[arch-commits] Commit in mantisbt/trunk (CVE-2014-8554.patch PKGBUILD)

Wed Nov 5 15:34:50 UTC 2014

Date: Wednesday, November 5, 2014 @ 16:34:50
  Author: alucryd
Revision: 121959

FS#42683: mantisbt 1.2.17-3

Added:
  mantisbt/trunk/CVE-2014-8554.patch
Modified:
  mantisbt/trunk/PKGBUILD

---------------------+
 CVE-2014-8554.patch |   35 +++++++++++++++++++++++++++++++++++
 PKGBUILD            |   14 +++++++++++---
 2 files changed, 46 insertions(+), 3 deletions(-)

Added: CVE-2014-8554.patch
===================================================================

--- CVE-2014-8554.patch	                        (rev 0)
+++ CVE-2014-8554.patch	2014-11-05 15:34:50 UTC (rev 121959)
@@ -0,0 +1,35 @@
+From 99ffb0afaff3409d0eaec78ac963214da0d2a079 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad at mantisbt.org>
+Date: Thu, 30 Oct 2014 15:31:36 +0100
+Subject: [PATCH] SQL injection in mc_project_get_attachments()
+
+This is a follow-up on CVE-2014-1609 / issue #16880.
+
+Edwin Gozeling and Wim Visser from ITsec Security Services BV
+(http://www.itsec.nl) discovered that the fix in #16880 did not fully
+address the problem. Their research demonstrate that using a specially
+crafted project id parameter, an attacker could still perform an SQL
+injection.
+
+The same issue was also reported by Paul Richards in issue #17823.
+
+This patch fixes the problem by typecasting the Project ID parameter
+to Integer.
+
+Fixes #17812, CVE-2014-8554
+---
+ api/soap/mc_project_api.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
+index 8e6aae9..fe57b7b 100644
+--- a/api/soap/mc_project_api.php
++++ b/api/soap/mc_project_api.php
+@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
+ 		return mci_soap_fault_login_failed();
+ 	}
+ 
++	$p_project_id = (int)$p_project_id;
+ 	$g_project_override = $p_project_id;
+ 
+ 	# Check if project documentation feature is enabled.

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-11-05 15:23:45 UTC (rev 121958)
+++ PKGBUILD	2014-11-05 15:34:50 UTC (rev 121959)
@@ -7,7 +7,7 @@
 
 pkgname=mantisbt
 pkgver=1.2.17
-pkgrel=2
+pkgrel=3
 pkgdesc='Web-based issue tracking system'
 arch=('any')
 url='http://www.mantisbt.org/'
@@ -22,9 +22,17 @@
             'php-pgsql: PostgreSQL database')
 backup=('etc/webapps/mantisbt/config_inc.php')
 install='mantisbt.install'
-source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz")
-sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243')
+source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz"
+        'CVE-2014-8554.patch')
+sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243'
+            '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908')
 
+prepare() {
+  cd mantisbt-${pkgver}
+
+  patch -Np1 -i ../CVE-2014-8554.patch
+}
+
 package() {
   install -dm 755 "${pkgdir}"/{etc,usr/share}/webapps/mantisbt
   cp -dr --no-preserve='ownership' mantisbt-${pkgver}/* "${pkgdir}"/usr/share/webapps/mantisbt

