Two security-related problems have been discovered in Mantis, a web-based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-2556: A remote attacker could insert arbitrary SQL code into SQL statements.

CAN-2005-2557: A remote attacker was able to insert arbitrary HTML code into bug reports, hence cross-site scripting.
A total of 4 bugs (two have been fixed in 1.0.0rc1): http://secunia.com/advisories/16506/
Apparently the Mantis team won't fix it quickly. Probably better to derive a patch from the Debian patchset? Problem being they are based on 0.19.2:
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-4.diff.gz
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2.orig.tar.gz
Pulling in web-apps for input.
Hmm, maybe we should mask it.
No response from maintainer -> I vote for a mask. Vapier/Solar, please do the magic if you agree.
If it's fixed in Debian, why don't we just add their patchset to our SRC_URI and utilize it? I could do it up...
Mike, you didn't agree, please do your magic then :-)
vapier: it should be possible to use the Debian patchset, yes (probably by bumping to the same version they use). It's because the web-apps team apparently wasn't too enthusiastic about it that we suggested masking. If you feel like it, please do it; otherwise we'll mask.
Created attachment 68207 [details, diff] mantis_0.19.2-4.diff

Well, we have 1.0.0rc1 in portage, which resolves the first two issues, but it isn't obvious how the second two are fixed in the Debian patchset (if they are). Attached is the Debian patchset (#4) for 0.19.2 with all the extra cruft removed. Unless someone else feels like taking it further, I guess it's time we mask ;)
web-apps: last chance before masking.
vapier: please go ahead asap :)
Eh, they _just_ released 1.0.0_rc2, we should check if the security issues were fixed before masking. I'll try to take a look this afternoon.
1.0.0_rc2 and a patched 0.19.2 are in the tree. I can't tell from the ChangeLog ( http://www.mantisbt.org/changelog.php ) if the vulnerabilities have been fixed. Thoughts?
RC1 fixes:
- 0005751: [security] Javascript XSS vulnerability (thraxisp)
- 0005959: [security] Cross Site Scripting Vulnerability in the mantis/view_all_set.php Script (thraxisp)

RC2 fixes:
- 0006097: [security] user ID is cached indefinitely (thraxisp)
- 0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)

According to Secunia/Debian there are four things:
http://bugs.mantisbt.org/view.php?id=5751
http://bugs.mantisbt.org/view.php?id=5956 [ access denied ]
http://bugs.mantisbt.org/view.php?id=5959 [ access denied ]
http://bugs.mantisbt.org/view.php?id=6002 [ access denied ]

1) Input included in bug reports is not properly sanitised before being deleted. This can be exploited to execute arbitrary HTML and script code in an administrative user's browser session in context of a vulnerable site when a malicious bug report is deleted.
--> Mantis bug 5751, FIXED in RC1

2) Unspecified input passed to the "mantis/view_all_set.php" script is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
--> FIXED in RC1, Mantis bug 5959

3) Unspecified input passed to the "mantis/view_all_bug_page.php" script is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
--> ? view_all_bug_page.php wasn't changed in the last 7 months, so I guess it isn't fixed.

4) Unspecified input is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
--> ? Since neither Mantis bug 5956 nor Mantis bug 6002 appears in the changelog, I guess this one isn't fixed either...

Since the last bug is about SQL injection, I call for masking.
Renat: does your patched 0.19.2 mirror all Debian patches? In which case it probably fixes all the things and we can keep it.
I applied vapier's patches, so I guess we can keep 0.19.2. FYI - 0.18.3 is stable on ppc.
ppc: please test and mark 0.19.2 stable
Stable on ppc.
Ok, 0.19.2 is all set, 1.0.0_rc2 has been masked.
I know it's a different problem... but the actual ebuild fails:

>>> Install mantisbt-0.19.2 into /var/tmp/portage/mantisbt-0.19.2/image/ category www-apps
dodoc: doc/CREDITS does not exist
dodoc: doc/CUSTOMIZATION does not exist
dodoc: doc/ChangeLog does not exist
dodoc: doc/LICENSE does not exist
dodoc: doc/README does not exist
dodoc: doc/TROUBLESHOOTING does not exist
dodoc: doc/UPGRADING does not exist
cp: cannot stat `*.php': No such file or directory
cp: cannot stat `admin': No such file or directory
cp: cannot stat `core': No such file or directory
cp: cannot stat `css': No such file or directory
cp: cannot stat `graphs': No such file or directory
cp: cannot stat `images': No such file or directory
cp: cannot stat `lang': No such file or directory
cp: cannot stat `config_inc.php.sample': No such file or directory
 * ebuild fault: file '/usr/share/webapps/mantisbt/0.19.2/htdocs/config_inc.php' not found
 * Please report this as a bug at http://bugs.gentoo.org/

!!! ERROR: www-apps/mantisbt-0.19.2 failed.
!!! Function webapp_checkfileexists, Line 57, Exitcode 0
!!! ebuild fault: file '/usr/share/webapps/mantisbt/0.19.2/htdocs/config_inc.php' not found
!!! If you need support, post the topmost build error, NOT this status message.
Ready for GLSA vote. Renat: could you have a look at comment #18 ?
${S} was incorrect. Fixed in CVS.
Voting yes
Let's have a GLSA, I'm voting YES.
After downgrading to 0.19.2, I was unable to log in to Mantis due to a missing field in mantis_user_table (lost_password_in_progress_count). Adding this field to the table seems to cure the problem.
GLSA 200509-16
1.0.0rc3 has also addressed this. http://sourceforge.net/project/shownotes.php?release_id=366796&group_id=14963