Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 420375 (CVE-2012-2691) - <www-apps/mantisbt-1.2.11: multiple vulnerabilities (CVE-2012-{2691,2692})
Summary: <www-apps/mantisbt-1.2.11: multiple vulnerabilities (CVE-2012-{2691,2692})
Status: RESOLVED FIXED
Alias: CVE-2012-2691
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [glsa]
Keywords:
: 423957 (view as bug list)
Depends on:
Blocks: CVE-2012-1118
  Show dependency tree
 
Reported: 2012-06-09 09:15 UTC by David Hicks
Modified: 2012-11-08 10:43 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Hicks 2012-06-09 09:15:18 UTC
MantisBT 1.2.11 is a security update for the stable 1.2.x branch.

CVE requests for 2 issues have been sent to oss-security@lists.openwall.com as follows:

CVE REQUEST #1

Title: Reporters can edit arbitrary bugnotes via SOAP API
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11

Description:
Roland Becker and Damien Regad (MantisBT developers) found that any user
able to report issues via the SOAP interface could also modify any
bugnotes (comments) created by other users. In a default/typical
MantisBT installation, SOAP API is enabled and any user can sign up to
report new issues. This vulnerability therefore impacts upon many public
facing MantisBT installations.

References:
[1] http://www.mantisbt.org/bugs/view.php?id=14340



CVE REQUEST #2

Title: delete_attachments_threshold not checked on attachment deletion
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11

Description:
Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when a
user attempted to delete an attachment from an issue. The more generic
update_bug_threshold permission was being checked instead. MantisBT
administrators may have been under the false impression that their
configuration of the delete_attachments_threshold was successfully
preventing unwanted users from deleting attachments.

References:
[1] http://www.mantisbt.org/bugs/view.php?id=14016

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2012-06-09 15:19:44 UTC
Thanks for the report David.
Comment 2 David Hicks 2012-06-12 08:49:10 UTC
CVE numbers were assigned as follows:

CVE-2012-2691: Reporters can edit arbitrary bugnotes via SOAP API (#14340)

CVE-2012-2692: delete_attachments_threshold not checked on attachment deletion (#14016)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 23:15:56 UTC
CVE-2012-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2692):
  MantisBT before 1.2.11 does not check the delete_attachments_threshold
  permission when form_security_validation is set to OFF, which allows remote
  authenticated users with certain privileges to bypass intended access
  restrictions and delete arbitrary attachments.

CVE-2012-2691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2691):
  The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11
  does not properly check privileges, which allows remote attackers with bug
  reporting privileges to edit arbitrary bugnotes via a SOAP request.
Comment 4 Agostino Sarubbo gentoo-dev 2012-06-28 11:11:51 UTC
*** Bug 423957 has been marked as a duplicate of this bug. ***
Comment 5 Sean Amoss gentoo-dev Security 2012-09-20 00:23:53 UTC
Peter, David, web-apps: may we stabilize 1.2.11?
Comment 6 Sean Amoss gentoo-dev Security 2012-09-26 22:25:41 UTC
(In reply to comment #5)
> Peter, David, web-apps: may we stabilize 1.2.11?

ping?
Comment 7 David Hicks 2012-09-26 23:37:12 UTC
From a MantisBT developer point-of-view I don't see any reason for holding back on stabilisation. We're fairly strict about what goes into minor version bumps (security and small bug fixes).
Comment 8 Sean Amoss gentoo-dev Security 2012-09-27 17:53:05 UTC
Arches, please test and mark stable =www-apps/mantisbt-1.2.11
Comment 9 Agostino Sarubbo gentoo-dev 2012-09-28 09:48:35 UTC
amd64 stable
Comment 10 Andreas Schürch gentoo-dev 2012-10-08 08:11:25 UTC
x86 stable, last arch!
Comment 11 Sean Amoss gentoo-dev Security 2012-10-08 11:13:56 UTC
Thanks, everyone.

Already on an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-11-08 10:43:02 UTC
This issue was resolved and addressed in
 GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).