Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 157970 - www-apps/mantisbt <=1.0.6 Information disclosure (and CVE-2006-6574)
Summary: www-apps/mantisbt <=1.0.6 Information disclosure (and CVE-2006-6574)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://sourceforge.net/project/showno...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-12 14:32 UTC by Matt Drew (RETIRED)
Modified: 2007-05-14 17:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Proposed Mantis 1.0.7 ebuild. (mantisbt-1.0.7.ebuild,852 bytes, text/plain)
2007-04-18 12:50 UTC, Philippe Chaintreuil 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Drew (RETIRED) gentoo-dev 2006-12-12 14:32:53 UTC 
- 0003375: [security] Bughistory bypasses security on custom fields (thraxisp)
- 0005163: [security] Default value for $g_bug_reminder_threshold should be higher than "reporter" (vboctor)
- 0007364: [security] Custom field visible in history independent from user role (thraxisp)

http://secunia.com/advisories/23258/

The current release with the fixes is an alpha release - maybe wait until a full 1.1.x release?
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:55:38 UTC 
Web-apps please advise and bump as necessary.
Comment 2 Matt Drew (RETIRED) gentoo-dev 2007-04-05 14:28:35 UTC 
This was just fixed in the 1.0.7 release - web-apps, can we get an ebuild and close this one out?  Thanks.

http://www.mantisbt.org/changelog.php

2007.04.04 - 1.0.7

This is a maintenance release that includes 3 security fixes, a new logo, and IE7 compatibility
fix.  All users of previous versions of Mantis (0.x.x and 1.0.x) are encouraged to upgrade to
Mantis 1.0.7.

- 0007743: [security] Port: CVE-2006-6574 (vboctor)
- 0007772: [security] email notifications bypass security on custom fields (vboctor)
- 0007784: [security] XSS vulnerabilities (vboctor)
- 0007774: [custom fields] custom fields not stored correctly in bug history (vboctor)
- 0007783: [filters] Port: Dynamic filter selection (XMLHTTPRequest) broken when using IE7
(vboctor)
Comment 3 Philippe Chaintreuil 2007-04-18 12:50:33 UTC 
Created attachment 116631 [details]
Proposed Mantis 1.0.7 ebuild.

As an attempt to kick-start this getting into the tree, here's an ebuild.

Danger Will Robinson! Danger!
- This is my first try at updating an ebuild.
- I just read http://gentoo-wiki.com/HOWTO_Create_an_Updated_Ebuild to make it.
- Of course, all I had to do was rename the file, so I probably can't have screwed it up that much.  ;)  (CVS check-in header line still reads 1.0.6.)

But, I tried it and it works for me on my server.

Someone double check that I'm not a blundering idiot, and hopefully get it into the tree.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2007-05-11 14:18:26 UTC 
mantisbt-1.0.7 is in the tree. Thank Christian Parpart for bump.

Philippe, next time attach diff or just note, that coping of the old ebuild works for you. No need to attach full ebuild.
Comment 5 Philippe Chaintreuil 2007-05-11 14:21:33 UTC 
(In reply to comment #4)
> Philippe, next time attach diff or just note, that coping of the old ebuild
> works for you. No need to attach full ebuild.

   Roger that.

   Thanks for getting it into the tree, you guys.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2007-05-12 13:41:15 UTC 
mantisbt was stable some time ago on ppc, but current versions in portage are not stable on all archs. I removed unstable vulnerable version and I think this bug is fixed. Right? :)
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-14 17:58:06 UTC 
Thanks Peter.

Updating stuff for future reference.