROR );
++              }
++      }
++
+       # Get config edit values
+       $t_edit_user_id         = gpc_get_int( 'user_id', $t_filter_user_value 
== META_FILTER_NONE ? ALL_USERS : $t_filter_user_value );
+       $t_edit_project_id      = gpc_get_int( 'project_id', 
$t_filter_project_value == META_FILTER_NONE ? ALL_PROJECTS : 
$t_filter_project_value );
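Review bot: The check `@config_get_global( $t_filter_config_value ) === null` is the only validation the filter value gets in this hunk, and the `@` hides whatever the lookup raises, so a reader cannot see why an unknown option ends up as null. I would put a comment above it such as `// unknown option names apparently come back as null once the lookup warning is suppressed; reject them so only existing config options pass the filter`, and mention there that an option whose global value really is null would be rejected too. The cookie is cleared before `trigger_error`, presumably so a bad stored value does not raise the error again on every page load; that ordering is worth a word in the same comment. The code that prints the filter value lies outside this hunk, so it should be confirmed that it is HTML-escaped at the output site rather than relying on this existence check alone.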

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2015-02-17 10:05:48 UTC (rev 127838)
+++ PKGBUILD    2015-02-17 10:45:13 UTC (rev 127839)
@@ -7,7 +7,7 @@
 
 pkgname=mantisbt
 pkgver=1.2.19
-pkgrel=1
+pkgrel=2
 pkgdesc='Web-based issue tracking system'
 arch=('any')
 url='http://www.mantisbt.org/'
@@ -22,9 +22,17 @@
             'php-pgsql: PostgreSQL database')
 backup=('etc/webapps/mantisbt/config_inc.php')
 install='mantisbt.install'
-source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz";)
-sha256sums=('0814d2113de4a53498bb67fa531ca36dee821e5c22df150deb75dc918eed86de')
+source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz";
+        'CVE-2014-8986.patch')
+sha256sums=('0814d2113de4a53498bb67fa531ca36dee821e5c22df150deb75dc918eed86de'
+            '9e1b5bb831e6bbbfa8c3a61e91c339928b428147bcf609d2abca78b67140c6ab')
 
+prepare() {
+  cd mantisbt-${pkgver}
+
+  patch -Np1 -i ../CVE-2014-8986.patch
+}
+
 package() {
   install -dm 755 "${pkgdir}"/{etc/webapps/mantisbt,usr/share/webapps}
   cp -dr --no-preserve='ownership' mantisbt-${pkgver} 
"${pkgdir}"/usr/share/webapps/mantisbt
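Review bot: Nothing in the new `source` and `prepare()` lines records where `CVE-2014-8986.patch` came from, so the added checksum pins the file's bytes but not its provenance. A comment above `prepare()` such as `# Backport for CVE-2014-8986 (FS#43841); drop once a release containing the fix is packaged` would let a later maintainer compare the patch with upstream and know when to remove it. The tarball is still fetched over plain `http://`, which leaves its `sha256sums` entry as the only integrity check on that download. As a style point, `cd mantisbt-${pkgver}` is unquoted while `package()` quotes `"${pkgdir}"`; `cd "mantisbt-${pkgver}"` would be consistent. The body of `package()` continues outside the hunk.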
