With this new release a fix for a Remote Code Execution exploit was added. It was reported here: http://www.mantisbt.org/bugs/view.php?id=0009704 The exploit exists here: http://www.milw0rm.com/exploits/6768
The ebuild was just added to the tree. Arch teams, please stabilize. Target keywords: mantisbt-1.1.4: amd64 ppc x86
Setting whiteboard, CVE requested on oss-sec. If I'm not mistaken, this issue is fixed in 1.1.4, so replacing <= by < in the summary.
amd64/x86 stable, again!
This new release has some problems:

1. The fix for this issue was incomplete, see the last comment at bug: http://www.mantisbt.org/bugs/view.php?id=9704
2. It does not allow registering new users: http://www.mantisbt.org/bugs/view.php?id=9713
3. Small issue: http://www.mantisbt.org/bugs/view.php?id=9714

Currently I've committed 1.1.4-r1, which is supposed to fix these issues, but I'm not sure what to do in this situation. We have stable broken. 1.1.3-r1 and 1.1.4 both have the issue with user registration and this bug. Moving back to 1.1.2 is also not the best idea, taking into account the number of security issues that were fixed since that time. So the question is: should we stabilize this 1.1.4-r1 revision and continue our (not really) nice ride:

  19 Oct 2008; Markus Meier <maekke@gentoo.org> mantisbt-1.1.4.ebuild:
  amd64/x86 stable, bug #242722

  16 Oct 2008; Markus Meier <maekke@gentoo.org> mantisbt-1.1.3-r1.ebuild:
  amd64/x86 stable, bug #241940

  01 Oct 2008; Markus Meier <maekke@gentoo.org> mantisbt-1.1.2-r1.ebuild:
  amd64/x86 stable, bug #238570

or should we package mask it (until 1.1.5 or maybe longer)? Or what? I'd say let's stabilize 1.1.4-r1 and, if required, we'll continue adding fixes/stabilizing revisions/versions (adding archs, again...). At least this will provide our users with the best solution for the moment. But if there are other opinions, please speak. And in any case I'd say let's postpone the GLSA for at least one week.
Name: CVE-2008-4687
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4687
Reference: MILW0RM:6768
Reference: URL:http://www.milw0rm.com/exploits/6768
Reference: MLIST:[oss-security] 20081019 CVE request: mantisbt < 1.1.4: RCE
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/19/1
Reference: CONFIRM:http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679
Reference: CONFIRM:http://www.mantisbt.org/bugs/changelog_page.php
Reference: CONFIRM:http://www.mantisbt.org/bugs/view.php?id=0009704
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=242722

manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.
Yet another issue:

Name: CVE-2008-4688
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688
Reference: MLIST:[oss-security] 20081020 Re: CVE request: mantisbt < 1.1.4: RCE
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/20/1
Reference: CONFIRM:http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/string_api.php?r1=5285&r2=5384&pathrev=5384
Reference: CONFIRM:http://www.mantisbt.org/bugs/changelog_page.php
Reference: CONFIRM:http://www.mantisbt.org/bugs/view.php?id=9321

core/string_api.php in Mantis before 1.1.3 does not check the privileges of the viewer before composing a link with issue data in the source anchor, which allows remote attackers to discover an issue's title and status via a request with a modified issue number.

---

Going back to 1.1.2 is a no-go and leaving stable users with broken setups is not too nice either, so I'd be in favor of getting a working and fixed version stable rather quickly. Just my opinion though. (And sorry for the spam, forgot the second CVE when submitting the first change.)
CVE-2008-4687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4687):
manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.

CVE-2008-4688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4688):
core/string_api.php in Mantis before 1.1.3 does not check the privileges of the viewer before composing a link with issue data in the source anchor, which allows remote attackers to discover an issue's title and status via a request with a modified issue number.
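Added illustration of the bug class behind CVE-2008-4687 and of the fix approach; this is not MantisBT's own code and not from this thread. The function names, the sample project rows and the allow-list are constructed for the example: a sort helper that splices a request-controlled field name into source text for create_function(), beside a hardened version that validates the field against a fixed allow-list and sorts with a closure instead.

```php
<?php
// Hypothetical illustration of the CVE-2008-4687 bug class; not MantisBT code.
// Constructed sample rows standing in for the project list being sorted.
$projects = [
    ['id' => 3, 'name' => 'Gamma', 'status' => 50],
    ['id' => 1, 'name' => 'Alpha', 'status' => 10],
    ['id' => 2, 'name' => 'Beta',  'status' => 30],
];

// VULNERABLE pattern: the field name arrives from the request and is
// concatenated into PHP source that create_function() compiles at runtime.
// Whatever ends up in $field is executed with the web application's
// privileges. (create_function() was deprecated in PHP 7.2 and removed in 8.0.)
function multi_sort_vulnerable(array $rows, string $field): array {
    $cmp = create_function('$a, $b',
        'return strcmp($a["' . $field . '"], $b["' . $field . '"]);');
    usort($rows, $cmp);
    return $rows;
}

// HARDENED version: accept only column names from a fixed allow-list, then
// sort with a closure so no source text is generated from user input.
const SORTABLE_FIELDS = ['id', 'name', 'status'];

function multi_sort_safe(array $rows, string $field, string $dir = 'ASC'): array {
    if (!in_array($field, SORTABLE_FIELDS, true)) {
        throw new InvalidArgumentException('unsupported sort field');
    }
    $mult = strtoupper($dir) === 'DESC' ? -1 : 1;
    usort($rows, function (array $a, array $b) use ($field, $mult): int {
        return $mult * ($a[$field] <=> $b[$field]);
    });
    return $rows;
}

// Typical caller: the sort parameter is untrusted input and is rejected with
// a 400 instead of being interpreted, so a bad value is visible in access logs.
$field = $_GET['sort'] ?? 'name';
try {
    foreach (multi_sort_safe($projects, $field) as $p) {
        echo $p['id'], ' ', $p['name'], PHP_EOL;
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'bad sort parameter', PHP_EOL;
}
```

The same allow-list check is the thing to look for when reviewing any sort, filter or column parameter that is reused in generated code or SQL.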
amd64/x86 stable
version: www-apps/mantisbt-1.1.4-r2 (as requested by pva)
ppc stable
GLSA request filed.
GLSA 200812-07