[mantis/f13/master] Add a couple security related patches

Gianluca Sforna giallu at fedoraproject.org
Sat Dec 18 00:18:33 UTC 2010


commit b8838a756d563d93b2bf78a21a3e25428848fbaa
Author: Gianluca Sforna <giallu at gmail.com>
Date:   Sat Dec 18 01:12:04 2010 +0100

    Add a couple security related patches

 mantis-1.1.8-CVE-2010-4348-4349-4350.patch |   55 ++++++++++++++++++++++++++++
 mantis-1.1.8-XSS_in_summary_page.patch     |   30 +++++++++++++++
 mantis.spec                                |   22 ++++++++----
 3 files changed, 100 insertions(+), 7 deletions(-)
---
diff --git a/mantis-1.1.8-CVE-2010-4348-4349-4350.patch b/mantis-1.1.8-CVE-2010-4348-4349-4350.patch
new file mode 100644
index 0000000..f14e458
--- /dev/null
+++ b/mantis-1.1.8-CVE-2010-4348-4349-4350.patch
@@ -0,0 +1,55 @@
+From: David Hicks <hickseydr at optusnet.com.au>
+Date: Tue, 14 Dec 2010 23:40:32 +0000 (+1100)
+Subject: Fix #12607: LFI/PD/XSS in upgrade_unattended.php
+X-Git-Url: http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590
+
+Fix #12607: LFI/PD/XSS in upgrade_unattended.php
+
+This is a backport of the fix applied to the 1.2.x and 1.3.x branches.
+
+Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
+of vulnerabilities in the admin/upgrade_unattended.php script.
+
+Earlier patches by Victor Boctor (MantisBT developer) resolved the
+issue. This patch enhances those changes to strengthen the security of
+this script even further.
+
+Please note that the "admin" directory SHOULD BE DELETED AFTER
+INSTALLATION on all live instances of MantisBT.
+---
+
+diff --git a/admin/upgrade_unattended.php b/admin/upgrade_unattended.php
+index b3add39..7ede9c1 100644
+--- a/admin/upgrade_unattended.php
++++ b/admin/upgrade_unattended.php
+@@ -32,6 +32,16 @@
+ 
+ 	$g_failed = false;
+ 
++	/* This script is probably meant to be executed from PHP CLI and hence should
++	 * not be interpreted as text/html. However saying that, we do call gpc_
++	 * functions that only make sense in PHP CGI mode. Given this mismatch we'll
++	 * just assume for now that this script is meant to be used from PHP CGI and
++	 * the output is meant to be text/plain. We also need to prevent Internet
++	 * Explorer from ignoring our MIME type and using it's own MIME sniffing.
++	 */
++	header( 'Content-Type: text/plain;' );
++	header( 'X-Content-Type-Options: nosniff' );
++
+ 	# -------
+ 	# print test result
+ 	function print_test_result( $p_result, $p_hard_fail=true, $p_message='' ) {
+@@ -99,6 +109,12 @@
+ 	$f_db_exists = gpc_get_bool( 'db_exists', false );
+ 
+ 	# install the tables
++	if ( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
++	     !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $f_db_type . '.inc.php' ) ) {
++		echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
++		exit;
++	}
++
+ 	$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
+ 	require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
+ 	$g_db = ADONewConnection( $f_db_type );
+
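Review bot: The allow-list check inserted before `$GLOBALS['g_db_type'] = $f_db_type;` anchors the pattern with `$`, which in PCRE also matches before a trailing newline, so a value such as `mysql` followed by a newline satisfies the regex and is rejected only by the subsequent `file_exists()` probe; anchoring with `\z` (or adding the `D` modifier), `if ( !preg_match( '/^[a-zA-Z0-9_]+\z/', $f_db_type ) ||`, makes the pattern self-sufficient rather than dependent on the filesystem check. In the first hunk, `header( 'Content-Type: text/plain;' );` carries a stray trailing semicolon that yields an empty parameter on the header; `header( 'Content-Type: text/plain' );` is the clean form. The `htmlspecialchars()` on the rejection message is harmless under text/plain but no longer needed once the type is fixed. The surrounding script body, including the later `ADONewConnection` handling, continues outside the hunk.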
diff --git a/mantis-1.1.8-XSS_in_summary_page.patch b/mantis-1.1.8-XSS_in_summary_page.patch
new file mode 100644
index 0000000..94a9ec5
--- /dev/null
+++ b/mantis-1.1.8-XSS_in_summary_page.patch
@@ -0,0 +1,30 @@
+commit 78d1449e8094b2c4a3e052bd11fe58fb9bad11b5
+Author: Gianluca Sforna <giallu at gmail.com>
+Date:   Thu Oct 7 12:31:09 2010 +0200
+
+    Fix #12432: XSS issues when viewing Summary page
+    
+    Backport of commit c58a678 for bug 12309
+
+diff --git a/core/summary_api.php b/core/summary_api.php
+index fc4ab8e..07e5c4d 100644
+--- a/core/summary_api.php
++++ b/core/summary_api.php
+@@ -322,7 +322,7 @@
+ 			if ( $t_count++ == 10 ) break;
+ 
+ 			$t_bugid = string_get_bug_view_link( $row['id'] );
+-			$t_summary = string_html_specialchars( $row['summary'] );
++			$t_summary = string_display_line( $row['summary'] );
+ 			$t_notescount = $row['count'];
+ 
+ 			print "<tr " . helper_alternate_class() . ">\n";
+@@ -362,7 +362,7 @@
+ 			if ( $t_count++ == 10 ) break;
+ 
+ 			$t_bugid = string_get_bug_view_link( $row['id'] );
+-			$t_summary = $row['summary'];
++			$t_summary = string_display_line( $row['summary'] );
+ 			$t_days_open = intval ( ( time() - strtotime( $row['date_submitted'] ) ) / 86400 );
+ 
+ 			print "<tr " . helper_alternate_class() . ">\n";
diff --git a/mantis.spec b/mantis.spec
index 99f70f4..0a28b92 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -6,7 +6,7 @@
 Summary:    Web-based issue tracking system
 Name:       mantis
 Version:    1.1.8
-Release:    4%{?dist}
+Release:    5%{?dist}
 License:    GPLv2+
 Group:      Applications/Internet
 URL:        http://www.mantisbt.org/
@@ -23,6 +23,8 @@ Patch3:     mantis-1.1.8-use_systems_nusoap.patch
 Patch4:     0001-Fix-12369-XSS-vulnerability-when-deleting-maliciousl.patch
 Patch5:     0002-Fix-12370-Multiple-XSS-issues-with-custom-field-enum.patch
 Patch6:     0003-Fix-12371-XSS-in-print_all_bug_page_word.php-project.patch
+Patch7:     mantis-1.1.8-XSS_in_summary_page.patch
+Patch8:     mantis-1.1.8-CVE-2010-4348-4349-4350.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -43,11 +45,10 @@ Requires:   mod_ssl
 
 
 %description
-Mantis is a web-based bugtracking system. 
-It is written in the PHP scripting language and requires the MySQL
-database and a webserver. Mantis has been installed on Windows, MacOS,
-OS/2, and a variety of Unix operating systems. Any web browser should
-be able to function as a client. 
+Mantis is a free popular web-based issue tracking system.
+It is written in the PHP scripting language and works with MySQL, MS SQL,
+and PostgreSQL databases and a web server.
+Almost any web browser should be able to function as a client. 
 
 Documentation can be found in: %{docdir}
 
@@ -57,7 +58,7 @@ additional configuration steps; these are described in:
 
 
 %description config-httpd
-Mantis is a web-based bugtracking system.
+Mantis is a web-based issue tracking system.
 This package contains configuration-files for Apache httpd 2.
 
 
@@ -70,6 +71,8 @@ This package contains configuration-files for Apache httpd 2.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 cp %{SOURCE1} ./doc/README.Fedora
 rm .gitignore
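Review bot: Applying `%patch8` here hardens admin/upgrade_unattended.php, but that patch's own header states the admin directory should be deleted after installation on live instances, and nothing in the hunks shown carries that guidance into the package; since `cp %{SOURCE1} ./doc/README.Fedora` is the next line, a sentence in README.Fedora (or a deny rule for the admin path in the config-httpd subpackage) would be the natural place, though the rest of the spec is not visible here to confirm it is not already handled. The %prep section continues outside the hunk.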
@@ -158,6 +161,11 @@ rm -rf "${RPM_BUILD_ROOT}"
 
 
 %changelog
+* Sat Dec 17 2010 Gianluca Sforna <giallu at gmail.com> - 1.1.8.5
+- Updated description (#638942)
+- Fix CVE-2010-3763 (#640746)
+- Fix CVE-2010-4348, CVE-2010-4349, CVE-2010-4350 (#663299, #663230)
+
 * Mon Sep 20 2010 Gianluca Sforna <giallu at gmail.com> - 1.1.8-4
 - Fix CVE-2010-3070 using system's NuSOAP (#633011)
 - Fix CVE-2010-2574 and CVE-2010-3303 (#633003 #634340)
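Review bot: The new changelog entry is tagged `1.1.8.5` while every other entry and the Release field use the `version-release` form, so it should read `* Sat Dec 18 2010 Gianluca Sforna <giallu at gmail.com> - 1.1.8-5`. The weekday also disagrees with the day: 17 Dec 2010 was a Friday, and the commit itself is dated Sat Dec 18, so either the weekday or the day number is off and rpmlint will flag it. The CVE-2010-3763 line maps to the summary-page XSS patch only by inference; naming the patch or upstream bug (#12432) in the entry would make the audit trail explicit.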

