[mantis/f13/master] Add a couple security related patches
Gianluca Sforna
giallu at fedoraproject.org
Sat Dec 18 00:18:33 UTC 2010
commit b8838a756d563d93b2bf78a21a3e25428848fbaa
Author: Gianluca Sforna <giallu at gmail.com>
Date: Sat Dec 18 01:12:04 2010 +0100
Add a couple security related patches
mantis-1.1.8-CVE-2010-4348-4349-4350.patch | 55 ++++++++++++++++++++++++++++
mantis-1.1.8-XSS_in_summary_page.patch | 30 +++++++++++++++
mantis.spec | 22 ++++++++----
3 files changed, 100 insertions(+), 7 deletions(-)
---
diff --git a/mantis-1.1.8-CVE-2010-4348-4349-4350.patch b/mantis-1.1.8-CVE-2010-4348-4349-4350.patch
new file mode 100644
index 0000000..f14e458
--- /dev/null
+++ b/mantis-1.1.8-CVE-2010-4348-4349-4350.patch
@@ -0,0 +1,55 @@
+From: David Hicks <hickseydr at optusnet.com.au>
+Date: Tue, 14 Dec 2010 23:40:32 +0000 (+1100)
+Subject: Fix #12607: LFI/PD/XSS in upgrade_unattended.php
+X-Git-Url: http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590
+
+Fix #12607: LFI/PD/XSS in upgrade_unattended.php
+
+This is a backport of the fix applied to the 1.2.x and 1.3.x branches.
+
+Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
+of vulnerabilities in the admin/upgrade_unattended.php script.
+
+Earlier patches by Victor Boctor (MantisBT developer) resolved the
+issue. This patch enhances those changes to strengthen the security of
+this script even further.
+
+Please note that the "admin" directory SHOULD BE DELETED AFTER
+INSTALLATION on all live instances of MantisBT.
+---
+
+diff --git a/admin/upgrade_unattended.php b/admin/upgrade_unattended.php
+index b3add39..7ede9c1 100644
+--- a/admin/upgrade_unattended.php
++++ b/admin/upgrade_unattended.php
+@@ -32,6 +32,16 @@
+
+ $g_failed = false;
+
++ /* This script is probably meant to be executed from PHP CLI and hence should
++ * not be interpreted as text/html. However saying that, we do call gpc_
++ * functions that only make sense in PHP CGI mode. Given this mismatch we'll
++ * just assume for now that this script is meant to be used from PHP CGI and
++ * the output is meant to be text/plain. We also need to prevent Internet
++ * Explorer from ignoring our MIME type and using it's own MIME sniffing.
++ */
++ header( 'Content-Type: text/plain;' );
++ header( 'X-Content-Type-Options: nosniff' );
++
+ # -------
+ # print test result
+ function print_test_result( $p_result, $p_hard_fail=true, $p_message='' ) {
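Review bot: the `Content-Type: text/plain;` value ends in a dangling semicolon with no parameter, which is not valid media-type syntax even though browsers tolerate it; either drop the `;` or send `text/plain; charset=utf-8`. Both `header()` calls only take effect if nothing has been output yet, so any byte echoed before this point would produce a "headers already sent" warning and leave the `nosniff` protection unset. Minor: "it's own MIME sniffing" in the comment should read "its own".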
+@@ -99,6 +109,12 @@
+ $f_db_exists = gpc_get_bool( 'db_exists', false );
+
+ # install the tables
++ if ( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
++ !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $f_db_type . '.inc.php' ) ) {
++ echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
++ exit;
++ }
++
+ $GLOBALS['g_db_type'] = $f_db_type; # database_api references this
+ require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
+ $g_db = ADONewConnection( $f_db_type );
+
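Review bot: the allow-list check on `$f_db_type` is the right approach, but `/^[a-zA-Z0-9_]+$/` without the `D` modifier lets `$` match before a trailing newline, so a value such as "mysql\n" passes the regex and only the `file_exists()` test stops it; use `/^[a-zA-Z0-9_]+$/D` (or `\z`) so the regex alone is sufficient. With the script now declaring `text/plain`, the `htmlspecialchars()` in the error message is harmless defence in depth rather than necessary. The check is correctly placed before `$GLOBALS['g_db_type']` is assigned and before `schema.php` is required.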
diff --git a/mantis-1.1.8-XSS_in_summary_page.patch b/mantis-1.1.8-XSS_in_summary_page.patch
new file mode 100644
index 0000000..94a9ec5
--- /dev/null
+++ b/mantis-1.1.8-XSS_in_summary_page.patch
@@ -0,0 +1,30 @@
+commit 78d1449e8094b2c4a3e052bd11fe58fb9bad11b5
+Author: Gianluca Sforna <giallu at gmail.com>
+Date: Thu Oct 7 12:31:09 2010 +0200
+
+ Fix #12432: XSS issues when viewing Summary page
+
+ Backport of commit c58a678 for bug 12309
+
+diff --git a/core/summary_api.php b/core/summary_api.php
+index fc4ab8e..07e5c4d 100644
+--- a/core/summary_api.php
++++ b/core/summary_api.php
+@@ -322,7 +322,7 @@
+ if ( $t_count++ == 10 ) break;
+
+ $t_bugid = string_get_bug_view_link( $row['id'] );
+- $t_summary = string_html_specialchars( $row['summary'] );
++ $t_summary = string_display_line( $row['summary'] );
+ $t_notescount = $row['count'];
+
+ print "<tr " . helper_alternate_class() . ">\n";
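Review bot: `$t_summary` in this hunk was already escaped by `string_html_specialchars()`, so swapping in `string_display_line()` is a consistency change rather than the XSS fix itself; the 1.1.8 behaviour of `string_display_line()` is not visible in the patch, so the backport should confirm it HTML-escapes its input before returning, otherwise this hunk weakens rather than strengthens the output.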
+@@ -362,7 +362,7 @@
+ if ( $t_count++ == 10 ) break;
+
+ $t_bugid = string_get_bug_view_link( $row['id'] );
+- $t_summary = $row['summary'];
++ $t_summary = string_display_line( $row['summary'] );
+ $t_days_open = intval ( ( time() - strtotime( $row['date_submitted'] ) ) / 86400 );
+
+ print "<tr " . helper_alternate_class() . ">\n";
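Review bot: this is the hunk that removes the raw `$row['summary']`, so it carries the actual fix for #12432; the commit message would be clearer if it said only this site was unescaped. `$t_bugid` from `string_get_bug_view_link()` is printed into the same row and is assumed to return already-safe HTML; a one-line comment stating that assumption would help the next backport.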
diff --git a/mantis.spec b/mantis.spec
index 99f70f4..0a28b92 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -6,7 +6,7 @@
Summary: Web-based issue tracking system
Name: mantis
Version: 1.1.8
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: Applications/Internet
URL: http://www.mantisbt.org/
@@ -23,6 +23,8 @@ Patch3: mantis-1.1.8-use_systems_nusoap.patch
Patch4: 0001-Fix-12369-XSS-vulnerability-when-deleting-maliciousl.patch
Patch5: 0002-Fix-12370-Multiple-XSS-issues-with-custom-field-enum.patch
Patch6: 0003-Fix-12371-XSS-in-print_all_bug_page_word.php-project.patch
+Patch7: mantis-1.1.8-XSS_in_summary_page.patch
+Patch8: mantis-1.1.8-CVE-2010-4348-4349-4350.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
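Review bot: Patch7 and Patch8 use the `mantis-1.1.8-<topic>.patch` naming while Patch4 to Patch6 keep their upstream `000N-Fix-NNNNN-...` names; the Patch8 file name lists three CVE ids but the embedded upstream commit references only #12607, so a spec comment next to Patch8 recording the upstream commit (2641fdc6) would make the provenance traceable.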
@@ -43,11 +45,10 @@ Requires: mod_ssl
%description
-Mantis is a web-based bugtracking system.
-It is written in the PHP scripting language and requires the MySQL
-database and a webserver. Mantis has been installed on Windows, MacOS,
-OS/2, and a variety of Unix operating systems. Any web browser should
-be able to function as a client.
+Mantis is a free popular web-based issue tracking system.
+It is written in the PHP scripting language and works with MySQL, MS SQL,
+and PostgreSQL databases and a web server.
+Almost any web browser should be able to function as a client.
Documentation can be found in: %{docdir}
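Review bot: "a free popular web-based issue tracking system" needs a comma: "a free, popular web-based issue tracking system".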
@@ -57,7 +58,7 @@ additional configuration steps; these are described in:
%description config-httpd
-Mantis is a web-based bugtracking system.
+Mantis is a web-based issue tracking system.
This package contains configuration-files for Apache httpd 2.
@@ -70,6 +71,8 @@ This package contains configuration-files for Apache httpd 2.
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
+%patch8 -p1
cp %{SOURCE1} ./doc/README.Fedora
rm .gitignore
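Review bot: the embedded upstream commit for Patch8 states that the `admin` directory should be deleted after installation on live instances; since `upgrade_unattended.php` lives there, it is worth checking whether `%files` ships `admin/` and, if so, adding that advice to `README.Fedora` (copied just above) so the packaged instance is not left with the script reachable.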
@@ -158,6 +161,11 @@ rm -rf "${RPM_BUILD_ROOT}"
%changelog
+* Sat Dec 17 2010 Gianluca Sforna <giallu at gmail.com> - 1.1.8.5
+- Updated description (#638942)
+- Fix CVE-2010-3763 (#640746)
+- Fix CVE-2010-4348, CVE-2010-4349, CVE-2010-4350 (#663299, #663230)
+
* Mon Sep 20 2010 Gianluca Sforna <giallu at gmail.com> - 1.1.8-4
- Fix CVE-2010-3070 using system's NuSOAP (#633011)
- Fix CVE-2010-2574 and CVE-2010-3303 (#633003 #634340)
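Review bot: the new changelog entry has a day/date mismatch, Dec 17 2010 is a Friday (the commit itself is dated Sat Dec 18), which rpmbuild flags as a bogus date; and the version string `1.1.8.5` should be `1.1.8-5` to match the `Release: 5%{?dist}` tag and the `1.1.8-4` form of the previous entry.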