Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 222649 - www-apps/mantisbt <1.2.0a1? Remote code execution, CSRF, XSS (CVE-2008-2276)
Summary: www-apps/mantisbt <1.2.0a1? Remote code execution, CSRF, XSS (CVE-2008-2276)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 229105 CVE-2008-3331
  Show dependency tree
Reported: 2008-05-18 13:56 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-26 19:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

adv.txt (adv.txt,7.80 KB, text/plain)
2008-09-29 07:43 UTC, Peter Volkov (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-18 13:56:38 UTC
CVE-2008-2276 (
  Cross-site request forgery (CSRF) vulnerability in Mantis 1.1.1 allows remote
  attackers to create new administrative users via user_create.
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-05-19 04:22:20 UTC
Backporting the patch to 1.1.1 seems rather involved. So I'd suggest waiting for 1.2.0 here.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-05-19 08:32:13 UTC
There were a rumors about upcoming 1.1.2, so I'd wait too but for that version. I'm sure 1.2.0 is too unstable to mark it stable...
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 21:10:51 UTC
The fixes introduced in 1.1.2 are not enough.

Please note that new vulnerabilities have been discovered, see:
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2008-05-21 06:02:57 UTC
Thank you for the link, I'll check that all that bugs be fixed in 1.1.2. 1.1.2 is not released yet and work on backporting security and other fixes is in progress. 
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2008-07-13 21:40:29 UTC
New version was added to the tree. Robert the link you posted here is unavailable now, but at time you posted it here, I've showed it to mantis developers and I remember that the issues that were raised there were in TODO list for 1.1.2 release. So I can not check now but I hope that everything is fixed.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2008-09-29 07:26:46 UTC
Well, link is available now and I've checked that all things reported there were fixed in 1.1.2 release, which is already stable in our tree. Please, mark this bug as appropriate. Thank you.
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-09-29 07:43:04 UTC
Created attachment 166739 [details]

Attaching text Robert gave link in comment #3 not to loose it anymore.
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-15 18:13:17 UTC
Should be GLSAed together with bug 238570 and bug 241940.
Security, please file the GLSA request.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 19:27:49 UTC
CVE-2008-2276 was resolved in GLSA 200809-10, the other issues in the adv.txt are CVE-2008-3331 and CVE-2008-3332, which were bug 233336.