[arch-commits] Commit in mantisbt/trunk (CVE-2014-8986.patch PKGBUILD)

Maxime Gauduin alucryd at archlinux.org
Tue Feb 17 10:45:14 UTC 2015 

    Date: Tuesday, February 17, 2015 @ 11:45:13
  Author: alucryd
Revision: 127839

FS#43841: mantisbt 1.2.19-2

Added:
  mantisbt/trunk/CVE-2014-8986.patch
Modified:
  mantisbt/trunk/PKGBUILD

---------------------+
 CVE-2014-8986.patch |   20 ++++++++++++++++++++
 PKGBUILD            |   14 +++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

Added: CVE-2014-8986.patch
===================================================================
--- CVE-2014-8986.patch	                        (rev 0)
+++ CVE-2014-8986.patch	2015-02-17 10:45:13 UTC (rev 127839)
@@ -0,0 +1,20 @@
+diff -rupN mantisbt-1.2.19.orig/adm_config_report.php mantisbt-1.2.19/adm_config_report.php
+--- mantisbt-1.2.19.orig/adm_config_report.php	2015-02-17 11:36:02.025998608 +0100
++++ mantisbt-1.2.19/adm_config_report.php	2015-02-17 11:42:22.122773322 +0100
+@@ -159,6 +159,16 @@
+ 		}
+ 	}
+ 
++	if( !is_blank( $t_filter_config_value ) && (int)$t_filter_config_value !== META_FILTER_NONE ) {
++		// check that config value exists
++		if( @config_get_global( $t_filter_config_value ) === null ) {
++			$t_cookie_path = config_get( 'cookie_path' );
++			gpc_clear_cookie( $t_cookie_name, $t_cookie_path );
++
++			trigger_error( ERROR_GENERIC, ERROR );
++		}
++	}
++
+ 	# Get config edit values
+ 	$t_edit_user_id         = gpc_get_int( 'user_id', $t_filter_user_value == META_FILTER_NONE ? ALL_USERS : $t_filter_user_value );
+ 	$t_edit_project_id      = gpc_get_int( 'project_id', $t_filter_project_value == META_FILTER_NONE ? ALL_PROJECTS : $t_filter_project_value );

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-02-17 10:05:48 UTC (rev 127838)
+++ PKGBUILD	2015-02-17 10:45:13 UTC (rev 127839)
@@ -7,7 +7,7 @@
 
 pkgname=mantisbt
 pkgver=1.2.19
-pkgrel=1
+pkgrel=2
 pkgdesc='Web-based issue tracking system'
 arch=('any')
 url='http://www.mantisbt.org/'
@@ -22,9 +22,17 @@
             'php-pgsql: PostgreSQL database')
 backup=('etc/webapps/mantisbt/config_inc.php')
 install='mantisbt.install'
-source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz")
-sha256sums=('0814d2113de4a53498bb67fa531ca36dee821e5c22df150deb75dc918eed86de')
+source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz"
+        'CVE-2014-8986.patch')
+sha256sums=('0814d2113de4a53498bb67fa531ca36dee821e5c22df150deb75dc918eed86de'
+            '9e1b5bb831e6bbbfa8c3a61e91c339928b428147bcf609d2abca78b67140c6ab')
 
+prepare() {
+  cd mantisbt-${pkgver}
+
+  patch -Np1 -i ../CVE-2014-8986.patch
+}
+
 package() {
   install -dm 755 "${pkgdir}"/{etc/webapps/mantisbt,usr/share/webapps}
   cp -dr --no-preserve='ownership' mantisbt-${pkgver} "${pkgdir}"/usr/share/webapps/mantisbt

More information about the arch-commits mailing list