giallu pushed to mantis (el5). "new upstream release, fixes several security issues"
notifications at fedoraproject.org
notifications at fedoraproject.org
Tue Apr 7 13:32:56 UTC 2015
>From 9525ad1b48b7a3e627905110669eaf965ed77c2b Mon Sep 17 00:00:00 2001
From: Gianluca Sforna <giallu at gmail.com>
Date: Tue, 9 Dec 2014 10:36:53 +0100
Subject: new upstream release, fixes several security issues
diff --git a/.gitignore b/.gitignore
index 526d8f0..0bb4046 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ mantisbt-1.1.8.tar.gz
/mantisbt-1.2.14.tar.gz
/mantisbt-1.2.15.tar.gz
/mantisbt-1.2.17.tar.gz
+/mantisbt-1.2.18.tar.gz
diff --git a/mantis-1.2.17-fix-CVE-2014-7146.patch b/mantis-1.2.17-fix-CVE-2014-7146.patch
deleted file mode 100644
index 9603bb1..0000000
--- a/mantis-1.2.17-fix-CVE-2014-7146.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-commit bed19db954359043515300c995ebc40ebb97265a
-Author: Damien Regad <dregad at mantisbt.org>
-Date: Sat Nov 1 19:45:47 2014 +0100
-
- XML Import: Fix php code injection vulnerability
-
- Egidio Romano discovered a vulnerability in the XML import plugin.
-
- User input passed through the "description" field (and the "issuelink"
- attribute) of the uploaded XML file isn't properly sanitized before
- being used in a call to the preg_replace() function which uses the 'e'
- modifier. This can be exploited to inject and execute arbitrary PHP code
- when the Import/Export plugin is installed.
-
- This fix is a partial backport from a master branch commit which has
- been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8)
- excluding changes not relevant to fixing the security issue, including
- subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
- 4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).
-
- Fixes #17725 (CVE-2014-7146)
-
-diff --git a/plugins/XmlImportExport/ImportXml.php b/plugins/XmlImportExport/ImportXml.php
-index 590f898..09ccc8d 100644
---- a/plugins/XmlImportExport/ImportXml.php
-+++ b/plugins/XmlImportExport/ImportXml.php
-@@ -102,16 +102,27 @@ class ImportXML {
-
- echo " Done\n";
-
-- $importedIssues = $this->itemsMap_->getall( 'issue' );
-- printf( "Processing cross-references for %s issues...", count( $importedIssues ) );
-- foreach( $importedIssues as $oldId => $newId ) {
-- $bugData = bug_get( $newId, true );
--
-- $bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e';
-- $replacement = '"\\1" . $this->getReplacementString( "\\2", "\\3" )';
-+ # replace bug references
-+ $t_imported_issues = $this->itemsMap_->getall( 'issue' );
-+ printf( 'Processing cross-references for %s issues...', count( $t_imported_issues ) );
-+ foreach( $t_imported_issues as $t_old_id => $t_new_id ) {
-+ $t_bug = bug_get( $t_new_id, true );
-+ $t_content_replaced = false;
-+ $t_bug_link_regexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/';
-+
-+ # replace links in description
-+ preg_match_all( $t_bug_link_regexp, $t_bug->description, $t_matches );
-+ if( is_array( $t_matches[3] ) && count( $t_matches[3] ) > 0 ) {
-+ $t_content_replaced = true;
-+ foreach ( $t_matches[3] as $t_old_id2 ) {
-+ $t_bug->description = str_replace( $this->source_->issuelink . $t_old_id2, $this->getReplacementString( $this->source_->issuelink, $t_old_id2 ), $t_bug->description );
-+ }
-+ }
-
-- $bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description );
-- $bugData->update( true, true );
-+ if( $t_content_replaced ) {
-+ # only update bug if necessary (otherwise last update date would be unnecessarily overwritten)
-+ $t_bug->update( true );
-+ }
- }
- echo " Done\n";
- }
diff --git a/mantis-1.2.17-fix-CVE-2014-8554.patch b/mantis-1.2.17-fix-CVE-2014-8554.patch
deleted file mode 100644
index ef8b35a..0000000
--- a/mantis-1.2.17-fix-CVE-2014-8554.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-commit 99ffb0afaff3409d0eaec78ac963214da0d2a079
-Author: Damien Regad <dregad at mantisbt.org>
-Date: Thu Oct 30 15:31:36 2014 +0100
-
- SQL injection in mc_project_get_attachments()
-
- This is a follow-up on CVE-2014-1609 / issue #16880.
-
- Edwin Gozeling and Wim Visser from ITsec Security Services BV
- (http://www.itsec.nl) discovered that the fix in #16880 did not fully
- address the problem. Their research demonstrate that using a specially
- crafted project id parameter, an attacker could still perform an SQL
- injection.
-
- The same issue was also reported by Paul Richards in issue #17823.
-
- This patch fixes the problem by typecasting the Project ID parameter
- to Integer.
-
- Fixes #17812, CVE-2014-8554
-
-diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
-index 8e6aae9..fe57b7b 100644
---- a/api/soap/mc_project_api.php
-+++ b/api/soap/mc_project_api.php
-@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
- return mci_soap_fault_login_failed();
- }
-
-+ $p_project_id = (int)$p_project_id;
- $g_project_override = $p_project_id;
-
- # Check if project documentation feature is enabled.
diff --git a/mantis-1.2.17-fix-CVE-2014-8598.patch b/mantis-1.2.17-fix-CVE-2014-8598.patch
deleted file mode 100644
index f9442d7..0000000
--- a/mantis-1.2.17-fix-CVE-2014-8598.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-commit 80a15487cda89afb00ce866da8e24d76808dcdb4
-Author: Damien Regad <dregad at mantisbt.org>
-Date: Fri Oct 17 17:21:25 2014 +0200
-
- XML plugin: Add config page with access thresholds
-
- Prior to this, any user of a MantisBT instance with the XML
- Import/Export plugin enabled and knowing the URL to the plugin's import
- page could upload an XML file and insert data without restriction,
- regardless of their access level.
-
- This vulnerability is particularly dangerous when used in combination
- with the one described in issue #17725 (CVE-2014-7146) as it makes for a
- very simple and easily accessible vector for PHP code injection attacks.
-
- There was also no access check when exporting data, which could allow an
- attacker to gain access to confidential information (disclosure of all
- bug-related data, including usernames).
-
- Fixes #17780 (CVE-2014-8598)
-
-diff --git a/plugins/XmlImportExport/XmlImportExport.php b/plugins/XmlImportExport/XmlImportExport.php
-index 63e254e..20ea3c2 100644
---- a/plugins/XmlImportExport/XmlImportExport.php
-+++ b/plugins/XmlImportExport/XmlImportExport.php
-@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
- function register( ) {
- $this->name = plugin_lang_get( 'title' );
- $this->description = plugin_lang_get( 'description' );
-- $this->page = '';
-+ $this->page = "config_page";
-
- $this->version = '1.0';
- $this->requires = array(
-@@ -54,6 +54,17 @@ class XmlImportExportPlugin extends MantisPlugin {
- /**
- * Default plugin configuration.
- */
-+ public function config() {
-+ return array(
-+ "import_threshold" => ADMINISTRATOR,
-+ "export_threshold" => DEVELOPER,
-+ );
-+ }
-+
-+ /**
-+ * Plugin hooks
-+ * @return array
-+ */
- function hooks( ) {
- $hooks = array(
- 'EVENT_MENU_MANAGE' => 'import_issues_menu',
-@@ -67,6 +78,9 @@ class XmlImportExportPlugin extends MantisPlugin {
- }
-
- function export_issues_menu( ) {
-+ if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
-+ return array();
-+ }
- return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
- }
-
-diff --git a/plugins/XmlImportExport/lang/strings_english.txt b/plugins/XmlImportExport/lang/strings_english.txt
-index 775ad76..e595228 100644
---- a/plugins/XmlImportExport/lang/strings_english.txt
-+++ b/plugins/XmlImportExport/lang/strings_english.txt
-@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
- $s_plugin_XmlImportExport_import = 'Import issues';
- $s_plugin_XmlImportExport_export = 'XML Export';
-
-+$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
-+$s_plugin_XmlImportExport_import_threshold = 'Import issues';
-+$s_plugin_XmlImportExport_export_threshold = 'Export issues';
-+
-+$s_plugin_XmlImportExport_action_update = 'Update';
-+
- $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
-+
- $s_plugin_XmlImportExport_import_options = 'Import options';
-
- $s_plugin_XmlImportExport_cross_references = 'Cross references';
-diff --git a/plugins/XmlImportExport/pages/config.php b/plugins/XmlImportExport/pages/config.php
-new file mode 100644
-index 0000000..19587c8
---- /dev/null
-+++ b/plugins/XmlImportExport/pages/config.php
-@@ -0,0 +1,27 @@
-+<?php
-+# Copyright (c) 2014 MantisBT Team - mantisbt-dev at lists.sourceforge.net
-+# Licensed under the MIT license
-+
-+form_security_validate( 'plugin_XmlImportExport_config' );
-+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
-+
-+/**
-+ * Sets plugin config option if value is different from current/default
-+ * @param string $p_name option name
-+ * @param string $p_value value to set
-+ * @return void
-+ */
-+function config_set_if_needed( $p_name, $p_value ) {
-+ if ( $p_value != plugin_config_get( $p_name ) ) {
-+ plugin_config_set( $p_name, $p_value );
-+ }
-+}
-+
-+$t_redirect_url = plugin_page( 'config_page', true );
-+
-+config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
-+config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
-+
-+form_security_purge( 'plugin_XmlImportExport_config' );
-+
-+print_successful_redirect( $t_redirect_url );
-diff --git a/plugins/XmlImportExport/pages/config_page.php b/plugins/XmlImportExport/pages/config_page.php
-new file mode 100644
-index 0000000..7c678af
---- /dev/null
-+++ b/plugins/XmlImportExport/pages/config_page.php
-@@ -0,0 +1,48 @@
-+<?php
-+# Copyright (c) 2014 MantisBT Team - mantisbt-dev at lists.sourceforge.net
-+# Licensed under the MIT license
-+
-+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
-+
-+html_page_top();
-+//print_manage_menu();
-+?>
-+
-+<br />
-+<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
-+<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
-+<table class="width60" align="center">
-+
-+<tr>
-+<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
-+</tr>
-+
-+<tr <?php echo helper_alternate_class() ?>>
-+<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
-+<td><select name="import_threshold"><?php
-+ print_enum_string_option_list(
-+ 'access_levels',
-+ plugin_config_get( 'import_threshold' )
-+ );
-+ ?></select></td>
-+</tr>
-+
-+<tr <?php echo helper_alternate_class() ?>>
-+<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
-+<td><select name="export_threshold"><?php
-+ print_enum_string_option_list(
-+ 'access_levels',
-+ plugin_config_get( 'export_threshold' )
-+ );
-+ ?></select></td>
-+</tr>
-+
-+<tr>
-+<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
-+</tr>
-+
-+</table>
-+</form>
-+
-+<?php
-+html_page_bottom();
-diff --git a/plugins/XmlImportExport/pages/export.php b/plugins/XmlImportExport/pages/export.php
-index 061b135..aac3bbf 100644
---- a/plugins/XmlImportExport/pages/export.php
-+++ b/plugins/XmlImportExport/pages/export.php
-@@ -20,6 +20,8 @@
-
- require_once( 'core.php' );
-
-+access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
-+
- auth_ensure_user_authenticated( );
- helper_begin_long_process( );
-
-diff --git a/plugins/XmlImportExport/pages/import.php b/plugins/XmlImportExport/pages/import.php
-index cd7721f..6740727 100644
---- a/plugins/XmlImportExport/pages/import.php
-+++ b/plugins/XmlImportExport/pages/import.php
-@@ -14,6 +14,8 @@
- # You should have received a copy of the GNU General Public License
- # along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
-
-+access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
-+
- auth_reauthenticate( );
-
- html_page_top( plugin_lang_get( 'import' ) );
diff --git a/mantis-1.2.17-fix_LDAP_poisoning.patch b/mantis-1.2.17-fix_LDAP_poisoning.patch
deleted file mode 100644
index d67c100..0000000
--- a/mantis-1.2.17-fix_LDAP_poisoning.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-commit 215968fa8ff33e327f0600765a5caa24de392cbc
-Author: Paul Richards <paul at mantisforge.org>
-Date: Sat Oct 12 22:58:43 2013 +0100
-
- Strip null bytes out of GPC input strings
-
- Backporting commit fc02c46eea9d9e7cc472a7fc1801ea65d467db76 from master
- branch to fix issue #17640
-
- Signed-off-by: Damien Regad <dregad at mantisbt.org>
-
-diff --git a/core/gpc_api.php b/core/gpc_api.php
-index 2daad98..58e0827 100644
---- a/core/gpc_api.php
-+++ b/core/gpc_api.php
-@@ -110,7 +110,7 @@ function gpc_get_string( $p_var_name, $p_default = null ) {
- trigger_error( ERROR_GPC_ARRAY_UNEXPECTED, ERROR );
- }
-
-- return $t_result;
-+ return str_replace( "\0","",$t_result );
- }
-
- /**
-@@ -255,7 +255,11 @@ function gpc_get_string_array( $p_var_name, $p_default = null ) {
- trigger_error( ERROR_GPC_ARRAY_EXPECTED, ERROR );
- }
-
-- return $t_result;
-+ $t_array = array();
-+ foreach( $t_result as $key => $val ) {
-+ $t_array[$key] = str_replace( "\0", "", $val );
-+ }
-+ return $t_array;
- }
-
- /**
diff --git a/mantis.spec b/mantis.spec
index c41dd3f..e3182f9 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -5,8 +5,8 @@
Summary: Web-based issue tracking system
Name: mantis
-Version: 1.2.17
-Release: 4%{?dist}
+Version: 1.2.18
+Release: 1%{?dist}
License: GPLv2+
Group: Applications/Internet
URL: http://www.mantisbt.org/
@@ -22,10 +22,6 @@ Patch2: mantis-1.2.4-do_not_warn_on_admin_directory.patch
Patch3: mantis-1.2.12-use_systems_phpmailer.patch
# set environment variable to find config_inc.php in /etc/mantis
Patch4: mantis-1.2.14-set_env_on_scripts.patch
-Patch5: mantis-1.2.17-fix_LDAP_poisoning.patch
-Patch6: mantis-1.2.17-fix-CVE-2014-8554.patch
-Patch7: mantis-1.2.17-fix-CVE-2014-8598.patch
-Patch8: mantis-1.2.17-fix-CVE-2014-7146.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
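Review bot: Dropping Patch5–Patch8 here (and the matching `%patch5`–`%patch8` lines in the %prep hunk) removes the only place the spec named the fixes for CVE-2014-7146, CVE-2014-8554, CVE-2014-8598 and the GPC null-byte stripping for issue #17640, while the new %changelog entry only says "fix several security issues". The changelog calls these patches upstreamed, but the diff cannot show that the 1.2.18 tarball contains all four, so that is worth confirming against the upstream changelog before the build. I would record the identifiers in the changelog entry so `rpm -q --changelog` still answers per-CVE queries, for example `- drop upstreamed patches (CVE-2014-7146, CVE-2014-8554, CVE-2014-8598, upstream #17640)`.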
@@ -72,10 +68,6 @@ This package contains configuration-files for Apache httpd 2.
%patch2 -p1
%patch3 -p1
%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
cp %{SOURCE1} ./doc/README.Fedora
rm -rf packages docbook tests
@@ -160,6 +152,12 @@ rm -rf "${RPM_BUILD_ROOT}"
%changelog
+* Tue Dec 9 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.18-1
+- new upstream release
+- drop upstreamed patches
+- fix several security issues, full list in upstream changelog:
+ http://www.mantisbt.org/bugs/changelog_page.php?version_id=191
+
* Fri Nov 14 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.17-4
- fix CVE-2014-7146, CVE-2014-8598 (#1162046)
- fix CVE-2014-8554 (#1159295)
diff --git a/sources b/sources
index 442a48a..09f7420 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b3080a3a9351524c547823d33a76106f mantisbt-1.2.17.tar.gz
+24fd5200cd9709b69dafa34ce3e66690 mantisbt-1.2.18.tar.gz
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/mantis.git/commit/?h=el5&id=9525ad1b48b7a3e627905110669eaf965ed77c2b