Debian Bug report logs - #335938
mantis: Mantis "t_core_path" File Inclusion Vulnerability


Package: mantis; Maintainer for mantis is Silvia Alvarez <sils@powered-by-linux.com>; Source for mantis is src:mantis.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 26 Oct 2005 21:33:01 UTC

Severity: grave

Tags: fixed, security

Found in version mantis/0.19.2-4

Fixed in version mantis/0.19.4-1

Done: Igor Genibel <igenibel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mantis: Mantis "t_core_path" File Inclusion Vulnerability
Date: Wed, 26 Oct 2005 23:30:30 +0200
Package: mantis
Version: 0.19.2-4
Severity: grave
Tags: security
Justification: user security hole

Another security problem has been found in mantis. Insufficient
input sanitising of the t_core_path parameter may be exploited
to perform arbitrary file inclusion. Please see 
http://secunia.com/secunia_research/2005-46/advisory/ for details.

Cheers,
          Moritz

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mantis depends on:
pn  apache | apache-ssl                      Not found.
ii  debconf                  1.4.30.13       Debian configuration management sy
ii  grep                     2.5.1.ds1-4     GNU grep, egrep and fgrep
ii  mysql-client-4.1 [mysql- 4.1.11a-4sarge2 mysql database client binaries
pn  php3 | php4                              Not found.
ii  php4-mysql               4:4.3.10-16     MySQL module for php4
pn  wwwconfig-common                         Not found.



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #10 received at 335938@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: "Moritz Muehlenhoff" <jmm@inutil.org>, 335938@bugs.debian.org
Cc: luk@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Thu, 27 Oct 2005 09:19:13 +0200 (CEST)
On Wed, October 26, 2005 23:30, Moritz Muehlenhoff wrote:
> Another security problem has been found in mantis. Insufficient
> input sanitising of the t_core_path parameter may be exploited to perform
> arbitrary file inclusion. Please see
> http://secunia.com/secunia_research/2005-46/advisory/ for details.

Hello Moritz,

Thank you for your report. I've prepared an NMU for all the recent
security problems in Mantis which is now awaiting review by my sponsor.


Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #15 received at 335938@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 335938@bugs.debian.org, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Thu, 27 Oct 2005 11:26:56 +0200
Thijs Kinkhorst wrote:
> > Another security problem has been found in mantis. Insufficient
> > input sanitising of the t_core_path parameter may be exploited to perform
> > arbitrary file inclusion. Please see
> > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> 
> Hello Moritz,
> 
> Thank you for your report. I've prepared an NMU for all the recent
> security problems in Mantis which is now awaiting review by my sponsor.

I assume you've prepared packages of 0.19.3?
This would address the SQL injection issue and the other XSS in view_all_set
as well, which are both not yet in the BTS.

The latest issues have been assigned CVE-2005-333[6789], BTW.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #20 received at 335938@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: "Moritz Muehlenhoff" <jmm@inutil.org>
Cc: 335938@bugs.debian.org, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Thu, 27 Oct 2005 14:10:39 +0200 (CEST)
On Thu, October 27, 2005 11:26, Moritz Muehlenhoff wrote:
> I assume you've prepared packages of 0.19.3?
> This would address the SQL injection issue and the other XSS in
> view_all_set as well, which are both not yet in the BTS.

Yes, I have.



Thijs




Tags added: pending Request was from "Thijs Kinkhorst" <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #27 received at 335938@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Thijs Kinkhorst <kink@squirrelmail.org>, 335938@bugs.debian.org, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Thu, 27 Oct 2005 14:56:48 +0200
Moritz Muehlenhoff wrote:
> Thijs Kinkhorst wrote:
> > > Another security problem has been found in mantis. Insufficient
> > > input sanitising of the t_core_path parameter may be exploited to perform
> > > arbitrary file inclusion. Please see
> > > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> > 
> > Hello Moritz,
> > 
> > Thank you for your report. I've prepared an NMU for all the recent
> > security problems in Mantis which is now awaiting review by my sponsor.
> 
> I assume you've prepared packages of 0.19.3?
> This would address the SQL injection issue and the other XSS in view_all_set
> as well, which are both not yet in the BTS.
> 
> The latest issues have been assigned CVE-2005-333[6789], BTW.

Do you have an idea which of them affect woody/sarge?

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdős

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #32 received at 335938@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: "Martin Schulze" <joey@infodrom.org>
Cc: "Moritz Muehlenhoff" <jmm@inutil.org>, 335938@bugs.debian.org, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Thu, 27 Oct 2005 15:04:11 +0200 (CEST)
On Thu, October 27, 2005 14:56, Martin Schulze wrote:
>> I assume you've prepared packages of 0.19.3?
>> This would address the SQL injection issue and the other XSS in
>> view_all_set as well, which are both not yet in the BTS.
>>
>> The latest issues have been assigned CVE-2005-333[6789], BTW.
>>
>
> Do you have an idea which of them affect woody/sarge?

I do about sarge: all of them affect sarge; I don't know about woody. I will
be preparing an upload for sarge soon, and investigate woody. Can't
promise anything about woody though, since the version is very different
from the current sarge/sid versions. But I will keep you all posted.


Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #37 received at 335938@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Thijs Kinkhorst <kink@squirrelmail.org>, 335938@bugs.debian.org, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Thu, 27 Oct 2005 15:49:50 +0200
[Message part 1 (text/plain, inline)]
Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > > Another security problem has been found in mantis. Insufficient
> > > > input sanitising of the t_core_path parameter may be exploited to perform
> > > > arbitrary file inclusion. Please see
> > > > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> > > 
> > > Hello Moritz,
> > > 
> > > Thank you for your report. I've prepared an NMU for all the recent
> > > security problems in Mantis which is now awaiting review by my sponsor.
> > 
> > I assume you've prepared packages of 0.19.3?
> > This would address the SQL injection issue and the other XSS in view_all_set
> > as well, which are both not yet in the BTS.
> > 
> > The latest issues have been assigned CVE-2005-333[6789], BTW.
> 
> Do you have an idea which of them affect woody/sarge?

All affect Sarge. 0.19.2 -> 0.19.3 only contains the security fixes plus a minor
non-security bug fix, so it should be rather easy to extract the patches.
I've attached a white-space-cleaned interdiff. More could be stripped, but
I'm not entirely sure which code is related to
" [bugtracker] System warning in login_page.php when no new installation (vboctor)"
(this is the only non-security change listed, but I'm not sure which one it is)

Woody seems unaffected, but 3337 should be double-checked in a real-life
environment.

CVE-2005-3339: (mantis bug 6097)
 The vulnerable code is not present.

CVE-2005-3338: (mantis bug 5247)
 The vulnerable code isn't present, either.

CVE-2005-3337: (mantis bugs 5959, 5751)
 Access to the bug description of 5959 is restricted, but view_all_set.php is not
 present in Woody's version, so it shouldn't be vulnerable.
 The XSS from 5751 can only be triggered through code from bug_actiongroup_page.php,
 which is not present in Woody, but might have an equivalent in 0.17. I couldn't
 find it with grep, but it should again be tested in a production mantis environment,
 as the bug contains a demo page with the XSS.

CVE-2005-3336: (mantis bug 6275)
 This one is denied as well, but judging from the interdiff the injection would
 take place in lost_pwd.php, and that code isn't present in 0.17.

CVE-2005-3335: (mantis bug 6273)
 Denied again, but with the information from the original Secunia advisory I'm sure
 Woody isn't affected either, as the vulnerable functionality isn't present in 0.17.

Cheers,
        Moritz
[mantis-interdiff-0.19.2-3.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #42 received at 335938@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 335938@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Cc: Martin Schulze <joey@infodrom.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Sat, 29 Oct 2005 22:33:56 +0200
[Message part 1 (text/plain, inline)]
Hello All,

On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote:
> All affect Sarge. 

I've prepared updated packages for sarge. My updated package for sid is
still pending with my sponsor Luk Claes. The updated packages for sarge
are available here:
http://www.a-eskwadraat.nl/~kink/mantis_sec/

They are not signed since I'm not a DD yet. 
Please let me know if you have comments or questions.


Regarding woody:

> Woody seems unaffected, but 3337 should be double-checked in a real-life
> environment.

>  which is not present in Woody, but might have an equivalent in 0.17. I couldn't
>  find it with grep, but it should again be tested in a production mantis environment,
>  as the bug contains a demo page with the XSS.

I've tried, but I can't even get the woody version to run on woody...
Any login or account-creation step yields errors. Hence, I can't test
them, but I agree with Moritz's assertions that woody is most probably not
vulnerable.


regards
Thijs Kinkhorst
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #49 received at 335938@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 335938@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Martin Schulze <joey@infodrom.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Mon, 31 Oct 2005 16:07:41 +0100
Thijs Kinkhorst wrote:
> > All affect Sarge. 
> 
> I've prepared updated packages for sarge. My updated package for sid is
> still pending with my sponsor Luk Claes. The updated packages for sarge
> are available here:
> http://www.a-eskwadraat.nl/~kink/mantis_sec/
> 
> They are not signed since I'm not a DD yet. 
> Please let me know if you have comments or questions.

The included patches look fine and correlate to what I extracted from the
interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?

The mantis bug is non-public, but according to the description it's
a cross-site-scripting vulnerability in mantis/view_all_set.php.

They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
changelog was a mistake or the fix is missing in 0.19.3 or the fix
is very non-obvious. But it should be checked back with upstream.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #54 received at 335938@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: "Moritz Muehlenhoff" <jmm@inutil.org>
Cc: 335938@bugs.debian.org, "Moritz Muehlenhoff" <jmm@inutil.org>, "Martin Schulze" <joey@infodrom.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Mon, 31 Oct 2005 16:29:35 +0100 (CET)
On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> The included patches look fine and correlate to what I extracted from the
>  interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
>
> The mantis bug is non-public, but according to the description it's
> a cross-site-scripting vulnerability in mantis/view_all_set.php
>
> They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
> show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
> changelog was a mistake or the fix is missing in 0.19.3 or the fix is very
> non-obvious. But it should be checked back with upstream.

According to the changelog, this was already fixed in Debian package
0.19.2-3 uploaded in September. Since this was uploaded by the security
team, can we assume that this was double-checked to be fixed...?


Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #59 received at 335938@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 335938@bugs.debian.org, Martin Schulze <joey@infodrom.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Mon, 31 Oct 2005 17:22:26 +0100
Thijs Kinkhorst wrote:
> On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> > The included patches look fine and correlate to what I extracted from the
> >  interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
> >
> > The mantis bug is non-public, but according to the description it's
> > a cross-site-scripting vulnerability in mantis/view_all_set.php
> >
> > They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
> > show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
> > changelog was a mistake or the fix is missing in 0.19.3 or the fix is very
> > non-obvious. But it should be checked back with upstream.
> 
> According to the changelog, this was already fixed in Debian package
> 0.19.2-3 uploaded in September. Since this was uploaded by the security
> team, can we assume that this was double-checked to be fixed...?

It's hard to tell whether it's the same issue, as #5959 is non-public, but at
least there are two different CVE mappings (CVE-2005-2557 and CVE-2005-3337).
But it might very well be that the CVE description is wrong, as all these mantis
issues are really confusing.

So #5959 probably refers to this hunk from the interdiff from the latest mantis
DSA. (I'm not 100% sure as #6002 is non-public as well and I don't know the
mantis code in detail):

--- mantis-0.19.2.orig/bug_actiongroup_page.php
+++ mantis-0.19.2/bug_actiongroup_page.php
@@ -114,7 +114,7 @@
 foreach( $f_bug_arr as $t_bug_id ) {
        $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
        $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n"
-               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
+               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, 'summary' ))
     );
        echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />' . "\n";
 }
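Review bot: the escaping is applied to the summary cell only, while the next line of the same hunk still concatenates `$t_bug_id` unescaped into the hidden input's `value="..."` attribute; `$t_bug_id` is iterated straight out of `$f_bug_arr`, so if that array is client-supplied it should be cast to int (or passed through the same escaping) before it is echoed. Also, `htmlentities(...)` is called without a quote style or charset, so single quotes pass through and the result depends on the default charset; passing `ENT_QUOTES` and an explicit charset makes the fix independent of server configuration.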

This would mean that they didn't pull over this security fix into 0.19.3 and in fact it
is unfixed in sid's 0.19.3 package as well.

The other XSS issues from the DSA are fixed in the sid version.

This hunk from the mantis DSA (#5956 and again non-public, CVE-2005-2556) is also unfixed
in sid (or has an alternate fix been applied?)

diff -u mantis-0.19.2/core/database_api.php mantis-0.19.2/core/database_api.php
--- mantis-0.19.2/core/database_api.php
+++ mantis-0.19.2/core/database_api.php
@@ -6,9 +6,16 @@

+       #
+       # Patch for #0005956: Database system scanner via variable poisoning
+       #
+
+       if (isset($_REQUEST["g_db_type"]))
+               die("");
+
        ### Database ###
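Review bot: the guard keys on a single request name, `isset($_REQUEST["g_db_type"])`, so it is a blocklist entry rather than a fix of the mechanism the comment names ("variable poisoning"): any other configuration variable reachable by the same route is still unguarded. Prefer initialising the database configuration variables explicitly before any request data is consulted (or rejecting every request key that matches the application's configuration names), and replace `die("")` with an explicit error status plus a log line, since `die("")` returns an empty 200 response and leaves no trace for operators.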

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #64 received at 335938@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 335938@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Cc: Martin Schulze <joey@infodrom.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Mon, 31 Oct 2005 21:30:19 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-10-31 at 17:22 +0100, Moritz Muehlenhoff wrote:
> It's hard to tell, whether it's the same issue as #5959 is non-public, but at
> least there are two different CVE mappings. (CVE-2005-2557 and CVE-2005-3337).
> But it might very well be that the CVE description is wrong, as all these mantis
> issues are really confusing.

> So #5959 probably refers to this hunk from the interdiff from the latest mantis
> DSA. (I'm not 100% sure as #6002 is non-public as well and I don't know the
> mantis code in detail):
> 
> --- mantis-0.19.2.orig/bug_actiongroup_page.php
> +++ mantis-0.19.2/bug_actiongroup_page.php
> @@ -114,7 +114,7 @@
>  foreach( $f_bug_arr as $t_bug_id ) {
>         $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
>         $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n"
> -               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
> +               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, 'summary' ))
>      );
>         echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />' . "\n";
>  }
> 
> This would mean that they didn't pull over this security fix into 0.19.3 and in fact it
> is unfixed in sid's 0.19.3 package as well.

This actually _is_ fixed in sid, but upstream fixed it differently from
the previous Debian fix: instead of htmlentities() they used
string_attribute() there which essentially does a htmlspecialchars().

> The other XSS issues from the DSA are fixed in the sid version.

> This hunk from the mantis DSA (#5956 and again non-public, CVE-2005-2556) is also unfixed
> in sid (or has an alternate fix been applied?)
> 
> diff -u mantis-0.19.2/core/database_api.php mantis-0.19.2/core/database_api.php
> --- mantis-0.19.2/core/database_api.php
> +++ mantis-0.19.2/core/database_api.php
> @@ -6,9 +6,16 @@
> 
> +       #
> +       # Patch for #0005956: Database system scanner via variable poisoning
> +       #
> +
> +       if (isset($_REQUEST["g_db_type"]))
> +               die("");
> +
>         ### Database ###

I don't know why you think this patch is not applied in sid, since this
code is exactly in the sid version, including that comment with the bug
number.

Concluding, I think current sid covers all of the previous DSA.


regards,
Thijs
[signature.asc (application/pgp-signature, inline)]
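The three fixes the thread turns on, output escaping of the bug summary, rejection of client-supplied configuration variables, and an include path that cannot be steered by request data, written out as an added PHP illustration. This is not Mantis's code, nor the Debian packages' own patches; it assumes a core/ directory beside the script for the include check, and the names in $g_config_names are constructed for the example rather than Mantis's real configuration list.

```php
<?php
// Added illustration, not code from Mantis or from the Debian packages:
// the three defensive patterns the thread touches on, as stand-alone PHP.

// 1. Output escaping for a bug summary placed in an HTML table cell.
//    The Debian NMU used htmlentities(); upstream used string_attribute(),
//    which the thread says is essentially htmlspecialchars(). Either way the
//    characters that matter in HTML text (& < > and the quotes) are encoded.
//    ENT_QUOTES also covers single quotes, and the explicit charset keeps the
//    result independent of the default_charset setting.
function render_summary_cell($summary) {
    return '<td>' . htmlspecialchars($summary, ENT_QUOTES, 'UTF-8') . '</td>';
}

// 2. Request-variable poisoning of configuration values.
//    The DSA hunk guards one name, g_db_type, with isset($_REQUEST[...]).
//    Rather than a blocklist of single names, this treats the application's
//    own list of configuration variables as the source of truth and reports
//    any request that carries one of them. The names below are constructed
//    for the example and are not claimed to be Mantis's real config list.
$g_config_names = array('g_db_type', 'g_hostname', 'g_db_username',
                        'g_db_password', 'g_database_name');

// Returns the first configuration name present in the request, or false.
// In production the caller would send a 400 and log the name before any
// output is produced, instead of the silent blank page that die("") gives.
function request_poisons_config(array $request, array $config_names) {
    foreach ($config_names as $name) {
        if (array_key_exists($name, $request)) {
            return $name;
        }
    }
    return false;
}

// 3. Include-path hardening for the t_core_path class of problem in the
//    subject line: the core/ directory is derived from this file's own
//    location, never from request data, and a candidate file is only
//    included if its canonical path resolves inside that directory.
function safe_core_include($file) {
    $base   = realpath(dirname(__FILE__) . '/core');
    $target = ($base === false) ? false : realpath($base . '/' . $file);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // missing, or resolves outside core/ (../ or absolute)
    }
    require_once $target;
    return true;
}

// --- Demonstration on constructed input (not taken from the page) ---

// A request that carries a configuration variable is flagged by name.
$sample_request = array('page' => '1', 'g_db_type' => 'mysql');
$hit = request_poisons_config($sample_request, $g_config_names);
echo $hit === false ? "request clean\n" : "request carries config variable: $hit\n";

// Markup characters in a summary end up encoded inside the cell.
$sample_summary = 'Crash when title is <script>alert(1)</script> & "quoted"';
echo render_summary_cell($sample_summary), "\n";

// A path that resolves outside core/ (or does not exist) never reaches
// require_once; the function reports false instead.
var_dump(safe_core_include('../outside.php'));
```

The include check relies on realpath() canonicalising the candidate before the prefix comparison, so ".." segments and absolute paths are resolved away before the test; a file that does not exist yields false from realpath() and is rejected by the same branch.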

Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #69 received at 335938@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: mantisbt-dev@lists.sourceforge.net
Cc: 335938@bugs.debian.org, luk@debian.org
Subject: Request to open up bug reports
Date: Wed, 2 Nov 2005 11:40:50 +0100 (CET)
Hello,

I'm writing on behalf of the Debian project; we're addressing the recent
security issues in Mantis. One of the things that still needs to be done is
to fix the version in "woody", our old stable release, which is at version
0.17.1. Following Debian security policy, we're backporting any relevant
fixes to that branch.

To judge what a bug is actually about, we rely on the description provided
by upstream (you). However, some bugs are still "access denied" for us,
even though they are already fixed in your release. It concerns the
following bugs:

#5959 (CVE-2005-3337)
#6273 (CVE-2005-3335)
#6275 (CVE-2005-3336)

We currently assert that woody is not vulnerable to these bugs. I would
like to request to open up those bugs to the public to allow us to get a
better view of the vulnerabilities. If you could confirm that 0.17.1 is
not vulnerable to these bugs, that would also suffice.

Thanks in advance.


Thijs Kinkhorst




Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#335938; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. Full text and rfc822 format available.

Message #74 received at 335938@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 335938@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Date: Sun, 20 Nov 2005 13:23:33 +0100
Thijs Kinkhorst wrote:
> On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote:
> > All affect Sarge. 
> 
> I've prepared updated packages for sarge. My updated package for sid is
> still pending with my sponsor Luk Claes. The updated packages for sarge
> are available here:
> http://www.a-eskwadraat.nl/~kink/mantis_sec/
> 
> They are not signed since I'm not a DD yet. 
> Please let me know if you have comments or questions.

Sorry for the delay.  I've finally got to it and will release an advisory
soon.  Thijs and Moritz, great work!

Package        : mantis
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2005-3091 CVE-2005-3335 CVE-2005-3336 CVE-2005-3338
                 CVE-2005-3339
CERT advisory  :
BugTraq ID     :
Debian Bugs    : 330682 335938

Several security related problems have been discovered in Mantis, a
web-based bug tracking system.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2005-3091

    A cross-site scripting vulnerability allows attackers to inject
    arbitrary web script or HTML.

CVE-2005-3335

    A file inclusion vulnerability allows remote attackers to execute
    arbitrary PHP code and include arbitrary local files.

CVE-2005-3336

    An SQL injection vulnerability allows remote attackers to execute
    arbitrary SQL commands.

CVE-2005-3338

    Mantis can be tricked into displaying the otherwise hidden real
    mail address of its users.

Regards,

	Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry

Please always Cc to me when replying to me on the lists.



Tags added: fixed Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Igor Genibel <igenibel@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #83 received at 335938-close@bugs.debian.org (full text, mbox):

From: Igor Genibel <igenibel@debian.org>
To: 335938-close@bugs.debian.org
Subject: Bug#335938: fixed in mantis 0.19.4-1
Date: Wed, 04 Jan 2006 07:32:06 -0800
Source: mantis
Source-Version: 0.19.4-1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_0.19.4-1.diff.gz
  to pool/main/m/mantis/mantis_0.19.4-1.diff.gz
mantis_0.19.4-1.dsc
  to pool/main/m/mantis/mantis_0.19.4-1.dsc
mantis_0.19.4-1_all.deb
  to pool/main/m/mantis/mantis_0.19.4-1_all.deb
mantis_0.19.4.orig.tar.gz
  to pool/main/m/mantis/mantis_0.19.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 335938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Igor Genibel <igenibel@debian.org> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  4 Jan 2006 15:45:57 +0100
Source: mantis
Binary: mantis
Architecture: source all
Version: 0.19.4-1
Distribution: unstable
Urgency: high
Maintainer: Igor Genibel <igenibel@debian.org>
Changed-By: Igor Genibel <igenibel@debian.org>
Description: 
 mantis     - web-based bug tracking system
Closes: 312749 319625 323914 328959 330682 332021 334523 335938 335992 336516 340484 345288 345353
Changes: 
 mantis (0.19.4-1) unstable; urgency=high
 .
   * New upstream release
   * New Maintainer (Closes: #335992,#345353)
   * Added Swedish translation
       (Thanks to Daniel Nylander <yeager@lidkoping.net>)
       (Closes: #340484)
   * Fix several security issues:
     - CVE-2005-4524, CVE-2005-4523, CVE-2005-4522, CVE-2005-4521,
       CVE-2005-4520, CVE-2005-4519, CVE-2005-4518, CVE-2005-4238
       (Closes: #345288)
   * Acknowledge Security Fixes NMUs (Closes: #330682,#335938)
   * Acknowledge Important Fixes NMUs (Closes: #323914)
   * Acknowledge Normal Fixes NMUs (Closes: #328959,#332021,#334523)
   * Acknowledge Minor and Wishlist Fixes NMUs (Closes: #319625,#312749)
   * Ack Thijs Kinkhorst <kink@squirrelmail.org> NMUs patch (Closes: 336516)
Files: 
 f03a602dc4b4f8da292aeeaa28e7feed 570 web optional mantis_0.19.4-1.dsc
 368b98bd737ea7b1a86631aac064074e 1301470 web optional mantis_0.19.4.orig.tar.gz
 e52a3e7ec9249d2e44406de4a85a4501 36174 web optional mantis_0.19.4-1.diff.gz
 36b6301ec54c1f4c7e84b986fe77ecd2 903224 web optional mantis_0.19.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDu+Zc+xgdMBZI9sgRAjXtAKCQGO78rtewHoySUdZiKLUWjv+NiwCdFzQE
mGU4VNwllVnUMmskSeCjG2Q=
=++y6
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 06:46:24 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:03:46 2014; Machine Name: buxtehude.debian.org
