Bug 443106 (CVE-2012-5522) - <www-apps/mantisbt-1.2.15 : multiple security flaws (CVE-2012-{5522,5523},CVE-2013-1811)
Summary: <www-apps/mantisbt-1.2.15 : multiple security flaws (CVE-2012-{5522,5523},CVE...
Status: RESOLVED FIXED
Alias: CVE-2012-5522
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-14 14:51 UTC by Agostino Sarubbo
Modified: 2016-04-01 03:42 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2012-11-14 14:51:54 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=876371 :

Two flaws were noted as being fixed in the Mantis 1.2.12 changelog [1]:

- 0014496: [security] Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default' (dregad)
- 0014704: [security] Clone and Move issue with Copy bug notes - user get email notice from project without access (dregad)

[1] http://www.mantisbt.org/bugs/changelog_page.php?version_id=150
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 00:40:32 UTC
CVE-2012-5523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5523):
  core/email_api.php in MantisBT before 1.2.12 does not properly manage the
  sending of e-mail notifications about restricted bugs, which might allow
  remote authenticated users to obtain sensitive information by adding a note
  to a bug before losing permission to view that bug.

CVE-2012-5522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5522):
  MantisBT before 1.2.12 does not use an expected default value during
  decisions about whether a user may modify the status of a bug, which allows
  remote authenticated users to bypass intended access restrictions and make
  status changes by leveraging a blank value for a per-status setting.
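The blank-default bypass that the CVE-2012-5522 entry describes, as an added model (not MantisBT's code; the status names, access-level values and the fallback constant are assumptions), with an audit helper that flags blank per-status settings:

```python
# Constructed model of the CVE-2012-5522 defect class: a per-status
# "minimum access level to change to this status" setting that was left
# blank and is consumed without a sane default.  Hypothetical names only;
# this is not MantisBT's code.

VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER = 10, 25, 40, 55, 70

# Hypothetical global fallback: the level a correct implementation applies
# when a per-status value is missing or blank.
DEFAULT_MIN_LEVEL = DEVELOPER

# Constructed workflow configuration: status -> minimum access level needed
# to move an issue into that status.  "closed" was never filled in.
WORKFLOW_THRESHOLDS = {
    "resolved": DEVELOPER,
    "closed": "",
    "feedback": REPORTER,
}


def can_change_status_weak(user_level, new_status, thresholds=WORKFLOW_THRESHOLDS):
    """Vulnerable variant: the stored value is used as-is.  A loose
    comparison treats a blank string like 0, so any authenticated user
    passes the check for that status."""
    raw = thresholds.get(new_status, "")
    threshold = int(raw) if str(raw).strip() else 0  # blank collapses to 0
    return user_level >= threshold


def can_change_status_fixed(user_level, new_status, thresholds=WORKFLOW_THRESHOLDS):
    """Hardened variant: a missing or blank per-status value falls back to
    the global default instead of being read as 'anyone may do this'."""
    raw = thresholds.get(new_status)
    if raw is None or not str(raw).strip():
        raw = DEFAULT_MIN_LEVEL
    return user_level >= int(raw)


def find_blank_thresholds(thresholds):
    """Audit helper: list statuses whose threshold is blank, so a deployment
    can be checked for the misconfiguration before the check is relied on."""
    return sorted(s for s, v in thresholds.items()
                  if v is None or not str(v).strip())
```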
Comment 2 Patrick Lauer gentoo-dev 2013-03-06 04:24:29 UTC
+  06 Mar 2013; Patrick Lauer <patrick@gentoo.org> +mantisbt-1.2.12.ebuild:
+  Bump for #443106
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-06 16:15:56 UTC
(In reply to comment #2)
> +  06 Mar 2013; Patrick Lauer <patrick@gentoo.org> +mantisbt-1.2.12.ebuild:
> +  Bump for #443106

I guess this is not enough: http://www.openwall.com/lists/oss-security/2013/03/03/6
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-14 12:10:37 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > +  06 Mar 2013; Patrick Lauer <patrick@gentoo.org> +mantisbt-1.2.12.ebuild:
> > +  Bump for #443106
> 
> I guess this is not enough:
> http://www.openwall.com/lists/oss-security/2013/03/03/6

Furthermore:

MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release.

Please refer to the release notes for details.

- 0015415: [security] XSS vulnerability on Configuration Report page (dregad) - closed.
- 0015416: [security] XSS issue in adm_config_report.php when displaying complex value (dregad) - closed.
- 0015411: [performance] Huge memory consumption for print_user_option_list() (dregad) - closed.

http://mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.14
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-21 18:51:42 UTC
Another vulnerability for mantis: https://bugzilla.redhat.com/show_bug.cgi?id=924340


A denial of service flaw was found in the way MantisBT, a free, popular web-based issue tracking system, performed processing of certain types of View Issues page search queries. A remote attacker could provide a specially-crafted query (a filter combining some criteria and a text search with 'any condition') that, when processed by the MantisBT system, would lead to excessive system resource consumption (denial of service), possibly leading to complete MantisBT server instance unavailability.

References:
[1] http://www.openwall.com/lists/oss-security/2013/03/21/3

Upstream bug report:
[2] http://www.mantisbt.org/bugs/view.php?id=15573

Relevant upstream patch:
[3] https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7
Comment 6 Agostino Sarubbo gentoo-dev 2013-04-05 11:22:11 UTC
Other vulnerabilities out: http://www.openwall.com/lists/oss-security/2013/04/04/8

1. Close button available to users despite workflow restrictions

This issue affects Mantis 1.2.12 and later.

It allows low-privileged users to close issues even though the workflow
settings do not permit it.

Reference: http://www.mantisbt.org/bugs/view.php?id=15453


4. XSS issue on Configuration Report page when displaying complex value

This issue affects Mantis 1.2.0rc1 and later.

Lack of proper string escaping allows users (having admin access) to enter
arbitrary javascript code and have it executed on the user's browser.

Reference: http://www.mantisbt.org/bugs/view.php?id=15416


Issues 2 and 3 do not affect Gentoo.

Please bump 1.2.15
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2013-05-11 19:31:06 UTC
New version is in the tree. Arch teams, please, stabilize 1.2.15.
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-19 15:06:48 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-05-19 15:08:03 UTC
x86 stable
Comment 10 Sergey Popov gentoo-dev 2013-08-22 10:00:28 UTC
GLSA vote: yes
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 03:09:30 UTC
GLSA Vote: Yes
Created a New GLSA request.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-03-07 08:25:15 UTC
Multiple vulnerabilities spread across 9 different bugs.  No movement from maintainers in over a year.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-04-01 03:42:53 UTC
Package removed