giallu pushed to mantis (el5). "Fix latest security issues"
notifications at fedoraproject.org
notifications at fedoraproject.org
Tue Apr 7 13:32:56 UTC 2015
>From 1733256145a09647325abdc825510c5c2c53c649 Mon Sep 17 00:00:00 2001
From: Gianluca Sforna <giallu at gmail.com>
Date: Fri, 14 Nov 2014 10:23:24 +0100
Subject: Fix latest security issues
diff --git a/mantis-1.2.17-fix-CVE-2014-7146.patch b/mantis-1.2.17-fix-CVE-2014-7146.patch
new file mode 100644
index 0000000..9603bb1
--- /dev/null
+++ b/mantis-1.2.17-fix-CVE-2014-7146.patch
@@ -0,0 +1,63 @@
+commit bed19db954359043515300c995ebc40ebb97265a
+Author: Damien Regad <dregad at mantisbt.org>
+Date: Sat Nov 1 19:45:47 2014 +0100
+
+ XML Import: Fix php code injection vulnerability
+
+ Egidio Romano discovered a vulnerability in the XML import plugin.
+
+ User input passed through the "description" field (and the "issuelink"
+ attribute) of the uploaded XML file isn't properly sanitized before
+ being used in a call to the preg_replace() function which uses the 'e'
+ modifier. This can be exploited to inject and execute arbitrary PHP code
+ when the Import/Export plugin is installed.
+
+ This fix is a partial backport from a master branch commit which has
+ been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8)
+ excluding changes not relevant to fixing the security issue, including
+ subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
+ 4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).
+
+ Fixes #17725 (CVE-2014-7146)
+
+diff --git a/plugins/XmlImportExport/ImportXml.php b/plugins/XmlImportExport/ImportXml.php
+index 590f898..09ccc8d 100644
+--- a/plugins/XmlImportExport/ImportXml.php
++++ b/plugins/XmlImportExport/ImportXml.php
+@@ -102,16 +102,27 @@ class ImportXML {
+
+ echo " Done\n";
+
+- $importedIssues = $this->itemsMap_->getall( 'issue' );
+- printf( "Processing cross-references for %s issues...", count( $importedIssues ) );
+- foreach( $importedIssues as $oldId => $newId ) {
+- $bugData = bug_get( $newId, true );
+-
+- $bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e';
+- $replacement = '"\\1" . $this->getReplacementString( "\\2", "\\3" )';
++ # replace bug references
++ $t_imported_issues = $this->itemsMap_->getall( 'issue' );
++ printf( 'Processing cross-references for %s issues...', count( $t_imported_issues ) );
++ foreach( $t_imported_issues as $t_old_id => $t_new_id ) {
++ $t_bug = bug_get( $t_new_id, true );
++ $t_content_replaced = false;
++ $t_bug_link_regexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/';
++
++ # replace links in description
++ preg_match_all( $t_bug_link_regexp, $t_bug->description, $t_matches );
++ if( is_array( $t_matches[3] ) && count( $t_matches[3] ) > 0 ) {
++ $t_content_replaced = true;
++ foreach ( $t_matches[3] as $t_old_id2 ) {
++ $t_bug->description = str_replace( $this->source_->issuelink . $t_old_id2, $this->getReplacementString( $this->source_->issuelink, $t_old_id2 ), $t_bug->description );
++ }
++ }
+
+- $bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description );
+- $bugData->update( true, true );
++ if( $t_content_replaced ) {
++ # only update bug if necessary (otherwise last update date would be unnecessarily overwritten)
++ $t_bug->update( true );
++ }
+ }
+ echo " Done\n";
+ }
diff --git a/mantis-1.2.17-fix-CVE-2014-8554.patch b/mantis-1.2.17-fix-CVE-2014-8554.patch
new file mode 100644
index 0000000..ef8b35a
--- /dev/null
+++ b/mantis-1.2.17-fix-CVE-2014-8554.patch
@@ -0,0 +1,33 @@
+commit 99ffb0afaff3409d0eaec78ac963214da0d2a079
+Author: Damien Regad <dregad at mantisbt.org>
+Date: Thu Oct 30 15:31:36 2014 +0100
+
+ SQL injection in mc_project_get_attachments()
+
+ This is a follow-up on CVE-2014-1609 / issue #16880.
+
+ Edwin Gozeling and Wim Visser from ITsec Security Services BV
+ (http://www.itsec.nl) discovered that the fix in #16880 did not fully
+ address the problem. Their research demonstrate that using a specially
+ crafted project id parameter, an attacker could still perform an SQL
+ injection.
