[arch-commits] Commit in mantisbt/repos/community-any (5 files)

Maxime Gauduin alucryd at archlinux.org
Mon Dec 1 09:13:15 UTC 2014


    Date: Monday, December 1, 2014 @ 10:13:14
  Author: alucryd
Revision: 123318

SVN did it again...

Added:
  mantisbt/repos/community-any/CVE-2014-8554.patch
  mantisbt/repos/community-any/CVE-2014-9089.patch
  mantisbt/repos/community-any/PKGBUILD
  mantisbt/repos/community-any/fix-17742.patch
  mantisbt/repos/community-any/fix-17870.patch

---------------------+
 CVE-2014-8554.patch |   35 ++++++++++++++++++++++++++
 CVE-2014-9089.patch |   35 ++++++++++++++++++++++++++
 PKGBUILD            |   65 ++++++++++++++++++++++++++++++++++++++++++++++++++
 fix-17742.patch     |   31 +++++++++++++++++++++++
 fix-17870.patch     |   24 ++++++++++++++++++
 5 files changed, 190 insertions(+)

Added: CVE-2014-8554.patch
===================================================================
--- CVE-2014-8554.patch	                        (rev 0)
+++ CVE-2014-8554.patch	2014-12-01 09:13:14 UTC (rev 123318)
@@ -0,0 +1,35 @@
+From 99ffb0afaff3409d0eaec78ac963214da0d2a079 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad at mantisbt.org>
+Date: Thu, 30 Oct 2014 15:31:36 +0100
+Subject: [PATCH] SQL injection in mc_project_get_attachments()
+
+This is a follow-up on CVE-2014-1609 / issue #16880.
+
+Edwin Gozeling and Wim Visser from ITsec Security Services BV
+(http://www.itsec.nl) discovered that the fix in #16880 did not fully
+address the problem. Their research demonstrate that using a specially
+crafted project id parameter, an attacker could still perform an SQL
+injection.
+
+The same issue was also reported by Paul Richards in issue #17823.
+
+This patch fixes the problem by typecasting the Project ID parameter
+to Integer.
+
+Fixes #17812, CVE-2014-8554
+---
+ api/soap/mc_project_api.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
+index 8e6aae9..fe57b7b 100644
+--- a/api/soap/mc_project_api.php
++++ b/api/soap/mc_project_api.php
+@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
+ 		return mci_soap_fault_login_failed();
+ 	}
+ 
++	$p_project_id = (int)$p_project_id;
+ 	$g_project_override = $p_project_id;
+ 
+ 	# Check if project documentation feature is enabled.
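Review bot: The cast on `$p_project_id = (int)$p_project_id;` is the entire fix, yet nothing in the hunk records why it is there, so a later refactor that moves or drops the line would silently reopen the injection the patch subject describes. I would add `# Force an integer: the raw SOAP project id reached SQL unsanitised (CVE-2014-8554, #17812)` directly above the cast. Note also that `(int)` maps any non-numeric input to 0 rather than rejecting it, so whether a project id of 0 is handled sensibly depends on the rest of `mc_project_get_attachments()`, which lies outside the hunk.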

Added: CVE-2014-9089.patch
===================================================================
--- CVE-2014-9089.patch	                        (rev 0)
+++ CVE-2014-9089.patch	2014-12-01 09:13:14 UTC (rev 123318)
@@ -0,0 +1,35 @@
+From b0021673ab23249244119bde3c7fcecd4daa4e7f Mon Sep 17 00:00:00 2001
+From: Victor Boctor <victor at mantishub.net>
+Date: Mon, 24 Nov 2014 20:54:51 -0800
+Subject: [PATCH] Improve validation for filter sort and direction
+
+Fixes #17841
+---
+ core/filter_api.php | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/core/filter_api.php b/core/filter_api.php
+index 7ec33d7..0667996 100644
+--- a/core/filter_api.php
++++ b/core/filter_api.php
+@@ -606,8 +606,20 @@ function filter_ensure_valid_filter( $p_filter_arr ) {
+ 			unset( $t_fields[$i] );
+ 		}
+ 	}
++
++	# Make sure array is no longer than 2 elements
+ 	$t_sort_fields = explode( ',', $p_filter_arr['sort'] );
++	if( count( $t_sort_fields ) > 2 ) {
++		$t_sort_fields = array_slice( $t_sort_fields, 0, 2 );
++	}
++
++	# Make sure array is no longer than 2 elements
+ 	$t_dir_fields = explode( ',', $p_filter_arr['dir'] );
++	if( count( $t_dir_fields ) > 2 ) {
++		$t_dir_fields = array_slice( $t_dir_fields, 0, 2 );
++	}
++
++	# Validate the max of two segments for $t_sort_fields and $t_dir_fields
+ 	for( $i = 0;$i < 2;$i++ ) {
+ 		if( isset( $t_sort_fields[$i] ) ) {
+ 			$t_drop = false;
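Review bot: The two new comments say the arrays are capped at two entries but not why, and the why is the security property: the validation loop that follows (`for( $i = 0;$i < 2;$i++ )`) only ever inspects indices 0 and 1, so any third or later `sort`/`dir` segment was never examined here before this change. I would replace each `# Make sure array is no longer than 2 elements` with `# Cap at two entries: the loop below validates only indices 0 and 1, so extra segments would never be checked`. As a point of style the `count()` guard is redundant, since `array_slice()` on a shorter array is a no-op, so `$t_sort_fields = array_slice( explode( ',', $p_filter_arr['sort'] ), 0, 2 );` expresses the same thing in one line (likewise for `dir`). `filter_ensure_valid_filter()` begins and ends outside the hunk.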

Added: PKGBUILD
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2014-12-01 09:13:14 UTC (rev 123318)
@@ -0,0 +1,65 @@
+# $Id: PKGBUILD 123316 2014-12-01 09:07:07Z alucryd $
+# Maintainer: Maxime Gauduin <alucryd at archlinux.org>
+# Contributor: Alexander 'gridcol' Griesbaum <agrsbm at gmail.com>
+# Contributor: Ravenman <correo.cuervo at gmail.com>
+# Contributor: Anton Bazhenov <anton.bazhenov at gmail>
+# Contributor: Angel 'angvp' Velasquez <angvp at archlinux.com.ve>
+
+pkgname=mantisbt
+pkgver=1.2.17
+pkgrel=5
+pkgdesc='Web-based issue tracking system'
+arch=('any')
+url='http://www.mantisbt.org/'
+license=('GPL')
+depends=('php')
+optdepends=('apache: Web server to run MantisBT'
+            'curl: Twitter integration'
+            'gd: Graphs support'
+            'lighttpd: Web server to run MantisBT'
+            'mariadb: SQL database'
+            'nginx: Web server to run MantisBT'
+            'php-pgsql: PostgreSQL database')
+backup=('etc/webapps/mantisbt/config_inc.php')
+install='mantisbt.install'
+source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz"
+        'CVE-2014-7146.patch'
+        'CVE-2014-8554.patch'
+        'CVE-2014-8598.patch'
+        'CVE-2014-9089.patch'
+        'fix-17742.patch'
+        'fix-17870.patch')
+sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243'
+            '5660d838efa89f5cc391df902979faa024a26faa698ab0845a458bf3a5fdcd08'
+            '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908'
+            '3bfb9a6e118678f80a244ca13f527d5589da094491e910d95c53dd5c10d048ed'
+            '6ecb79495337243971945e95c7c1ed4264ed17b49d1fdc256fb3406f793d56a5'
+            'b04ad80fe28ee8b247ec61433c6515e40ef6a4ca50f4aab039242858100efcca'
+            '9f879930bfe31baf7b8449de65123c96db5444187bc637bb45af57fc290bb7fc')
+
+prepare() {
+  cd mantisbt-${pkgver}
+
+  patch -Np1 -i ../CVE-2014-7146.patch
+  patch -Np1 -i ../CVE-2014-8554.patch
+  patch -Np1 -i ../CVE-2014-8598.patch
+  patch -Np1 -i ../CVE-2014-9089.patch
+  patch -Np1 -i ../fix-17742.patch
+  patch -Np1 -i ../fix-17870.patch
+}
+
+package() {
+  install -dm 755 "${pkgdir}"/{etc/webapps/mantisbt,usr/share/webapps}
+  cp -dr --no-preserve='ownership' mantisbt-${pkgver} "${pkgdir}"/usr/share/webapps/mantisbt
+
+  for f in {config_inc.php,custom_strings_inc.php,custom_constants_inc.php,custom_functions_inc.php}; do
+    ln -s /etc/webapps/mantisbt/${f} "${pkgdir}"/usr/share/webapps/mantisbt/
+  done
+  cp "${pkgdir}"/usr/share/webapps/mantisbt/config_inc.php.sample "${pkgdir}"/etc/webapps/mantisbt/config_inc.php
+
+  find "${pkgdir}" -type d -exec chmod 755 {} +
+  find "${pkgdir}" -type f -exec chmod 644 {} +
+  chown http:http -R "${pkgdir}"/usr/share/webapps/mantisbt
+}
+
+# vim: ts=2 sw=2 et:
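Review bot: `chown http:http -R "${pkgdir}"/usr/share/webapps/mantisbt` hands the entire application tree, PHP sources included, to the account the web server runs as, so any MantisBT flaw that yields a file write as that user lets an attacker rewrite the shipped PHP and persist across requests. Keep the code root-owned at 644/755 (the two `find … chmod` lines already establish that) and `chown http:http` only the directories MantisBT must write at runtime, if any, from the `.install` script or a tmpfiles.d entry. Separately, `source=()` and `prepare()` reference `CVE-2014-7146.patch` and `CVE-2014-8598.patch`, which are not among the five files this revision adds, so `makepkg` will fail on missing local sources unless those files already exist in `community-any` from an earlier revision.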

Added: fix-17742.patch
===================================================================
--- fix-17742.patch	                        (rev 0)
+++ fix-17742.patch	2014-12-01 09:13:14 UTC (rev 123318)
@@ -0,0 +1,31 @@
+From 5f0b150b79868ea9d791e2c46b45b3f41b410e50 Mon Sep 17 00:00:00 2001
+From: Paul Richards <paul at issue-track.org>
+Date: Thu, 30 Oct 2014 23:00:01 +0000
+Subject: [PATCH] Incorrect access check on attachment downloads
+
+Even if config variables $g_download_attachments_threshold and
+$g_view_attachments_threshold are set to 55 (developer), users with
+lower privileges can download attachments.
+
+Fixes #17742
+
+Signed-off-by: Damien Regad <dregad at mantisbt.org>
+---
+ core/file_api.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/file_api.php b/core/file_api.php
+index 16d9dd6..2dc260b 100644
+--- a/core/file_api.php
++++ b/core/file_api.php
+@@ -120,8 +120,8 @@ function file_can_view_bug_attachments( $p_bug_id, $p_uploader_user_id = null )
+ # Check if the current user can download attachments for the specified bug.
+ function file_can_download_bug_attachments( $p_bug_id, $p_uploader_user_id = null ) {
+ 	$t_uploaded_by_me = auth_get_current_user_id() === $p_uploader_user_id;
+-	$t_can_download = access_has_bug_level( config_get( 'download_attachments_threshold' ), $p_bug_id );
+-	$t_can_download = $t_can_download || ( $t_uploaded_by_me && config_get( 'allow_download_own_attachments' ) );
++	$t_can_download = access_has_bug_level( config_get( 'download_attachments_threshold', null, null, bug_get_field( $p_bug_id, 'project_id' ) ), $p_bug_id );
++	$t_can_download = $t_can_download || ( $t_uploaded_by_me && config_get( 'allow_download_own_attachments', null, null, bug_get_field( $p_bug_id, 'project_id' ) ) );
+ 	return $t_can_download;
+ }
+ 

Added: fix-17870.patch
===================================================================
--- fix-17870.patch	                        (rev 0)
+++ fix-17870.patch	2014-12-01 09:13:14 UTC (rev 123318)
@@ -0,0 +1,24 @@
+From 49c3d0893091fb1bb6b92639e59a72203be0bc4a Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad at mantisbt.org>
+Date: Fri, 14 Nov 2014 22:55:47 +0100
+Subject: [PATCH] Fix #17870: XSS in adm_config_report.php
+
+This is the correct fix for this issue, using string_attribute() to
+escape the variable. Thanks to Paul Richards for pointing this out.
+---
+ adm_config_report.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/adm_config_report.php b/adm_config_report.php
+index 79ace81..d762491 100644
+--- a/adm_config_report.php
++++ b/adm_config_report.php
+@@ -480,7 +480,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
+ 	</td>
+ 	<td>
+ 		<input type="text" name="config_option"
+-			value="<?php echo $t_edit_option; ?>"
++			value="<?php echo string_attribute( $t_edit_option ); ?>"
+ 			size="64" maxlength="64" />
+ 	</td>
+ </tr>
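Review bot: `string_attribute()` is the appropriate escaper for a value inside a double-quoted HTML attribute, but the hunk shows only this one echo of `$t_edit_option`; if the same template prints it elsewhere (outside the hunk, so not visible here), each such spot needs the escape for its own context or the XSS the patch title names remains reachable there. A one-line comment such as `<?php /* escape: config_option is user-influenced and lands in a quoted attribute (#17870) */ ?>` above the input would make the intent survive the next edit to this form.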


