Bug 241940 (CVE-2008-4689)

Summary: www-apps/mantisbt < 1.1.3: Logout functionality is broken (CVE-2008-4689)
Product: Gentoo Security
Reporter: Peter Volkov (RETIRED) <pva>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Peter Volkov (RETIRED) gentoo-dev 2008-10-14 11:59:33 UTC
Hello. Since our previous version (mantisbt-1.1.2-r1), it seems that small issues were fixed upstream:

------------------------------------------------------------------------
r5594 | nuclear_eclipse | 2008-09-27 18:28:01 +0400 (Сбт, 27 Сен 2008) | 1 line

Fix #9664: PHP session cookies were not destroyed, and session_clean() was never called.
------------------------------------------------------------------------
r5624 | nuclear_eclipse | 2008-10-03 19:21:14 +0400 (Птн, 03 Окт 2008) | 1 line

Fix form security validation to use separate purge() step to work around all the possible error states.
------------------------------------------------------------------------
r5625 | nuclear_eclipse | 2008-10-03 19:22:45 +0400 (Птн, 03 Окт 2008) | 1 line

First step to implementing new form security purge().
------------------------------------------------------------------------
r5626 | nuclear_eclipse | 2008-10-03 19:23:32 +0400 (Птн, 03 Окт 2008) | 1 line

Second step of implementing form security purging.
------------------------------------------------------------------------
r5627 | nuclear_eclipse | 2008-10-03 19:23:41 +0400 (Птн, 03 Окт 2008) | 1 line

Last move to using form security purging.
------------------------------------------------------------------------
r5629 | nuclear_eclipse | 2008-10-03 21:43:16 +0400 (Птн, 03 Окт 2008) | 1 line

Move all form_security_validate() calls before any processing happens.
------------------------------------------------------------------------

For example, a vulnerability not reported anywhere was fixed:
http://www.mantisbt.org/bugs/view.php?id=9664
Also, it's clear that commits r562* were done to improve security.

This new release was already added to the tree and I think it's worth starting stabilization immediately. But what does the security team think?
Comment 1 Marek Królikowski 2008-10-15 06:37:55 UTC
For me this version is not working... I can't add a new problem to mantisbt.
I see on the Mantis webpage:
 
"Sorry everyone: I broke the 1.1.3 build; it's fixed in SVN as of r5668; we'll see where we can go from here."

Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-10-15 17:07:37 UTC
(In reply to comment #1)
> For me this version is not working... I can't add a new problem to mantisbt.

Thank you for the report, Marek. This should be fixed in mantisbt-1.1.3-r1. BTW, please, next time open a new bug report. :)
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-15 17:32:00 UTC
Just had a quick conversation with pva on IRC. Besides the generic security improvements (which don't have any direct effect or at least it's not easily visible which those would be), the mentioned bug report describes an issue which apparently breaks the logout function. This will lead to information disclosure or unwanted manipulation of data, as another person (at the same machine) could hijack the session after a "successful" logout.

So, arches, please test and stabilize:
  =www-apps/mantisbt-1.1.3-r1

Target keywords: amd64 ppc x86
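To make the defect behind this bug concrete, here is an added PHP example (not MantisBT's own code, and not a reproduction of its session_clean()) that puts a logout which only clears session variables next to one that also expires the session cookie and destroys the server-side record, which is what the r5594 log line above says was missing. It assumes PHP 7.3 or later for the setcookie() options array; the function names logout_weak(), logout_hardened() and login_start() are hypothetical.

```php
<?php
// Added example, not MantisBT code. Function names are hypothetical.
declare(strict_types=1);

// Weak logout: empties the session data but leaves the session cookie in
// the browser and the session record on the server. The session ID stays
// valid, so the "successful" logout does not actually end the session.
function logout_weak(): void
{
    // Clearing variables is not the same as destroying the session.
    $_SESSION = [];
    // No setcookie() expiring the session cookie, no session_destroy().
}

// Hardened logout, following the recipe from the PHP manual entry for
// session_destroy(): wipe the data, expire the cookie with the same
// parameters it was issued with, then destroy the server-side record.
function logout_hardened(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop all data held in the session.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. Reuse the parameters the
    //    cookie was set with; if path/domain differ, the browser keeps the
    //    original cookie and step 1 alone changes nothing client-side.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            [
                'expires'  => time() - 42000,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'] ?? 'Lax',
            ]
        );
    }

    // 3. Remove the server-side session record so the old ID is useless
    //    even if a copy of the cookie is still around.
    session_destroy();
}

// On login, rotate the session ID so an ID that existed before
// authentication never becomes an authenticated one.
function login_start(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // true also deletes the old session record
    $_SESSION['user_id'] = $userId;
}
```

A quick check for this class of bug: the HTTP response to the logout request should carry a Set-Cookie header for the session cookie name with an expiry in the past, and a follow-up request that replays the pre-logout cookie value should be treated as unauthenticated. If either fails, the logout is cosmetic in the way this bug describes.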
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-16 18:13:56 UTC
ppc stable
Comment 5 Markus Meier gentoo-dev 2008-10-16 18:47:14 UTC
amd64/x86 stable, all arches done.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-16 18:56:15 UTC
Ready for vote, I vote YES.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-10-16 21:38:38 UTC
Yes too, request filed.
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 17:04:32 UTC
Name: CVE-2008-4689
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689
Reference: MLIST:[oss-security] 20081020 Re: CVE request: mantisbt < 1.1.4: RCE
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/20/1
Reference: CONFIRM:http://www.mantisbt.org/bugs/changelog_page.php
Reference: CONFIRM:http://www.mantisbt.org/bugs/file_download.php?file_id=1988&type=bug
Reference: CONFIRM:http://www.mantisbt.org/bugs/view.php?id=9664

Mantis before 1.1.3 does not unset the session cookie during logout,
which makes it easier for remote attackers to hijack sessions.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-23 08:41:58 UTC
CVE-2008-4689 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4689):
  Mantis before 1.1.3 does not unset the session cookie during logout,
  which makes it easier for remote attackers to hijack sessions.

Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-23 08:43:51 UTC
Whoops. Sorry bugspam, check-todo-issues made me do it. :/
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:56:09 UTC
GLSA 200812-07