Bug 242722 (CVE-2008-4687) - www-apps/mantisbt < 1.1.4-r1 Remote Code Execution, Information Disclosure (CVE-2008-{4687,4688})
Summary: www-apps/mantisbt < 1.1.4-r1 Remote Code Execution, Information Disclosure (C...
Status: RESOLVED FIXED
Alias: CVE-2008-4687
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL: http://www.mantisbt.org/bugs/view.php...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-19 08:54 UTC by Peter Volkov (RETIRED)
Modified: 2008-12-02 17:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Peter Volkov (RETIRED) gentoo-dev 2008-10-19 08:54:55 UTC
With this new release a fix for a Remote Code Execution exploit was added. It was reported here:
http://www.mantisbt.org/bugs/view.php?id=0009704

Exploit exists here:
http://www.milw0rm.com/exploits/6768
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2008-10-19 08:57:50 UTC
Ebuild was just added to the tree. Arch teams, please stabilize.

Target keywords:
mantisbt-1.1.4: amd64 ppc x86
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-19 09:20:14 UTC
Setting whiteboard, CVE requested on oss-sec.

If I'm not mistaken, this issue is fixed in 1.1.4, so replacing <= by < in the summary.
Comment 3 Markus Meier gentoo-dev 2008-10-19 14:37:00 UTC
amd64/x86 stable, again!
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2008-10-20 20:08:53 UTC
This new release has some problems:

1. The fix for this issue was incomplete, see the last comment at bug:
http://www.mantisbt.org/bugs/view.php?id=9704
2. It does not allow registering new users:
http://www.mantisbt.org/bugs/view.php?id=9713
3. small issue: http://www.mantisbt.org/bugs/view.php?id=9714

Currently I've committed 1.1.4-r1, which is supposed to fix these issues, but I'm not sure what to do in this situation. We have stable broken. 1.1.3-r1 and 1.1.4 both have the issue with user registration and this bug. Moving back to 1.1.2 is also not the best idea, taking into account the number of security issues that were fixed since that time.

So the question is: should we stabilize this 1.1.4-r1 revision and continue our (not really) nice ride:

  19 Oct 2008; Markus Meier <maekke@gentoo.org> mantisbt-1.1.4.ebuild:
  amd64/x86 stable, bug #242722
  16 Oct 2008; Markus Meier <maekke@gentoo.org> mantisbt-1.1.3-r1.ebuild:
  amd64/x86 stable, bug #241940
  01 Oct 2008; Markus Meier <maekke@gentoo.org> mantisbt-1.1.2-r1.ebuild:
  amd64/x86 stable, bug #238570

or should we package mask it (until 1.1.5 or maybe longer)? Or what? I'd say let's stabilize 1.1.4-r1 and, if required, we'll continue adding fixes/stabilizing revisions/versions (adding archs, again...). At least this will provide our users with the best solution at the moment. But if there are other opinions, please speak.

And in any case I'd say let's postpone GLSA at least for one week.
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 17:06:54 UTC
Name: CVE-2008-4687
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4687
Reference: MILW0RM:6768
Reference: URL:http://www.milw0rm.com/exploits/6768
Reference: MLIST:[oss-security] 20081019 CVE request: mantisbt < 1.1.4: RCE
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/19/1
Reference: CONFIRM:http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679
Reference: CONFIRM:http://www.mantisbt.org/bugs/changelog_page.php
Reference: CONFIRM:http://www.mantisbt.org/bugs/view.php?id=0009704
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=242722

manage_proj_page.php in Mantis before 1.1.4 allows remote
authenticated users to execute arbitrary code via a sort parameter
containing PHP sequences, which are processed by create_function
within the multi_sort function in core/utility_api.php.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-22 17:10:20 UTC
Yet another issue:

Name: CVE-2008-4688
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688
Reference: MLIST:[oss-security] 20081020 Re: CVE request: mantisbt < 1.1.4: RCE
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/20/1
Reference: CONFIRM:http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/string_api.php?r1=5285&r2=5384&pathrev=5384
Reference: CONFIRM:http://www.mantisbt.org/bugs/changelog_page.php
Reference: CONFIRM:http://www.mantisbt.org/bugs/view.php?id=9321

core/string_api.php in Mantis before 1.1.3 does not check the
privileges of the viewer before composing a link with issue data in
the source anchor, which allows remote attackers to discover an
issue's title and status via a request with a modified issue number.

---
Going back to 1.1.2 is a no-go and leaving stable users with broken setups is not too nice either, so I'd be in favor of getting a working and fixed version stable rather quickly. Just my opinion though.

(And sorry for the spam, forgot the second CVE when submitting the first change)
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-23 08:41:51 UTC
CVE-2008-4687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4687):
  manage_proj_page.php in Mantis before 1.1.4 allows remote
  authenticated users to execute arbitrary code via a sort parameter
  containing PHP sequences, which are processed by create_function
  within the multi_sort function in core/utility_api.php.

CVE-2008-4688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4688):
  core/string_api.php in Mantis before 1.1.3 does not check the
  privileges of the viewer before composing a link with issue data in
  the source anchor, which allows remote attackers to discover an
  issue's title and status via a request with a modified issue number.

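The two CVE descriptions above name the defect, not the fix. The following PHP is an added illustration written for this page; it is not MantisBT's code and does not reproduce the original manage_proj_page.php or string_api.php. It shows, for CVE-2008-4687, how a request-supplied sort field can be reduced to an allowlisted column and used as data inside a closure instead of being compiled with create_function(), and, for CVE-2008-4688, how an issue link can be built so that title and status are only included after an access check. The row layout, the ALLOWED_SORT_FIELDS list, can_view_issue() and its project/viewer shape are assumptions; PHP 7 or later is assumed for the spaceship operator.

```php
<?php
// Added illustration, not MantisBT code. Field names, the access model and the
// sample data below are assumptions made for this example.

// Constructed sample rows standing in for project records.
const SAMPLE_ROWS = [
    ['id' => 3, 'name' => 'gamma', 'status' => 'open'],
    ['id' => 1, 'name' => 'alpha', 'status' => 'closed'],
    ['id' => 2, 'name' => 'beta',  'status' => 'open'],
];

// Fields a client may sort by. Anything else is rejected before it reaches sort logic.
const ALLOWED_SORT_FIELDS = ['id', 'name', 'status'];

/**
 * Reduce a request-supplied sort field to a known column name.
 * The CVE-2008-4687 pattern spliced the raw value into a string that
 * create_function() compiled as PHP. Here the value is only ever used as an
 * array key, and only after it has matched the allowlist exactly.
 */
function validate_sort_field(string $sort): string
{
    if (!in_array($sort, ALLOWED_SORT_FIELDS, true)) {
        throw new InvalidArgumentException('unknown sort field');
    }
    return $sort;
}

/**
 * Sort rows by a validated field using a closure instead of generated code.
 * $field is captured as data; no user-controlled text is ever compiled.
 */
function sort_rows(array $rows, string $sort, bool $descending = false): array
{
    $field = validate_sort_field($sort);
    usort($rows, function (array $a, array $b) use ($field, $descending): int {
        $cmp = $a[$field] <=> $b[$field];
        return $descending ? -$cmp : $cmp;
    });
    return $rows;
}

// --- CVE-2008-4688 side: do not leak issue data through a link ---

/**
 * Hypothetical access check: an issue is visible if it is public or the
 * viewer is a member of its project. A real application would call its own
 * authorization layer here.
 */
function can_view_issue(array $issue, array $viewer): bool
{
    return $issue['public'] || in_array($issue['project'], $viewer['projects'], true);
}

/**
 * Build an anchor for an issue reference. Title and status are included only
 * when the viewer is allowed to see the issue; otherwise a bare numeric link
 * is returned, so requesting arbitrary issue numbers reveals nothing about
 * their content.
 */
function issue_link(array $issue, array $viewer): string
{
    $id   = (int) $issue['id'];
    $href = sprintf('view.php?id=%d', $id);
    if (!can_view_issue($issue, $viewer)) {
        return sprintf('<a href="%s">#%d</a>', $href, $id);
    }
    $title  = htmlspecialchars($issue['summary'], ENT_QUOTES, 'UTF-8');
    $status = htmlspecialchars($issue['status'], ENT_QUOTES, 'UTF-8');
    return sprintf('<a href="%s" title="%s [%s]">#%d</a>', $href, $title, $status, $id);
}

// Demonstration run with the constructed data.
$sorted = sort_rows(SAMPLE_ROWS, 'name');
echo implode(',', array_column($sorted, 'name')), "\n";

try {
    // A value that is not a known column (here one carrying a quote) is
    // rejected by the allowlist; it never reaches usort() or any compiler.
    sort_rows(SAMPLE_ROWS, 'name"');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Constructed issue and two constructed viewers: one outside the project, one inside.
$issue  = ['id' => 1234, 'project' => 'private', 'public' => false,
           'summary' => 'internal report', 'status' => 'new'];
$guest  = ['projects' => []];
$member = ['projects' => ['private']];
echo issue_link($issue, $guest), "\n";
echo issue_link($issue, $member), "\n";
```

The point of the first half is that a sort parameter should select from a fixed set of columns and nothing more; once the value is matched against an allowlist with strict comparison, it is safe to use as an array key, and a closure removes any need for create_function(). The second half makes the access decision before any issue data is read into the link, which is the ordering the CVE-2008-4688 description says was missing.
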
Comment 8 Markus Meier gentoo-dev 2008-10-25 13:26:31 UTC
amd64/x86 stable
Comment 9 Markus Meier gentoo-dev 2008-10-25 13:29:58 UTC
version: www-apps/mantisbt-1.1.4-r2 (as requested by pva)
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-30 19:17:09 UTC
ppc stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-31 21:34:40 UTC
GLSA request filed.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:55:56 UTC
GLSA 200812-07