Bug 330481 (CVE-2010-2802) - <www-apps/mantisbt-1.2.2: cross-domain scripting or other browser attacks (CVE-2010-2802)
Status: RESOLVED FIXED
Alias: CVE-2010-2802
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2010-07-30 10:31 UTC by Peter Volkov (RETIRED)
Modified: 2010-10-03 00:06 UTC
Description Peter Volkov (RETIRED) gentoo-dev 2010-07-30 10:31:54 UTC
MantisBT 1.2.2 is a security update for the stable 1.2.x branch. All 
installations that are currently running any 1.2.x version are advised 
to upgrade to this release.

Issue #11952 covers a security fix to the display of inline attachments, 
where "Arbitrary inline attachment rendering could lead to cross-domain 
scripting or other browser attacks".  See 
http://www.mantisbt.org/bugs/view.php?id=11952 for further details and 
information.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2010-07-30 10:38:13 UTC
The new version was bumped. Arch teams, please stabilize www-apps/mantisbt-1.2.2.
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2010-07-31 14:48:50 UTC
Are you sure?

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-apps/mantisbt/

I can't see version 1.2.2
Comment 3 David Hicks 2010-08-01 03:10:04 UTC
Peter, thanks for following up with this new release.

I am the MantisBT developer who patched the flaw so if you have any further questions about the vulnerability, please feel free to contact me.

Essentially it was possible to upload an HTML file attachment to a bug and rename the extension to .gif (or another file format that MantisBT shows inline). MantisBT would then use pecl-fileinfo (if available) to determine the real MIME type of the file (text/html in this example) and this MIME type would be conveyed to users viewing/downloading the file. The browser would thus attempt to render the HTML file within the browser rather than downloading it.

The solution was to pass a flag to the download script to inform the script of the Content-Disposition header to send to the user. This flag is protected by a CSRF token to ensure that the only way a file can be shown inline within a browser is if a user is currently looking at a bug report with inline previews enabled. Even in that case, inline previews will currently only work within <img src="???" /> where browsers won't attempt to render potentially harmful content such as text/html (they're expecting an image only).
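The decision rule David describes (inline only when the request carries a valid CSRF token and the sniffed type is an image; everything else forced to download) as an added Python model, not MantisBT's own code. The magic-byte sniffer, header names and token values are constructed for the example.

```python
import hmac
from typing import Dict, Optional

# Constructed magic-byte table: the "real" type comes from the bytes,
# not the filename extension (what pecl-fileinfo does in the report).
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}


def sniff_mime(data: bytes) -> str:
    """Return the MIME type implied by the leading bytes (constructed sniffer)."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    head = data[:512].lower()
    if b"<html" in head or b"<script" in head:
        return "text/html"
    return "application/octet-stream"


def attachment_headers(data: bytes, filename: str, show_inline: bool,
                       token: Optional[str], session_token: str) -> Dict[str, str]:
    """Choose Content-Type and Content-Disposition for an attachment download.

    Hardened rule modelled on the 1.2.2 fix: the file is served inline only
    if the caller asked for it, the request's CSRF token matches the session,
    and the sniffed type is an image. HTML renamed to .gif therefore always
    gets Content-Disposition: attachment, so the browser will not render it.
    """
    mime = sniff_mime(data)
    token_ok = token is not None and hmac.compare_digest(token, session_token)
    inline = show_inline and token_ok and mime.startswith("image/")
    disposition = "inline" if inline else "attachment"
    safe_name = filename.replace('"', "")  # keep the header value well-formed
    return {
        "Content-Type": mime,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
    }
```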
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-08-01 05:42:50 UTC
(In reply to comment #2)
> I cant see version 1.2.2

Markos, I forgot to confirm the commit. Now everything is in place. Thank you.

David, thank you very much for the explanation. BTW, do you want to be CC'ed on mantisbt bugs in Gentoo? If yes, I can add your e-mail to metadata.xml.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-08-01 11:42:55 UTC
amd64 done
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-01 13:33:27 UTC
stable x86
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-08-11 22:41:50 UTC
Marked ppc stable.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2010-09-25 16:42:25 UTC
CVE-2010-2802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2802):
  Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2 allows
  remote authenticated users to inject arbitrary web script or HTML via an
  HTML document with a .gif filename extension, related to inline attachments.

Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:28:41 UTC
CVE-2010-2802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2802):
  Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2
  allows remote authenticated users to inject arbitrary web script or
  HTML via an HTML document with a .gif filename extension, related to
  inline attachments.

Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-10-02 15:32:14 UTC
GLSA Vote: No.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-03 00:06:01 UTC
No, too, closing NOGLSA.