Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553306 (CVE-2015-5059) - www-apps/mantisbt: Information disclosure (CVE-2015-5059)
Summary: www-apps/mantisbt: Information disclosure (CVE-2015-5059)
Status: RESOLVED FIXED
Alias: CVE-2015-5059
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [ebuild/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-26 09:29 UTC by Agostino Sarubbo
Modified: 2016-04-01 03:46 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-06-26 09:29:54 UTC
From ${URL} :

In MantisBT, the "Project Documentation" feature can be used to attach 
files to a project.

When this feature is enabled ($g_enable_project_documentation = ON) and 
the threshold to view these files is left to its default value 
($g_view_proj_doc_threshold = ANYBODY), any registered user in the 
system can download every such attachment, including those which are 
linked to private projects to which the user does not have access.

This can be achieved by calling the download script directly, and 
specifying the ID of the file to download, e.g.

http://example.com/mantis/file_download.php?file_id=123&type=doc


Affected versions:
- <= 1.2.19
- <= 1.3.0-beta.2

Fixed in versions:
- 1.2.20 (not yet released)
- 1.3.0-rc1 (not yet released)

Patch:
See Github [1]

Credits:
The issue was discovered by Werner Karl and fixed by Damien Regad
(MantisBT Developer).

References:
Further details available in our issue tracker [2]


Best regards,
D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/f39cf525 (1.2.x)
     http://github.com/mantisbt/mantisbt/commit/a4be76d6 (1.3.x)
[2] https://mantisbt.org/bugs/view.php?id=19873



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 14:31:33 UTC
It has been some time since this Bug received an update. Since it is security related, bringing it up to the surface so it is not forgotten.

Any updates?
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-12-23 16:14:15 UTC
It has been six months since the bug went in to the system. Please decide if interested in maintaining the package, or if you would like to remove it from tree.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-07 08:28:02 UTC
Multiple vulnerabilities spread across 9 different bugs.  No movement from maintainers in over a year.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-04-01 03:46:51 UTC
Package removed