| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <www-apps/mantisbt-1.2.7-r1 multiple vulnerabilities (CVE-2011-3357) | | |
| Product | Gentoo Security | Reporter | David Hicks <david> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | david, pva, web-apps |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.mantisbt.org/bugs/view.php?id=13281 | | |
| Whiteboard | B3 [glsa] | | |
| Package list | | Runtime testing required | --- |
Description
David Hicks
2011-09-01 11:53:46 UTC
Thank you David. I've added this patch in mantisbt-1.2.7-r1. Arch teams, please, consider stabilization.

amd64:pass

+ 02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> mantisbt-1.2.7-r1.ebuild:
+ Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+ Lazkani in security bug #381417 filed by David Hicks.

x86 stable

Thanks, folks. GLSA Vote: no.

Hi Peter & others,

Thanks for the quick response. All vulnerabilities have now been fixed and the 1.2.8 release has been tagged in the repository, ready for packaging and release. The original patch I produced has been replaced with a more comprehensive patch for the 1.2.8 release. A CVE request has been sent to the oss-security mailing list.

Note the potential severity of the LFI vulnerability from my follow-up post to oss-security:

-----------
MantisBT allows users to upload attachments to bug reports. These attachments are commonly stored on the disk in an 'attachments' directory that should be stored outside the web root (but are still accessible to MantisBT for retrieval). This LFI vulnerability therefore allows arbitrary remote code execution on a target server (as the web user ID). This level of access could be used to connect to the MantisBT database and access files and configuration of other web applications operating under the same uid/gid as the MantisBT installation.

For example, this LFI vulnerability may allow an attacker to call:

require_once('../var/www/example.com/data/mantisbt/attachments/123456-malicious_attachment.php')
-----------

(In reply to comment #6)
> Hi Peter & others,
>
> Thanks for the quick response.

Thank you, David. I've opened a new bug, 381785, to track the fixes for the other two issues.

Added to pending GLSA request.

This issue was resolved and addressed in GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).
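As an added illustration of the mitigation for the LFI that David Hicks' comment above describes (example code written for this page, not MantisBT's own code and not the 1.2.8 patch), here is a page-include helper that replaces the `require_once $user_input` pattern with an allowlist plus a realpath containment check; the template directory, page names and demo inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT code. Assumptions: page templates live in one
// directory and are selected by a short key; attachments are stored elsewhere
// and must never be includable, whatever the user supplies.

/**
 * Resolve a user-supplied page key to an includable file, or return null.
 * Two independent checks: the key must be on the allowlist, and the
 * resolved real path must stay inside $pageDir, so '..' segments, symlinks
 * and paths into an attachments directory are all rejected.
 */
function resolve_page(string $key, string $pageDir, array $allowed): ?string
{
    if (!in_array($key, $allowed, true)) {
        return null;                       // not a known page name
    }
    $base = realpath($pageDir);
    $real = realpath($pageDir . '/' . $key . '.php');
    if ($base === false || $real === false) {
        return null;                       // directory or page file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the template dir
    }
    return $real;
}

// Constructed demo environment: a temp directory holding one real page.
$pages = sys_get_temp_dir() . '/lfi_demo_pages';
if (!is_dir($pages)) {
    mkdir($pages, 0700, true);
}
file_put_contents($pages . '/view.php', "<?php echo \"rendered view page\\n\";\n");
$allowed = ['view', 'summary'];            // 'summary' is allowed but has no file

// Inputs that the vulnerable pattern would hand straight to require_once.
$inputs = [
    'view',                                // legitimate page key
    '../var/www/example.com/data/mantisbt/attachments/123456-malicious_attachment.php',
    'summary',                             // allowlisted, but file is absent
];
foreach ($inputs as $input) {
    $file = resolve_page($input, $pages, $allowed);
    printf("%-85s => %s\n", $input, $file === null ? 'REJECTED' : 'include ' . basename($file));
    if ($file !== null) {
        require_once $file;
    }
}
```

Only the first input reaches `require_once`; the attachment path fails the allowlist, and the missing `summary` page fails the realpath check, so neither is ever included.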