Bug 420375 (CVE-2012-2691) - <www-apps/mantisbt-1.2.11: multiple vulnerabilities (CVE-2012-{2691,2692})
Summary: <www-apps/mantisbt-1.2.11: multiple vulnerabilities (CVE-2012-{2691,2692})
Alias: CVE-2012-2691
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Duplicates: 423957
Depends on:
Blocks: CVE-2012-1118
Reported: 2012-06-09 09:15 UTC by David Hicks
Modified: 2012-11-08 10:43 UTC

See Also:
Package list:
Runtime testing required: ---
Description David Hicks 2012-06-09 09:15:18 UTC
MantisBT 1.2.11 is a security update for the stable 1.2.x branch.

CVE requests for 2 issues have been sent to as follows:


Title: Reporters can edit arbitrary bugnotes via SOAP API
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11

Roland Becker and Damien Regad (MantisBT developers) found that any user
able to report issues via the SOAP interface could also modify any
bugnotes (comments) created by other users. In a default/typical
MantisBT installation, SOAP API is enabled and any user can sign up to
report new issues. This vulnerability therefore impacts upon many public
facing MantisBT installations.



Title: delete_attachments_threshold not checked on attachment deletion
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11

Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when a
user attempted to delete an attachment from an issue. The more generic
update_bug_threshold permission was being checked instead. MantisBT
administrators may have been under the false impression that their
configuration of the delete_attachments_threshold was successfully
preventing unwanted users from deleting attachments.


Reproducible: Always
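The two access checks the report describes, as an added Python model written for this page (not MantisBT code): the pre-1.2.11 behaviour beside the corrected rule for each issue, plus a defender's check that lists which configured access levels the wrong threshold would have let delete attachments. The access-level numbers and every config key other than update_bug_threshold and delete_attachments_threshold are assumptions.

```python
"""Model of the two MantisBT access checks in this bug (constructed; not MantisBT code)."""

# Access levels, numbered in the MantisBT style (constructed for this example)
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
LEVELS = [VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR]

# Sample thresholds an administrator might set. Only update_bug_threshold and
# delete_attachments_threshold are named in the report; the other keys are assumed.
SAMPLE_CONFIG = {
    "report_bug_threshold": REPORTER,
    "update_bug_threshold": REPORTER,
    "update_bugnote_threshold": DEVELOPER,
    "delete_attachments_threshold": MANAGER,
}


def has_level(user, threshold):
    """A user passes a threshold check when their level is at least the threshold."""
    return user["level"] >= threshold


def can_update_bugnote(user, note, cfg, fixed=True):
    """CVE-2012-2691: before 1.2.11 anyone able to report bugs could edit any note."""
    if not fixed:
        return has_level(user, cfg["report_bug_threshold"])
    # Corrected rule as modelled here: the note's author may edit it;
    # anyone else needs the (assumed) bugnote-update threshold.
    if note["author_id"] == user["id"]:
        return True
    return has_level(user, cfg["update_bugnote_threshold"])


def can_delete_attachment(user, cfg, fixed=True):
    """CVE-2012-2692: before 1.2.11 the generic update_bug_threshold was consulted."""
    key = "delete_attachments_threshold" if fixed else "update_bug_threshold"
    return has_level(user, cfg[key])


def over_permitted_levels(cfg):
    """Defender's check: access levels the old check let delete attachments
    although the configured delete_attachments_threshold denies them."""
    return [lvl for lvl in LEVELS
            if can_delete_attachment({"level": lvl}, cfg, fixed=False)
            and not can_delete_attachment({"level": lvl}, cfg)]
```

With the sample configuration, over_permitted_levels shows that reporters, updaters and developers could delete attachments before the fix even though the administrator's threshold only allowed managers.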
Comment 1 Agostino Sarubbo gentoo-dev 2012-06-09 15:19:44 UTC
Thanks for the report David.
Comment 2 David Hicks 2012-06-12 08:49:10 UTC
CVE numbers were assigned as follows:

CVE-2012-2691: Reporters can edit arbitrary bugnotes via SOAP API (#14340)

CVE-2012-2692: delete_attachments_threshold not checked on attachment deletion (#14016)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 23:15:56 UTC
CVE-2012-2692 (
  MantisBT before 1.2.11 does not check the delete_attachments_threshold
  permission when form_security_validation is set to OFF, which allows remote
  authenticated users with certain privileges to bypass intended access
  restrictions and delete arbitrary attachments.

CVE-2012-2691 (
  The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11
  does not properly check privileges, which allows remote attackers with bug
  reporting privileges to edit arbitrary bugnotes via a SOAP request.
Comment 4 Agostino Sarubbo gentoo-dev 2012-06-28 11:11:51 UTC
*** Bug 423957 has been marked as a duplicate of this bug. ***
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-20 00:23:53 UTC
Peter, David, web-apps: may we stabilize 1.2.11?
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-26 22:25:41 UTC
(In reply to comment #5)
> Peter, David, web-apps: may we stabilize 1.2.11?

Comment 7 David Hicks 2012-09-26 23:37:12 UTC
From a MantisBT developer point-of-view I don't see any reason for holding back on stabilisation. We're fairly strict about what goes into minor version bumps (security and small bug fixes).
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-27 17:53:05 UTC
Arches, please test and mark stable =www-apps/mantisbt-1.2.11
Comment 9 Agostino Sarubbo gentoo-dev 2012-09-28 09:48:35 UTC
amd64 stable
Comment 10 Andreas Schürch gentoo-dev 2012-10-08 08:11:25 UTC
x86 stable, last arch!
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-08 11:13:56 UTC
Thanks, everyone.

Already on an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-11-08 10:43:02 UTC
This issue was resolved and addressed in
 GLSA 201211-01 at
by GLSA coordinator Tobias Heinlein (keytoaster).