giallu pushed to mantis (el5). "pick up latest changes from Fedora"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue Apr 7 13:33:13 UTC 2015


>From 1733256145a09647325abdc825510c5c2c53c649 Mon Sep 17 00:00:00 2001
From: Gianluca Sforna <giallu at gmail.com>
Date: Fri, 14 Nov 2014 10:23:24 +0100
Subject: Fix latest security issues


diff --git a/mantis-1.2.17-fix-CVE-2014-7146.patch b/mantis-1.2.17-fix-CVE-2014-7146.patch
new file mode 100644
index 0000000..9603bb1
--- /dev/null
+++ b/mantis-1.2.17-fix-CVE-2014-7146.patch
@@ -0,0 +1,63 @@
+commit bed19db954359043515300c995ebc40ebb97265a
+Author: Damien Regad <dregad at mantisbt.org>
+Date:   Sat Nov 1 19:45:47 2014 +0100
+
+    XML Import: Fix php code injection vulnerability
+    
+    Egidio Romano discovered a vulnerability in the XML import plugin.
+    
+    User input passed through the "description" field (and the "issuelink"
+    attribute) of the uploaded XML file isn't properly sanitized before
+    being used in a call to the preg_replace() function which uses the 'e'
+    modifier. This can be exploited to inject and execute arbitrary PHP code
+    when the Import/Export plugin is installed.
+    
+    This fix is a partial backport from a master branch commit which has
+    been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8)
+    excluding changes not relevant to fixing the security issue, including
+    subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
+    4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).
+    
+    Fixes #17725 (CVE-2014-7146)
+
+diff --git a/plugins/XmlImportExport/ImportXml.php b/plugins/XmlImportExport/ImportXml.php
+index 590f898..09ccc8d 100644
+--- a/plugins/XmlImportExport/ImportXml.php
++++ b/plugins/XmlImportExport/ImportXml.php
+@@ -102,16 +102,27 @@ class ImportXML {
+ 
+ 		echo " Done\n";
+ 
+-		$importedIssues = $this->itemsMap_->getall( 'issue' );
+-		printf( "Processing cross-references for %s issues...", count( $importedIssues ) );
+-		foreach( $importedIssues as $oldId => $newId ) {
+-			$bugData = bug_get( $newId, true );
+-
+-			$bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e';
+-			$replacement = '"\\1" . $this->getReplacementString( "\\2", "\\3" )';
++		# replace bug references
++		$t_imported_issues = $this->itemsMap_->getall( 'issue' );
++		printf( 'Processing cross-references for %s issues...', count( $t_imported_issues ) );
++		foreach( $t_imported_issues as $t_old_id => $t_new_id ) {
++			$t_bug = bug_get( $t_new_id, true );
++			$t_content_replaced = false;
++			$t_bug_link_regexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/';
++
++			# replace links in description
++			preg_match_all( $t_bug_link_regexp, $t_bug->description, $t_matches );
++			if( is_array( $t_matches[3] ) && count( $t_matches[3] ) > 0 ) {
++				$t_content_replaced = true;
++				foreach ( $t_matches[3] as $t_old_id2 ) {
++					$t_bug->description = str_replace( $this->source_->issuelink . $t_old_id2, $this->getReplacementString( $this->source_->issuelink, $t_old_id2 ), $t_bug->description );
++				}
++			}
+ 
+-			$bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description );
+-			$bugData->update( true, true );
++			if( $t_content_replaced ) {
++				# only update bug if necessary (otherwise last update date would be unnecessarily overwritten)
++				$t_bug->update( true );
++			}
+ 		}
+ 		echo " Done\n";
+ 	}
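Review bot: The `str_replace()` call inside the `foreach ( $t_matches[3] as $t_old_id2 )` loop drops the boundary context that `$t_bug_link_regexp` enforced, so a reference to a short id is also rewritten where it is only the prefix of a longer id, and text written by an earlier iteration can be rewritten again by a later one when a new id equals another old id. Dropping the `/e` modifier is the right fix for the code-injection issue, and the same effect is available in a single pass with `preg_replace_callback( $t_bug_link_regexp, $callback, $t_bug->description, -1, $t_count )`, where the callback returns `$m[1] . $this->getReplacementString( $m[2], $m[3] )` and `$t_count > 0` takes the place of `$t_content_replaced`. The commit message says later upstream fixes were left out of this backport, so it is worth confirming whether they address this. The enclosing method starts outside the hunk and `getReplacementString()` is not visible here.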
diff --git a/mantis-1.2.17-fix-CVE-2014-8554.patch b/mantis-1.2.17-fix-CVE-2014-8554.patch
new file mode 100644
index 0000000..ef8b35a
--- /dev/null
+++ b/mantis-1.2.17-fix-CVE-2014-8554.patch
@@ -0,0 +1,33 @@
+commit 99ffb0afaff3409d0eaec78ac963214da0d2a079
+Author: Damien Regad <dregad at mantisbt.org>
+Date:   Thu Oct 30 15:31:36 2014 +0100
+
+    SQL injection in mc_project_get_attachments()
+    
+    This is a follow-up on CVE-2014-1609 / issue #16880.
+    
+    Edwin Gozeling and Wim Visser from ITsec Security Services BV
+    (http://www.itsec.nl) discovered that the fix in #16880 did not fully
+    address the problem. Their research demonstrate that using a specially
+    crafted project id parameter, an attacker could still perform an SQL
+    injection.
+    
+    The same issue was also reported by Paul Richards in issue #17823.
+    
+    This patch fixes the problem by typecasting the Project ID parameter
+    to Integer.
+    
+    Fixes #17812, CVE-2014-8554
+
+diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
+index 8e6aae9..fe57b7b 100644
+--- a/api/soap/mc_project_api.php
++++ b/api/soap/mc_project_api.php
+@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
+ 		return mci_soap_fault_login_failed();
+ 	}
+ 
++	$p_project_id = (int)$p_project_id;
+ 	$g_project_override = $p_project_id;
+ 
+ 	# Check if project documentation feature is enabled.
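Review bot: The added cast `$p_project_id = (int)$p_project_id;` carries no comment saying why it is there, and since it is the whole fix for the injection, a later cleanup could remove it as redundant; I would put `# Security: force the caller-supplied project id to an integer before it reaches any query (CVE-2014-8554)` above it. The query that consumes the value lies outside the hunk, so whether it is also parameterised cannot be checked from here; if it still concatenates the id, binding it as a query parameter would be the sturdier fix. The body of mc_project_get_attachments() starts and ends outside the hunk.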
diff --git a/mantis-1.2.17-fix-CVE-2014-8598.patch b/mantis-1.2.17-fix-CVE-2014-8598.patch
new file mode 100644
index 0000000..f9442d7
--- /dev/null
+++ b/mantis-1.2.17-fix-CVE-2014-8598.patch
@@ -0,0 +1,194 @@
+commit 80a15487cda89afb00ce866da8e24d76808dcdb4
+Author: Damien Regad <dregad at mantisbt.org>
+Date:   Fri Oct 17 17:21:25 2014 +0200
+
+    XML plugin: Add config page with access thresholds
+    
+    Prior to this, any user of a MantisBT instance with the XML
+    Import/Export plugin enabled and knowing the URL to the plugin's import
+    page could upload an XML file and insert data without restriction,
+    regardless of their access level.
+    
+    This vulnerability is particularly dangerous when used in combination
+    with the one described in issue #17725 (CVE-2014-7146) as it makes for a
+    very simple and easily accessible vector for PHP code injection attacks.
+    
+    There was also no access check when exporting data, which could allow an
+    attacker to gain access to confidential information (disclosure of all
+    bug-related data, including usernames).
+    
+    Fixes #17780 (CVE-2014-8598)
+
+diff --git a/plugins/XmlImportExport/XmlImportExport.php b/plugins/XmlImportExport/XmlImportExport.php
+index 63e254e..20ea3c2 100644
+--- a/plugins/XmlImportExport/XmlImportExport.php
++++ b/plugins/XmlImportExport/XmlImportExport.php
+@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
+ 	function register( ) {
+ 		$this->name = plugin_lang_get( 'title' );
+ 		$this->description = plugin_lang_get( 'description' );
+-		$this->page = '';
++		$this->page = "config_page";
+ 
+ 		$this->version = '1.0';
+ 		$this->requires = array(
+@@ -54,6 +54,17 @@ class XmlImportExportPlugin extends MantisPlugin {
+ 	/**
+ 	 * Default plugin configuration.
+ 	 */
++	public function config() {
++		return array(
++			"import_threshold" => ADMINISTRATOR,
++			"export_threshold" => DEVELOPER,
++		);
++	}
++
++	/**
++	 * Plugin hooks
++	 * @return array
++	 */
+ 	function hooks( ) {
+ 		$hooks = array(
+ 			'EVENT_MENU_MANAGE' => 'import_issues_menu',
+@@ -67,6 +78,9 @@ class XmlImportExportPlugin extends MantisPlugin {
+ 	}
+ 
+ 	function export_issues_menu( ) {
++		if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
++			return array();
++		}
+ 		return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
+ 	}
+ 
+diff --git a/plugins/XmlImportExport/lang/strings_english.txt b/plugins/XmlImportExport/lang/strings_english.txt
+index 775ad76..e595228 100644
+--- a/plugins/XmlImportExport/lang/strings_english.txt
++++ b/plugins/XmlImportExport/lang/strings_english.txt
+@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
+ $s_plugin_XmlImportExport_import = 'Import issues';
+ $s_plugin_XmlImportExport_export = 'XML Export';
+ 
++$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
++$s_plugin_XmlImportExport_import_threshold = 'Import issues';
++$s_plugin_XmlImportExport_export_threshold = 'Export issues';
++
++$s_plugin_XmlImportExport_action_update = 'Update';
++
+ $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
++
+ $s_plugin_XmlImportExport_import_options = 'Import options';
+ 
+ $s_plugin_XmlImportExport_cross_references = 'Cross references';
+diff --git a/plugins/XmlImportExport/pages/config.php b/plugins/XmlImportExport/pages/config.php
+new file mode 100644
+index 0000000..19587c8
+--- /dev/null
++++ b/plugins/XmlImportExport/pages/config.php
+@@ -0,0 +1,27 @@
++<?php
++# Copyright (c) 2014  MantisBT Team - mantisbt-dev at lists.sourceforge.net
++# Licensed under the MIT license
++
++form_security_validate( 'plugin_XmlImportExport_config' );
++access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
++
++/**
++ * Sets plugin config option if value is different from current/default
++ * @param string $p_name  option name
++ * @param string $p_value value to set
++ * @return void
++ */
++function config_set_if_needed( $p_name, $p_value ) {
++	if ( $p_value != plugin_config_get( $p_name ) ) {
++		plugin_config_set( $p_name, $p_value );
++	}
++}
++
++$t_redirect_url = plugin_page( 'config_page', true );
++
++config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
++config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
++
++form_security_purge( 'plugin_XmlImportExport_config' );
++
++print_successful_redirect( $t_redirect_url );
+diff --git a/plugins/XmlImportExport/pages/config_page.php b/plugins/XmlImportExport/pages/config_page.php
+new file mode 100644
+index 0000000..7c678af
+--- /dev/null
++++ b/plugins/XmlImportExport/pages/config_page.php
+@@ -0,0 +1,48 @@
++<?php
++# Copyright (c) 2014  MantisBT Team - mantisbt-dev at lists.sourceforge.net
++# Licensed under the MIT license
++
++access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
++
++html_page_top();
++//print_manage_menu();
++?>
++
++<br />
++<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
++<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
++<table class="width60" align="center">
++
++<tr>
++<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
++</tr>
++
++<tr <?php echo helper_alternate_class() ?>>
++<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
++<td><select name="import_threshold"><?php
++	print_enum_string_option_list(
++		'access_levels',
++		plugin_config_get( 'import_threshold' )
++	);
++	?></select></td>
++</tr>
++
++<tr <?php echo helper_alternate_class() ?>>
++<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
++<td><select name="export_threshold"><?php
++	print_enum_string_option_list(
++		'access_levels',
++		plugin_config_get( 'export_threshold' )
++	);
++	?></select></td>
++</tr>
++
++<tr>
++<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
++</tr>
++
++</table>
++</form>
++
++<?php
++html_page_bottom();
+diff --git a/plugins/XmlImportExport/pages/export.php b/plugins/XmlImportExport/pages/export.php
+index 061b135..aac3bbf 100644
+--- a/plugins/XmlImportExport/pages/export.php
++++ b/plugins/XmlImportExport/pages/export.php
+@@ -20,6 +20,8 @@
+ 
+ require_once( 'core.php' );
+ 
++access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
++
+ auth_ensure_user_authenticated( );
+ helper_begin_long_process( );
+ 
+diff --git a/plugins/XmlImportExport/pages/import.php b/plugins/XmlImportExport/pages/import.php
+index cd7721f..6740727 100644
+--- a/plugins/XmlImportExport/pages/import.php
++++ b/plugins/XmlImportExport/pages/import.php
+@@ -14,6 +14,8 @@
+ # You should have received a copy of the GNU General Public License
+ # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
+ 
++access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
++
+ auth_reauthenticate( );
+ 
+ html_page_top( plugin_lang_get( 'import' ) );
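Review bot: In `pages/config.php` the two values from `gpc_get_int()` go straight into `plugin_config_set()`, so any integer in the POST body is stored as a threshold, including one that is not a defined access level. The page is already limited to users at `manage_plugin_threshold`, so this is hardening, but these thresholds are now the only gate on import and export, and I would reject unknown values before saving, for example `if( !MantisEnum::hasValue( config_get( 'access_levels_enum_string' ), $p_value ) ) { trigger_error( ERROR_GENERIC, ERROR ); }` at the top of `config_set_if_needed()` (assuming both helpers exist in this branch). Separately, the patch gates only `export_issues_menu()`; `import_issues_menu()` is not in view, so confirm that it hides the link from users below `import_threshold` as well.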
diff --git a/mantis.spec b/mantis.spec
index df38ece..c41dd3f 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -6,7 +6,7 @@
 Summary:    Web-based issue tracking system
 Name:       mantis
 Version:    1.2.17
-Release:    3%{?dist}
+Release:    4%{?dist}
 License:    GPLv2+
 Group:      Applications/Internet
 URL:        http://www.mantisbt.org/
@@ -23,6 +23,9 @@ Patch3:     mantis-1.2.12-use_systems_phpmailer.patch
 # set environment variable to find config_inc.php in /etc/mantis
 Patch4:     mantis-1.2.14-set_env_on_scripts.patch
 Patch5:     mantis-1.2.17-fix_LDAP_poisoning.patch
+Patch6:     mantis-1.2.17-fix-CVE-2014-8554.patch
+Patch7:     mantis-1.2.17-fix-CVE-2014-8598.patch
+Patch8:     mantis-1.2.17-fix-CVE-2014-7146.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -70,6 +73,9 @@ This package contains configuration-files for Apache httpd 2.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 cp %{SOURCE1} ./doc/README.Fedora
 rm -rf packages docbook tests
@@ -154,6 +160,10 @@ rm -rf "${RPM_BUILD_ROOT}"
 
 
 %changelog
+* Fri Nov 14 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.17-4
+- fix CVE-2014-7146, CVE-2014-8598 (#1162046)
+- fix CVE-2014-8554 (#1159295)
+
 * Fri Oct 03 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.17-3
 - fix CVE-2014-6387 (#1141310)
 
-- 
cgit v0.10.2


>From 9525ad1b48b7a3e627905110669eaf965ed77c2b Mon Sep 17 00:00:00 2001
From: Gianluca Sforna <giallu at gmail.com>
Date: Tue, 9 Dec 2014 10:36:53 +0100
Subject: new upstream release, fixes several security issues


diff --git a/.gitignore b/.gitignore
index 526d8f0..0bb4046 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ mantisbt-1.1.8.tar.gz
 /mantisbt-1.2.14.tar.gz
 /mantisbt-1.2.15.tar.gz
 /mantisbt-1.2.17.tar.gz
+/mantisbt-1.2.18.tar.gz
diff --git a/mantis-1.2.17-fix-CVE-2014-7146.patch b/mantis-1.2.17-fix-CVE-2014-7146.patch
deleted file mode 100644
index 9603bb1..0000000
--- a/mantis-1.2.17-fix-CVE-2014-7146.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-commit bed19db954359043515300c995ebc40ebb97265a
-Author: Damien Regad <dregad at mantisbt.org>
-Date:   Sat Nov 1 19:45:47 2014 +0100
-
-    XML Import: Fix php code injection vulnerability
-    
-    Egidio Romano discovered a vulnerability in the XML import plugin.
-    
-    User input passed through the "description" field (and the "issuelink"
-    attribute) of the uploaded XML file isn't properly sanitized before
-    being used in a call to the preg_replace() function which uses the 'e'
-    modifier. This can be exploited to inject and execute arbitrary PHP code
-    when the Import/Export plugin is installed.
-    
-    This fix is a partial backport from a master branch commit which has
-    been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8)
-    excluding changes not relevant to fixing the security issue, including
-    subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
-    4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).
-    
-    Fixes #17725 (CVE-2014-7146)
-
-diff --git a/plugins/XmlImportExport/ImportXml.php b/plugins/XmlImportExport/ImportXml.php
-index 590f898..09ccc8d 100644
---- a/plugins/XmlImportExport/ImportXml.php
-+++ b/plugins/XmlImportExport/ImportXml.php
-@@ -102,16 +102,27 @@ class ImportXML {
- 
- 		echo " Done\n";
- 
--		$importedIssues = $this->itemsMap_->getall( 'issue' );
--		printf( "Processing cross-references for %s issues...", count( $importedIssues ) );
--		foreach( $importedIssues as $oldId => $newId ) {
--			$bugData = bug_get( $newId, true );
--
--			$bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e';
--			$replacement = '"\\1" . $this->getReplacementString( "\\2", "\\3" )';
-+		# replace bug references
-+		$t_imported_issues = $this->itemsMap_->getall( 'issue' );
-+		printf( 'Processing cross-references for %s issues...', count( $t_imported_issues ) );
-+		foreach( $t_imported_issues as $t_old_id => $t_new_id ) {
-+			$t_bug = bug_get( $t_new_id, true );
-+			$t_content_replaced = false;
-+			$t_bug_link_regexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/';
-+
-+			# replace links in description
-+			preg_match_all( $t_bug_link_regexp, $t_bug->description, $t_matches );
-+			if( is_array( $t_matches[3] ) && count( $t_matches[3] ) > 0 ) {
-+				$t_content_replaced = true;
-+				foreach ( $t_matches[3] as $t_old_id2 ) {
-+					$t_bug->description = str_replace( $this->source_->issuelink . $t_old_id2, $this->getReplacementString( $this->source_->issuelink, $t_old_id2 ), $t_bug->description );
-+				}
-+			}
- 
--			$bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description );
--			$bugData->update( true, true );
-+			if( $t_content_replaced ) {
-+				# only update bug if necessary (otherwise last update date would be unnecessarily overwritten)
-+				$t_bug->update( true );
-+			}
- 		}
- 		echo " Done\n";
- 	}
diff --git a/mantis-1.2.17-fix-CVE-2014-8554.patch b/mantis-1.2.17-fix-CVE-2014-8554.patch
deleted file mode 100644
index ef8b35a..0000000
--- a/mantis-1.2.17-fix-CVE-2014-8554.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-commit 99ffb0afaff3409d0eaec78ac963214da0d2a079
-Author: Damien Regad <dregad at mantisbt.org>
-Date:   Thu Oct 30 15:31:36 2014 +0100
-
-    SQL injection in mc_project_get_attachments()
-    
-    This is a follow-up on CVE-2014-1609 / issue #16880.
-    
-    Edwin Gozeling and Wim Visser from ITsec Security Services BV
-    (http://www.itsec.nl) discovered that the fix in #16880 did not fully
-    address the problem. Their research demonstrate that using a specially
-    crafted project id parameter, an attacker could still perform an SQL
-    injection.
-    
-    The same issue was also reported by Paul Richards in issue #17823.
-    
-    This patch fixes the problem by typecasting the Project ID parameter
-    to Integer.
-    
-    Fixes #17812, CVE-2014-8554
-
-diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
-index 8e6aae9..fe57b7b 100644
---- a/api/soap/mc_project_api.php
-+++ b/api/soap/mc_project_api.php
-@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
- 		return mci_soap_fault_login_failed();
- 	}
- 
-+	$p_project_id = (int)$p_project_id;
- 	$g_project_override = $p_project_id;
- 
- 	# Check if project documentation feature is enabled.
diff --git a/mantis-1.2.17-fix-CVE-2014-8598.patch b/mantis-1.2.17-fix-CVE-2014-8598.patch
deleted file mode 100644
index f9442d7..0000000
--- a/mantis-1.2.17-fix-CVE-2014-8598.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-commit 80a15487cda89afb00ce866da8e24d76808dcdb4
-Author: Damien Regad <dregad at mantisbt.org>
-Date:   Fri Oct 17 17:21:25 2014 +0200
-
-    XML plugin: Add config page with access thresholds
-    
-    Prior to this, any user of a MantisBT instance with the XML
-    Import/Export plugin enabled and knowing the URL to the plugin's import
-    page could upload an XML file and insert data without restriction,
-    regardless of their access level.
-    
-    This vulnerability is particularly dangerous when used in combination
-    with the one described in issue #17725 (CVE-2014-7146) as it makes for a
-    very simple and easily accessible vector for PHP code injection attacks.
-    
-    There was also no access check when exporting data, which could allow an
-    attacker to gain access to confidential information (disclosure of all
-    bug-related data, including usernames).
-    
-    Fixes #17780 (CVE-2014-8598)
-
-diff --git a/plugins/XmlImportExport/XmlImportExport.php b/plugins/XmlImportExport/XmlImportExport.php
-index 63e254e..20ea3c2 100644
---- a/plugins/XmlImportExport/XmlImportExport.php
-+++ b/plugins/XmlImportExport/XmlImportExport.php
-@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
- 	function register( ) {
- 		$this->name = plugin_lang_get( 'title' );
- 		$this->description = plugin_lang_get( 'description' );
--		$this->page = '';
-+		$this->page = "config_page";
- 
- 		$this->version = '1.0';
- 		$this->requires = array(
-@@ -54,6 +54,17 @@ class XmlImportExportPlugin extends MantisPlugin {
- 	/**
- 	 * Default plugin configuration.
- 	 */
-+	public function config() {
-+		return array(
-+			"import_threshold" => ADMINISTRATOR,
-+			"export_threshold" => DEVELOPER,
-+		);
-+	}
-+
-+	/**
-+	 * Plugin hooks
-+	 * @return array
-+	 */
- 	function hooks( ) {
- 		$hooks = array(
- 			'EVENT_MENU_MANAGE' => 'import_issues_menu',
-@@ -67,6 +78,9 @@ class XmlImportExportPlugin extends MantisPlugin {
- 	}
- 
- 	function export_issues_menu( ) {
-+		if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
-+			return array();
-+		}
- 		return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
- 	}
- 
-diff --git a/plugins/XmlImportExport/lang/strings_english.txt b/plugins/XmlImportExport/lang/strings_english.txt
-index 775ad76..e595228 100644
---- a/plugins/XmlImportExport/lang/strings_english.txt
-+++ b/plugins/XmlImportExport/lang/strings_english.txt
-@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
- $s_plugin_XmlImportExport_import = 'Import issues';
- $s_plugin_XmlImportExport_export = 'XML Export';
- 
-+$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
-+$s_plugin_XmlImportExport_import_threshold = 'Import issues';
-+$s_plugin_XmlImportExport_export_threshold = 'Export issues';
-+
-+$s_plugin_XmlImportExport_action_update = 'Update';
-+
- $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
-+
- $s_plugin_XmlImportExport_import_options = 'Import options';
- 
- $s_plugin_XmlImportExport_cross_references = 'Cross references';
-diff --git a/plugins/XmlImportExport/pages/config.php b/plugins/XmlImportExport/pages/config.php
-new file mode 100644
-index 0000000..19587c8
---- /dev/null
-+++ b/plugins/XmlImportExport/pages/config.php
-@@ -0,0 +1,27 @@
-+<?php
-+# Copyright (c) 2014  MantisBT Team - mantisbt-dev at lists.sourceforge.net
-+# Licensed under the MIT license
-+
-+form_security_validate( 'plugin_XmlImportExport_config' );
-+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
-+
-+/**
-+ * Sets plugin config option if value is different from current/default
-+ * @param string $p_name  option name
-+ * @param string $p_value value to set
-+ * @return void
-+ */
-+function config_set_if_needed( $p_name, $p_value ) {
-+	if ( $p_value != plugin_config_get( $p_name ) ) {
-+		plugin_config_set( $p_name, $p_value );
-+	}
-+}
-+
-+$t_redirect_url = plugin_page( 'config_page', true );
-+
-+config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
-+config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
-+
-+form_security_purge( 'plugin_XmlImportExport_config' );
-+
-+print_successful_redirect( $t_redirect_url );
-diff --git a/plugins/XmlImportExport/pages/config_page.php b/plugins/XmlImportExport/pages/config_page.php
-new file mode 100644
-index 0000000..7c678af
---- /dev/null
-+++ b/plugins/XmlImportExport/pages/config_page.php
-@@ -0,0 +1,48 @@
-+<?php
-+# Copyright (c) 2014  MantisBT Team - mantisbt-dev at lists.sourceforge.net
-+# Licensed under the MIT license
-+
-+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
-+
-+html_page_top();
-+//print_manage_menu();
-+?>
-+
-+<br />
-+<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
-+<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
-+<table class="width60" align="center">
-+
-+<tr>
-+<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
-+</tr>
-+
-+<tr <?php echo helper_alternate_class() ?>>
-+<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
-+<td><select name="import_threshold"><?php
-+	print_enum_string_option_list(
-+		'access_levels',
-+		plugin_config_get( 'import_threshold' )
-+	);
-+	?></select></td>
-+</tr>
-+
-+<tr <?php echo helper_alternate_class() ?>>
-+<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
-+<td><select name="export_threshold"><?php
-+	print_enum_string_option_list(
-+		'access_levels',
-+		plugin_config_get( 'export_threshold' )
-+	);
-+	?></select></td>
-+</tr>
-+
-+<tr>
-+<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
-+</tr>
-+
-+</table>
-+</form>
-+
-+<?php
-+html_page_bottom();
-diff --git a/plugins/XmlImportExport/pages/export.php b/plugins/XmlImportExport/pages/export.php
-index 061b135..aac3bbf 100644
---- a/plugins/XmlImportExport/pages/export.php
-+++ b/plugins/XmlImportExport/pages/export.php
-@@ -20,6 +20,8 @@
- 
- require_once( 'core.php' );
- 
-+access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
-+
- auth_ensure_user_authenticated( );
- helper_begin_long_process( );
- 
-diff --git a/plugins/XmlImportExport/pages/import.php b/plugins/XmlImportExport/pages/import.php
-index cd7721f..6740727 100644
---- a/plugins/XmlImportExport/pages/import.php
-+++ b/plugins/XmlImportExport/pages/import.php
-@@ -14,6 +14,8 @@
- # You should have received a copy of the GNU General Public License
- # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
- 
-+access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
-+
- auth_reauthenticate( );
- 
- html_page_top( plugin_lang_get( 'import' ) );
diff --git a/mantis-1.2.17-fix_LDAP_poisoning.patch b/mantis-1.2.17-fix_LDAP_poisoning.patch
deleted file mode 100644
index d67c100..0000000
--- a/mantis-1.2.17-fix_LDAP_poisoning.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-commit 215968fa8ff33e327f0600765a5caa24de392cbc
-Author: Paul Richards <paul at mantisforge.org>
-Date:   Sat Oct 12 22:58:43 2013 +0100
-
-    Strip null bytes out of GPC input strings
-    
-    Backporting commit fc02c46eea9d9e7cc472a7fc1801ea65d467db76 from master
-    branch to fix issue #17640
-    
-    Signed-off-by: Damien Regad <dregad at mantisbt.org>
-
-diff --git a/core/gpc_api.php b/core/gpc_api.php
-index 2daad98..58e0827 100644
---- a/core/gpc_api.php
-+++ b/core/gpc_api.php
-@@ -110,7 +110,7 @@ function gpc_get_string( $p_var_name, $p_default = null ) {
- 		trigger_error( ERROR_GPC_ARRAY_UNEXPECTED, ERROR );
- 	}
- 
--	return $t_result;
-+	return str_replace( "\0","",$t_result );
- }
- 
- /**
-@@ -255,7 +255,11 @@ function gpc_get_string_array( $p_var_name, $p_default = null ) {
- 		trigger_error( ERROR_GPC_ARRAY_EXPECTED, ERROR );
- 	}
- 
--	return $t_result;
-+	$t_array = array();
-+	foreach( $t_result as $key => $val ) {
-+		$t_array[$key] = str_replace( "\0", "", $val );
-+	}
-+	return $t_array;
- }
- 
- /**
diff --git a/mantis.spec b/mantis.spec
index c41dd3f..e3182f9 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -5,8 +5,8 @@
 
 Summary:    Web-based issue tracking system
 Name:       mantis
-Version:    1.2.17
-Release:    4%{?dist}
+Version:    1.2.18
+Release:    1%{?dist}
 License:    GPLv2+
 Group:      Applications/Internet
 URL:        http://www.mantisbt.org/
@@ -22,10 +22,6 @@ Patch2:     mantis-1.2.4-do_not_warn_on_admin_directory.patch
 Patch3:     mantis-1.2.12-use_systems_phpmailer.patch
 # set environment variable to find config_inc.php in /etc/mantis
 Patch4:     mantis-1.2.14-set_env_on_scripts.patch
-Patch5:     mantis-1.2.17-fix_LDAP_poisoning.patch
-Patch6:     mantis-1.2.17-fix-CVE-2014-8554.patch
-Patch7:     mantis-1.2.17-fix-CVE-2014-8598.patch
-Patch8:     mantis-1.2.17-fix-CVE-2014-7146.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -72,10 +68,6 @@ This package contains configuration-files for Apache httpd 2.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
 
 cp %{SOURCE1} ./doc/README.Fedora
 rm -rf packages docbook tests
@@ -160,6 +152,12 @@ rm -rf "${RPM_BUILD_ROOT}"
 
 
 %changelog
+* Tue Dec  9 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.18-1
+- new upstream release
+- drop upstreamed patches
+- fix several security issues, full list in upstream changelog:
+  http://www.mantisbt.org/bugs/changelog_page.php?version_id=191
+
 * Fri Nov 14 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.17-4
 - fix CVE-2014-7146, CVE-2014-8598 (#1162046)
 - fix CVE-2014-8554 (#1159295)
diff --git a/sources b/sources
index 442a48a..09f7420 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b3080a3a9351524c547823d33a76106f  mantisbt-1.2.17.tar.gz
+24fd5200cd9709b69dafa34ce3e66690  mantisbt-1.2.18.tar.gz
-- 
cgit v0.10.2


>From d646ce43287e5b64ec46422b9190a9a3eacf7cb3 Mon Sep 17 00:00:00 2001
From: Gianluca Sforna <giallu at gmail.com>
Date: Mon, 26 Jan 2015 11:28:27 +0100
Subject: new upstream release

- fix CVE-2014-9571, CVE-2014-9572, CVE-2014-9573 (#1183595)

diff --git a/.gitignore b/.gitignore
index 0bb4046..ac57aeb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ mantisbt-1.1.8.tar.gz
 /mantisbt-1.2.15.tar.gz
 /mantisbt-1.2.17.tar.gz
 /mantisbt-1.2.18.tar.gz
+/mantisbt-1.2.19.tar.gz
diff --git a/mantis.spec b/mantis.spec
index e3182f9..0da3747 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -5,7 +5,7 @@
 
 Summary:    Web-based issue tracking system
 Name:       mantis
-Version:    1.2.18
+Version:    1.2.19
 Release:    1%{?dist}
 License:    GPLv2+
 Group:      Applications/Internet
@@ -152,6 +152,10 @@ rm -rf "${RPM_BUILD_ROOT}"
 
 
 %changelog
+* Mon Jan 26 2015 Gianluca Sforna <giallu at gmail.com> - 1.2.19-1
+- new upstream release
+- fix CVE-2014-9571, CVE-2014-9572, CVE-2014-9573 (#1183595)
+
 * Tue Dec  9 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.18-1
 - new upstream release
 - drop upstreamed patches
diff --git a/sources b/sources
index 09f7420..576bf0e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-24fd5200cd9709b69dafa34ce3e66690  mantisbt-1.2.18.tar.gz
+8377a0219ec344b9ab9c186012b5114f  mantisbt-1.2.19.tar.gz
-- 
cgit v0.10.2


>From 78cacd1292b9b20a0c7def104d8e517cc0c2f6df Mon Sep 17 00:00:00 2001
From: Gianluca Sforna <giallu at gmail.com>
Date: Mon, 26 Jan 2015 12:26:19 +0100
Subject: rebase patch


diff --git a/mantis-1.2.12-install_no_write_config.patch b/mantis-1.2.12-install_no_write_config.patch
deleted file mode 100644
index db2e000..0000000
--- a/mantis-1.2.12-install_no_write_config.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-diff -u -aur mantisbt-1.2.12.orig/admin/install.php mantisbt-1.2.12/admin/install.php
---- mantisbt-1.2.12.orig/admin/install.php	2012-11-12 00:10:40.000000000 +0100
-+++ mantisbt-1.2.12/admin/install.php	2012-11-15 00:24:29.567983203 +0100
-@@ -412,10 +412,18 @@
- <?php if( !$g_database_upgrade ) {?>
- <tr>
- 	<td>
-+		<div style="background-color: #FCC; padding: 5px; border: 1px solid red;">
-+		To change any of the disabled options below, edit /etc/mantis/config_inc.php and reload this page!
-+		</div>
-+	</td>
-+</tr>
-+
-+<tr>
-+	<td>
- 		Type of Database
- 	</td>
- 	<td>
--		<select name="db_type">
-+		<select disabled="true" name="db_type">
- 		<?php
- 			// Build selection list of available DB types
- 			$t_db_list = array(
-@@ -451,7 +459,7 @@
- 		Hostname (for Database Server)
- 	</td>
- 	<td>
--		<input name="hostname" type="textbox" value="<?php echo $f_hostname?>"></input>
-+		<input name="hostname" type="textbox" disabled="disabled" value="<?php echo $f_hostname?>"></input>
- 	</td>
- </tr>
- <?php
-@@ -463,7 +471,7 @@
- 		Username (for Database)
- 	</td>
- 	<td>
--		<input name="db_username" type="textbox" value="<?php echo $f_db_username?>"></input>
-+		<input name="db_username" type="textbox" disabled="disabled" value="<?php echo $f_db_username?>"></input>
- 	</td>
- </tr>
- <?php
-@@ -475,7 +483,7 @@
- 		Password (for Database)
- 	</td>
- 	<td>
--		<input name="db_password" type="password" value="<?php echo( !is_blank( $f_db_password ) ? CONFIGURED_PASSWORD : "" )?>"></input>
-+		<input name="db_password" type="password" disabled="disabled" value="<?php echo( !is_blank( $f_db_password ) ? CONFIGURED_PASSWORD : "" )?>"></input>
- 	</td>
- </tr>
- <?php
-@@ -487,7 +495,7 @@
- 		Database name (for Database)
- 	</td>
- 	<td>
--		<input name="database_name" type="textbox" value="<?php echo $f_database_name?>"></input>
-+		<input name="database_name" type="textbox" disabled="disabled" value="<?php echo $f_database_name?>"></input>
- 	</td>
- </tr>
- <?php
-@@ -780,79 +788,9 @@
- if( 5 == $t_install_state ) {
- 	$t_config_filename = $g_absolute_path . 'config_inc.php';
- 	$t_config_exists = file_exists( $t_config_filename );
--	?>
--<table width="100%" border="0" cellpadding="10" cellspacing="1">
--<tr>
--	<td bgcolor="#e8e8e8" colspan="2">
--		<span class="title">Write Configuration File(s)</span>
--	</td>
--</tr>
--
--<tr>
--	<td bgcolor="#ffffff">
--		<?php
--			if( !$t_config_exists ) {
--		echo 'Creating Configuration File (config_inc.php)<br />';
--		echo '<font color="red">(if this file is not created, create it manually with the contents below)</font>';
--	} else {
--		echo 'Updating Configuration File (config_inc.php)<br />';
--	}
--	?>
--	</td>
--	<?php
--		$t_config = '<?php' . "\r\n";
--	$t_config .= "\t\$g_hostname = '$f_hostname';\r\n";
--	$t_config .= "\t\$g_db_type = '$f_db_type';\r\n";
--	$t_config .= "\t\$g_database_name = '$f_database_name';\r\n";
--	$t_config .= "\t\$g_db_username = '$f_db_username';\r\n";
--	$t_config .= "\t\$g_db_password = '$f_db_password';\r\n";
- 
--	if( $f_db_type == 'db2' ) {
--		$t_config .= "\t\$g_db_schema = '$f_db_schema';\r\n";
--	}
--
--	$t_config .= '?>' . "\r\n";
--	$t_write_failed = true;
--
--	if( !$t_config_exists ) {
--		if( $fd = @fopen( $t_config_filename, 'w' ) ) {
--			fwrite( $fd, $t_config );
--			fclose( $fd );
--		}
--
--		if( file_exists( $t_config_filename ) ) {
--			print_test_result( GOOD );
--			$t_write_failed = false;
--		} else {
--			print_test_result( BAD, false, 'cannot write ' . $t_config_filename );
--		}
--	} else {
--		# already exists, see if the information is the same
--		if ( ( $f_hostname != config_get( 'hostname', '' ) ) ||
--			( $f_db_type != config_get( 'db_type', '' ) ) ||
--			( $f_database_name != config_get( 'database_name', '') ) ||
--			( $f_db_schema != config_get( 'db_schema', '') ) ||
--			( $f_db_username != config_get( 'db_username', '' ) ) ||
--			( $f_db_password != config_get( 'db_password', '' ) ) ) {
--			print_test_result( BAD, false, 'file ' . $g_absolute_path . 'config_inc.php' . ' already exists and has different settings' );
--		} else {
--			print_test_result( GOOD, false );
--			$t_write_failed = false;
--		}
--	}
--	?>
--</tr>
--<?php
--	if( true == $t_write_failed ) {
--		echo '<tr><table width="50%" border="0" cellpadding="10" cellspacing="1" align="center">';
--		echo '<tr><td>Please add the following lines to ' . $g_absolute_path . 'config_inc.php before continuing to the database upgrade check:</td></tr>';
--		echo '<tr><td><pre>' . htmlentities( $t_config ) . '</pre></td></tr></table></tr>';
--	}
--	?>
-+        // FEDORA PATCH: Removed config_inc.php manipulation code
- 
--</table>
--
--<?php
- 	if( false == $g_failed ) {
- 		$t_install_state++;
- 	}
-Only in mantisbt-1.2.12/admin: install.php.orig
diff --git a/mantis-1.2.19-install_no_write_config.patch b/mantis-1.2.19-install_no_write_config.patch
new file mode 100644
index 0000000..027c784
--- /dev/null
+++ b/mantis-1.2.19-install_no_write_config.patch
@@ -0,0 +1,144 @@
+diff --git a/admin/install.php b/admin/install.php
+index 6a57a88..9c619c0 100644
+--- a/admin/install.php
++++ b/admin/install.php
+@@ -411,10 +411,18 @@ if( 1 == $t_install_state ) {
+ <?php if( !$g_database_upgrade ) {?>
+ <tr>
+ 	<td>
++		<div style="background-color: #FCC; padding: 5px; border: 1px solid red;">
++		To change any of the disabled options below, edit /etc/mantis/config_inc.php and reload this page!
++		</div>
++	</td>
++</tr>
++
++<tr>
++	<td>
+ 		Type of Database
+ 	</td>
+ 	<td>
+-		<select name="db_type">
++		<select disabled="true" name="db_type">
+ 		<?php
+ 			// Build selection list of available DB types
+ 			$t_db_list = array(
+@@ -450,7 +458,7 @@ if( !$g_database_upgrade ) {?>
+ 		Hostname (for Database Server)
+ 	</td>
+ 	<td>
+-		<input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>">
++		<input name="hostname" type="textbox" disabled="disabled" value="<?php echo string_attribute( $f_hostname ) ?>">
+ 	</td>
+ </tr>
+ <?php
+@@ -462,7 +470,7 @@ if( !$g_database_upgrade ) {?>
+ 		Username (for Database)
+ 	</td>
+ 	<td>
+-		<input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>">
++		<input name="db_username" type="textbox" disabled="disabled" value="<?php echo string_attribute( $f_db_username ) ?>">
+ 	</td>
+ </tr>
+ <?php
+@@ -486,7 +494,7 @@ if( !$g_database_upgrade ) {?>
+ 		Database name (for Database)
+ 	</td>
+ 	<td>
+-		<input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>">
++		<input name="database_name" type="textbox" disabled="disabled" value="<?php echo string_attribute( $f_database_name ) ?>">
+ 	</td>
+ </tr>
+ <?php
+@@ -785,91 +793,9 @@ if( 4 == $t_install_state ) {
+ if( 5 == $t_install_state ) {
+ 	$t_config_filename = $g_absolute_path . 'config_inc.php';
+ 	$t_config_exists = file_exists( $t_config_filename );
+-	?>
+-<table width="100%" border="0" cellpadding="10" cellspacing="1">
+-<tr>
+-	<td bgcolor="#e8e8e8" colspan="2">
+-		<span class="title">Write Configuration File(s)</span>
+-	</td>
+-</tr>
+ 
+-<tr>
+-	<td bgcolor="#ffffff">
+-		<?php echo ( $t_config_exists ? 'Updating' : 'Creating' )
+-			. ' Configuration File (config_inc.php)'; ?>
+-	</td>
+-	<?php
+-	# Generating the config_inc.php file
+-
+-	$t_config = '<?php' . "\r\n";
+-	$t_config .= "\$g_hostname = '$f_hostname';\r\n";
+-	$t_config .= "\$g_db_type = '$f_db_type';\r\n";
+-	$t_config .= "\$g_database_name = '$f_database_name';\r\n";
+-	$t_config .= "\$g_db_username = '$f_db_username';\r\n";
+-	$t_config .= "\$g_db_password = '$f_db_password';\r\n";
+-
+-	if( $f_db_type == 'db2' ) {
+-		$t_config .= "\$g_db_schema = '$f_db_schema';\r\n";
+-	}
+-
+-	$t_write_failed = true;
+-
+-	if( !$t_config_exists ) {
+-		if( $fd = @fopen( $t_config_filename, 'w' ) ) {
+-			fwrite( $fd, $t_config );
+-			fclose( $fd );
+-		}
++        // FEDORA PATCH: Removed config_inc.php manipulation code
+ 
+-		if( file_exists( $t_config_filename ) ) {
+-			print_test_result( GOOD );
+-			$t_write_failed = false;
+-		} else {
+-			print_test_result( BAD, false, 'cannot write ' . $t_config_filename );
+-		}
+-	} else {
+-		# already exists, see if the information is the same
+-		if ( ( $f_hostname != config_get( 'hostname', '' ) ) ||
+-			( $f_db_type != config_get( 'db_type', '' ) ) ||
+-			( $f_database_name != config_get( 'database_name', '') ) ||
+-			( $f_db_schema != config_get( 'db_schema', '') ) ||
+-			( $f_db_username != config_get( 'db_username', '' ) ) ||
+-			( $f_db_password != config_get( 'db_password', '' ) ) ) {
+-			print_test_result( BAD, false, 'file ' . $g_absolute_path . 'config_inc.php' . ' already exists and has different settings' );
+-		} else {
+-			print_test_result( GOOD, false );
+-			$t_write_failed = false;
+-		}
+-	}
+-	?>
+-</tr>
+-<?php
+-	if( true == $t_write_failed ) {
+-?>
+-<tr>
+-	<td colspan="2">
+-		<table width="50%" cellpadding="10" cellspacing="1">
+-			<tr>
+-				<td>
+-					Please add the following lines to
+-					<em>'<?php echo $g_absolute_path; ?>config_inc.php'</em>
+-					before continuing:
+-				</td>
+-			</tr>
+-			<tr>
+-				<td>
+-					<pre><?php echo htmlentities( $t_config ); ?></pre>
+-				</td>
+-			</tr>
+-		</table>
+-	</td>
+-</tr>
+-<?php
+-	}
+-	?>
+-
+-</table>
+-
+-<?php
+ 	if( false == $g_failed ) {
+ 		$t_install_state++;
+ 	}
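Review bot: The rebased patch no longer disables the `db_password` input: its inner hunks go from `db_username` (`@@ -462,7 +470,7 @@`) straight to `database_name` (`@@ -486,7 +494,7 @@`), while the 1.2.12 patch it replaces also had a hunk for the password field. If the omission is not intentional, add a hunk that puts `disabled="disabled"` on the `db_password` input so the form matches the banner that sends the admin to /etc/mantis/config_inc.php. Keep in mind that `disabled` is only a browser-side hint; whether install.php still honours posted `hostname` or `db_username` values is not visible in this patch, so the real control remains the httpd restriction on admin/ that the spec file mentions. In the last inner hunk, `$t_config_filename` and `$t_config_exists` are still assigned but appear unused once the write block is removed, and the added `// FEDORA PATCH: Removed config_inc.php manipulation code` line is space-indented in a tab-indented file.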
diff --git a/mantis.spec b/mantis.spec
index 0da3747..fa9e2d0 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -15,7 +15,7 @@ Source0:    http://downloads.sourceforge.net/mantisbt/mantisbt-%{version}.tar.gz
 Source1:    mantis-README.Fedora
 
 # Admin is supposed to edit /etc/mantis/config_inc.php
-Patch0:     mantis-1.2.12-install_no_write_config.patch
+Patch0:     mantis-1.2.19-install_no_write_config.patch
 Patch1:     mantis-1.2.12-no_example_com.patch
 # We secure admin/ with httpd directives
 Patch2:     mantis-1.2.4-do_not_warn_on_admin_directory.patch
@@ -154,6 +154,7 @@ rm -rf "${RPM_BUILD_ROOT}"
 %changelog
 * Mon Jan 26 2015 Gianluca Sforna <giallu at gmail.com> - 1.2.19-1
 - new upstream release
+- rebase patch
 - fix CVE-2014-9571, CVE-2014-9572, CVE-2014-9573 (#1183595)
 
 * Tue Dec  9 2014 Gianluca Sforna <giallu at gmail.com> - 1.2.18-1
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/mantis.git/commit/?h=el5&id=782382bb744da3d4052e855b089d2be1750a8b5b

