Debian Bug report logs - #361138
CVE-2006-1577: Another XSS in mantis

Package: mantis; Maintainer for mantis is Silvia Alvarez <sils@powered-by-linux.com>; Source for mantis is src:mantis.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 6 Apr 2006 21:48:05 UTC

Severity: important

Tags: fixed, patch, sarge, security

Done: Patrick Schönfeld <schoenfeld@in-medias-res.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#361138; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-1577: Another XSS in mantis
Date: Thu, 06 Apr 2006 23:32:28 +0200
Package: mantis
Severity: important

Another XSS has been reported in Mantis:
http://pridels.blogspot.com/2006/03/mantis-xss-vuln.html

Can you please check, whether oldstable and stable are affected?
This is CVE-2006-1577.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#361138; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Naumann <bugs.debian.org@moritz-naumann.com>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #10 received at 361138@bugs.debian.org (full text, mbox):

From: Moritz Naumann <bugs.debian.org@moritz-naumann.com>
To: 361138@bugs.debian.org
Subject: stable: vulnerable, oldstable: not affected
Date: Sat, 03 Jun 2006 03:38:23 +0200
[Message part 1 (text/plain, inline)]
The vulnerable lines and the developers' countermeasure can be inspected at
http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/view_all_set.php?r1=1.60&r2=1.61


The package state is as follows:


STABLE

The package in Debian stable is currently at version 0.19.2-5sarge2:
http://packages.debian.org/stable/web/mantis

This version is based on upstream version v0.19.2
http://ftp.debian.org/debian/pool/main/m/mantis/mantis_0.19.2.orig.tar.gz

This version is vulnerable; lines 126-131 contain the vulnerable code.

The Debian patchset
http://ftp.debian.org/debian/pool/main/m/mantis/mantis_0.19.2-5sarge2.diff.gz
does not modify or fix these lines. As such, the Debian package should
be considered vulnerable. A patch is attached.



OLDSTABLE

The package in Debian oldstable is currently at version 0.17.1-3:
http://packages.debian.org/oldstable/web/mantis

This version is based on upstream version v0.17.1
http://security.debian.org/debian-security/pool/updates/main/m/mantis/mantis_0.17.1.orig.tar.gz

This version is not vulnerable, it does not contain the vulnerable code.

The Debian patchset
http://security.debian.org/debian-security/pool/updates/main/m/mantis/mantis_0.17.1-3.diff.gz
does not introduce the vulnerable code. As such, the Debian package
should be considered unaffected.


Hth,
Moritz (yet another, resistance is futile)

[mantis-0.19.2_CVE-2006-1577.diff (text/plain, inline)]
diff -Naur mantis-0.19.2.orig/view_all_set.php mantis-0.19.2/view_all_set.php
--- mantis-0.19.2.orig/view_all_set.php	2004-10-28 02:31:06.000000000 +0200
+++ mantis-0.19.2/view_all_set.php	2006-06-03 03:11:47.000000000 +0200
@@ -123,12 +123,12 @@
 	$f_sort					= gpc_get_string( 'sort', 'last_updated' );
 	$f_dir					= gpc_get_string( 'dir', 'DESC' );
 	# date values
-	$f_start_month			= gpc_get_string( 'start_month', date( 'm' ) );
-	$f_end_month			= gpc_get_string( 'end_month', date( 'm' ) );
-	$f_start_day			= gpc_get_string( 'start_day', 1 );
-	$f_end_day				= gpc_get_string( 'end_day', date( 'd' ) );
-	$f_start_year			= gpc_get_string( 'start_year', date( 'Y' ) );
-	$f_end_year				= gpc_get_string( 'end_year', date( 'Y' ) );
+	$f_start_month			= gpc_get_int( 'start_month', date( 'm' ) );
+	$f_end_month			= gpc_get_int( 'end_month', date( 'm' ) );
+	$f_start_day			= gpc_get_int( 'start_day', 1 );
+	$f_end_day				= gpc_get_int( 'end_day', date( 'd' ) );
+	$f_start_year			= gpc_get_int( 'start_year', date( 'Y' ) );
+	$f_end_year				= gpc_get_int( 'end_year', date( 'Y' ) );
 	$f_search				= gpc_get_string( 'search', '' );
 	$f_and_not_assigned		= gpc_get_bool( 'and_not_assigned' );
 	$f_do_filter_by_date	= gpc_get_bool( 'do_filter_by_date' );
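Review bot: the defaults on the six `+` lines are still the string results of `date( 'm' )`, `date( 'd' )` and `date( 'Y' )` (only `start_day` gets the integer 1); whether gpc_get_int() returns such a default as-is ("04") or coerces it depends on its implementation, so check that downstream date handling tolerates a leading-zero string when the parameter is absent. Nothing in this hunk bounds the accepted value either, so a month of 13 or a day of 0 will still reach the date filter once it parses as an integer. The change also narrows only the date fields: `sort`, `dir` and `search` on the surrounding context lines remain gpc_get_string() and must still be HTML-escaped wherever they are echoed back. Confirm the hunk matches the upstream r1.60 to r1.61 change linked above before uploading.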
[signature.asc (application/pgp-signature, attachment)]
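The pattern behind the patch, as an added example that is not Mantis code and not part of this bug report: a request value read as a raw string reaches the page verbatim, while forcing it through an integer accessor discards anything that is not a number. The two accessors below are simplified stand-ins for gpc_get_string() and gpc_get_int() (their real semantics are assumed, not copied from Mantis), and the hidden-field sink is an assumption made for illustration; the attacker input is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Mantis code. Minimal stand-ins for the two accessors
// swapped in the patch; real gpc_get_int() behaviour is assumed, not copied.

/** Vulnerable pattern: the raw request string, or the default when absent. */
function gpc_get_string_like(array $request, string $name, string $default): string
{
    return isset($request[$name]) ? (string) $request[$name] : $default;
}

/**
 * Hardened pattern (assumed semantics): only a canonical decimal integer is
 * accepted; anything else, including script markup, yields the default.
 * Nothing here bounds the value, so a month of 13 still passes.
 */
function gpc_get_int_like(array $request, string $name, int $default): int
{
    if (!isset($request[$name]) || !preg_match('/^-?\d+$/', (string) $request[$name])) {
        return $default;
    }
    return (int) $request[$name];
}

/** Assumed sink for illustration: the stored filter value echoed into a hidden field. */
function render_hidden(string $name, string $value): string
{
    return sprintf('<input type="hidden" name="%s" value="%s">', $name, $value);
}

/** True when a <script> tag survives into the rendered markup. */
function leaks_script(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

// Constructed attacker input that breaks out of the value="" attribute.
$payload = '"><script>alert(document.cookie)</script>';
$request = ['start_month' => $payload, 'search' => $payload];

// Before: the string accessor reflects the payload verbatim.
$before = render_hidden('start_month',
    gpc_get_string_like($request, 'start_month', date('m')));

// After: integer coercion discards it and the current month is used instead.
// date('m') is a string such as "04"; under strict_types it must be cast,
// the same default-type question the patch leaves to gpc_get_int().
$after = render_hidden('start_month',
    (string) gpc_get_int_like($request, 'start_month', (int) date('m')));

// Fields that stay strings (search, sort, dir) need output encoding instead.
$search  = gpc_get_string_like($request, 'search', '');
$escaped = render_hidden('search', htmlspecialchars($search, ENT_QUOTES, 'UTF-8'));

$ok = leaks_script($before) && !leaks_script($after) && !leaks_script($escaped);
echo $before, "\n", $after, "\n", $escaped, "\n";
echo $ok ? "checks passed\n" : "checks FAILED\n";
exit($ok ? 0 : 1);
```

Run with `php example.php`; it exits non-zero if the unescaped string path fails to reflect the payload or if either hardened path lets it through. The last case is the point the patch does not address: integer coercion is only available for fields that are genuinely numeric, and every remaining free-text field relies on escaping at the output.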

Tags added: patch Request was from Moritz Naumann <bugs.debian.org@moritz-naumann.com> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security Request was from Moritz Naumann <bugs.debian.org@moritz-naumann.com> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Moritz Naumann <bugs.debian.org@moritz-naumann.com> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#361138; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #23 received at 361138@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 361138@bugs.debian.org, 378353@bugs.debian.org
Subject: Diff for 19-7 NMU's
Date: Thu, 20 Jul 2006 13:13:06 +0200
[Message part 1 (text/plain, inline)]
Hello Igor,

Here are the diffs for the NMUs of yesterday (sorry for the delay).

The diff for sid is very large because something in the build process
creates a huge diff in the po files. I haven't changed that since it's
an NMU, but I don't think a simple rebuild without touching any debconf
templates should generate such a diff.


Thijs
[mantis.sarge-security.diff (text/x-patch, attachment)]
[mantis.sid.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Patrick Schönfeld <schoenfeld@in-medias-res.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 361138-done@bugs.debian.org (full text, mbox):

From: Patrick Schönfeld <schoenfeld@in-medias-res.com>
To: 361138-done@bugs.debian.org
Subject: Problem already solved
Date: Sun, 03 Dec 2006 21:04:06 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have checked the current version for the problematic sections in the source
code. It seems to be patched in the current version already. Therefore I
close this issue.

Best Regards
Patrick Schönfeld
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFcy22TKIzE6LY9r8RAoFBAJ9lXsEVOy5Nde/wUov8LWnXmbVGKwCfb2KI
/HdaDSQjdQSCTsGp9koTbt8=
=7PGe
-----END PGP SIGNATURE-----



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 02:00:00 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:02:04 2014; Machine Name: buxtehude.debian.org