+
+ The same issue was also reported by Paul Richards in issue #17823.
+
+ This patch fixes the problem by typecasting the Project ID parameter
+ to Integer.
+
+ Fixes #17812, CVE-2014-8554
+
+diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
+index 8e6aae9..fe57b7b 100644
+--- a/api/soap/mc_project_api.php
++++ b/api/soap/mc_project_api.php
+@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
+ return mci_soap_fault_login_failed();
+ }
+
++ $p_project_id = (int)$p_project_id;
+ $g_project_override = $p_project_id;
+
+ # Check if project documentation feature is enabled.
diff --git a/mantis-1.2.17-fix-CVE-2014-8598.patch b/mantis-1.2.17-fix-CVE-2014-8598.patch
new file mode 100644
index 0000000..f9442d7
--- /dev/null
+++ b/mantis-1.2.17-fix-CVE-2014-8598.patch
@@ -0,0 +1,194 @@
+commit 80a15487cda89afb00ce866da8e24d76808dcdb4
+Author: Damien Regad <dregad at mantisbt.org>
+Date: Fri Oct 17 17:21:25 2014 +0200
+
+ XML plugin: Add config page with access thresholds
+
+ Prior to this, any user of a MantisBT instance with the XML
+ Import/Export plugin enabled and knowing the URL to the plugin's import
+ page could upload an XML file and insert data without restriction,
+ regardless of their access level.
+
+ This vulnerability is particularly dangerous when used in combination
+ with the one described in issue #17725 (CVE-2014-7146) as it makes for a
+ very simple and easily accessible vector for PHP code injection attacks.
+
+ There was also no access check when exporting data, which could allow an
+ attacker to gain access to confidential information (disclosure of all
+ bug-related data, including usernames).
+
+ Fixes #17780 (CVE-2014-8598)
+
+diff --git a/plugins/XmlImportExport/XmlImportExport.php b/plugins/XmlImportExport/XmlImportExport.php
+index 63e254e..20ea3c2 100644
+--- a/plugins/XmlImportExport/XmlImportExport.php
++++ b/plugins/XmlImportExport/XmlImportExport.php
+@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
+ function register( ) {
+ $this->name = plugin_lang_get( 'title' );
+ $this->description = plugin_lang_get( 'description' );
+- $this->page = '';
++ $this->page = "config_page";
+
+ $this->version = '1.0';
+ $this->requires = array(
+@@ -54,6 +54,17 @@ class XmlImportExportPlugin extends MantisPlugin {
+ /**
+ * Default plugin configuration.
+ */
++ public function config() {
++ return array(
++ "import_threshold" => ADMINISTRATOR,
++ "export_threshold" => DEVELOPER,
++ );
++ }
++
++ /**
++ * Plugin hooks
++ * @return array
++ */
+ function hooks( ) {
+ $hooks = array(
+ 'EVENT_MENU_MANAGE' => 'import_issues_menu',
+@@ -67,6 +78,9 @@ class XmlImportExportPlugin extends MantisPlugin {
+ }
+
+ function export_issues_menu( ) {
++ if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
++ return array();
++ }
+ return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
+ }
+
+diff --git a/plugins/XmlImportExport/lang/strings_english.txt b/plugins/XmlImportExport/lang/strings_english.txt
+index 775ad76..e595228 100644
+--- a/plugins/XmlImportExport/lang/strings_english.txt
++++ b/plugins/XmlImportExport/lang/strings_english.txt
+@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
+ $s_plugin_XmlImportExport_import = 'Import issues';
+ $s_plugin_XmlImportExport_export = 'XML Export';
+
++$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
++$s_plugin_XmlImportExport_import_threshold = 'Import issues';
++$s_plugin_XmlImportExport_export_threshold = 'Export issues';
++
++$s_plugin_XmlImportExport_action_update = 'Update';
++
+ $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
++
+ $s_plugin_XmlImportExport_import_options = 'Import options';
+
+ $s_plugin_XmlImportExport_cross_references = 'Cross references';
+diff --git a/plugins/XmlImportExport/pages/config.php b/plugins/XmlImportExport/pages/config.php
+new file mode 100644
+index 0000000..19587c8
+--- /dev/null
++++ b/plugins/XmlImportExport/pages/config.php
+@@ -0,0 +1,27 @@
++<?php
++# Copyright (c) 2014 MantisBT Team - mantisbt-dev at lists.sourceforge.net
++# Licensed under the MIT license
++
++form_security_validate( 'plugin_XmlImportExport_config' );
++access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
++
++/**
++ * Sets plugin config option if value is different from current/default
++ * @param string $p_name option name
