tags 669927 +patch
thanks
Hi,
Attached you'll find a possible patch for CVE-2012-1122.
Description: Fix for CVE-2012-1122: Incorrect access checks performed when
moving bugs between projects
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13748
Bug-Debian: http://bugs.debian.org/669927
Origin:
https://github.com/mantisbt/mantisbt/commit/64af3ef8c0b43bd007664d84e0177716daac4a84
Last-Update: 2012-04-21
Note: Needs some testing!
Regards,
--
Dario Minnucci mid...@debian.org
Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 80745
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
Description: Fix for CVE-2012-1122: Incorrect access checks performed when moving bugs between projects
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13748
Bug-Debian: http://bugs.debian.org/669927
Origin: https://github.com/mantisbt/mantisbt/commit/64af3ef8c0b43bd007664d84e0177716daac4a84
Last-Update: 2012-04-21
Index: mantis/bug_actiongroup.php
===
--- mantis.orig/bug_actiongroup.php 2012-04-21 22:16:58.760666308 +0200
+++ mantis/bug_actiongroup.php 2012-04-21 22:20:42.921354198 +0200
@@ -96,7 +96,8 @@
break;
case 'MOVE':
- if ( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) ) {
+ if( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id )
+access_has_project_level( config_get( 'report_bug_threshold', null, null, $f_project_id ), $f_project_id ) ) {
# @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) );
$f_project_id = gpc_get_int( 'project_id' );
bug_set_field( $t_bug_id, 'project_id', $f_project_id );
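Review bot: In the new condition on the second `+` line, `$f_project_id` is read by `access_has_project_level( config_get( 'report_bug_threshold', null, null, $f_project_id ), $f_project_id )`, but the only assignment visible in this hunk, `$f_project_id = gpc_get_int( 'project_id' );`, still sits inside the block, after the check. Unless the variable is set earlier, outside the lines shown, the destination-project check runs against an undefined value instead of the project requested. Move the `gpc_get_int( 'project_id' )` line above the `if` so the threshold lookup and the access check both see the target project. Separately, as posted the two `+` lines carry no operator between `access_has_bug_level( ... )` and `access_has_project_level( ... )`; they need to be joined with `&&` so that both the move threshold on the bug and the report threshold on the destination project are required. Given the "Needs some testing!" note, a test with a user who has move rights in the source project but no report rights in the destination would confirm that the move is refused.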