++ * @param string $p_value value to set
++ * @return void
++ */
++function config_set_if_needed( $p_name, $p_value ) {
++ if ( $p_value != plugin_config_get( $p_name ) ) {
++ plugin_config_set( $p_name, $p_value );
++ }
++}
++
++$t_redirect_url = plugin_page( 'config_page', true );
++
++config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
++config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
++
++form_security_purge( 'plugin_XmlImportExport_config' );
++
++print_successful_redirect( $t_redirect_url );
+diff --git a/plugins/XmlImportExport/pages/config_page.php b/plugins/XmlImportExport/pages/config_page.php
+new file mode 100644
+index 0000000..7c678af
+--- /dev/null
++++ b/plugins/XmlImportExport/pages/config_page.php
+@@ -0,0 +1,48 @@
++<?php
++# Copyright (c) 2014 MantisBT Team - mantisbt-dev at lists.sourceforge.net
++# Licensed under the MIT license
++
++access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
++
++html_page_top();
++//print_manage_menu();
++?>
++
++<br />
++<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
++<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
++<table class="width60" align="center">
++
++<tr>
++<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
++</tr>
++
++<tr <?php echo helper_alternate_class() ?>>
++<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
++<td><select name="import_threshold"><?php
++ print_enum_string_option_list(
++ 'access_levels',
++ plugin_config_get( 'import_threshold' )
++ );
++ ?></select></td>
++</tr>
++
++<tr <?php echo helper_alternate_class() ?>>
++<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
++<td><select name="export_threshold"><?php
++ print_enum_string_option_list(
++ 'access_levels',
++ plugin_config_get( 'export_threshold' )
++ );
++ ?></select></td>
++</tr>
++
++<tr>
++<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
++</tr>
++
++</table>
++</form>
++
++<?php
++html_page_bottom();
+diff --git a/plugins/XmlImportExport/pages/export.php b/plugins/XmlImportExport/pages/export.php
+index 061b135..aac3bbf 100644
+--- a/plugins/XmlImportExport/pages/export.php
++++ b/plugins/XmlImportExport/pages/export.php
+@@ -20,6 +20,8 @@
+
+ require_once( 'core.php' );
+
++access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
++
+ auth_ensure_user_authenticated( );
+ helper_begin_long_process( );
+
+diff --git a/plugins/XmlImportExport/pages/import.php b/plugins/XmlImportExport/pages/import.php
+index cd7721f..6740727 100644
+--- a/plugins/XmlImportExport/pages/import.php
++++ b/plugins/XmlImportExport/pages/import.php
+@@ -14,6 +14,8 @@
+ # You should have received a copy of the GNU General Public License
+ # along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
+
++access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
++
+ auth_reauthenticate( );
+
+ html_page_top( plugin_lang_get( 'import' ) );
diff --git a/mantis.spec b/mantis.spec
index df38ece..c41dd3f 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -6,7 +6,7 @@
Summary: Web-based issue tracking system
Name: mantis
Version: 1.2.17
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: Applications/Internet
URL: http://www.mantisbt.org/
@@ -23,6 +23,9 @@ Patch3: mantis-1.2.12-use_systems_phpmailer.patch
# set environment variable to find config_inc.php in /etc/mantis
Patch4: mantis-1.2.14-set_env_on_scripts.patch
Patch5: mantis-1.2.17-fix_LDAP_poisoning.patch
+Patch6: mantis-1.2.17-fix-CVE-2014-8554.patch
+Patch7: mantis-1.2.17-fix-CVE-2014-8598.patch
+Patch8: mantis-1.2.17-fix-CVE-2014-7146.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -70,6 +73,9 @@ This package contains configuration-files for Apache httpd 2.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
cp %{SOURCE1} ./doc/README.Fedora
rm -rf packages docbook tests
@@ -154,6 +160,10 @@ rm -rf "${RPM_BUILD_ROOT}"
%changelog
+* Fri Nov 14 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.17-4
+- fix CVE-2014-7146, CVE-2014-8598 (#1162046)
+- fix CVE-2014-8554 (#1159295)
+
* Fri Oct 03 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.17-3
- fix CVE-2014-6387 (#1141310)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/mantis.git/commit/?h=el5&id=1733256145a09647325abdc825510c5c2c53c649
More information about the scm-commits
mailing list