Debian Bug report logs - #378353
mantis: some more vulnerabilities


Package: mantis; Maintainer for mantis is Silvia Alvarez <sils@powered-by-linux.com>; Source for mantis is src:mantis.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sat, 15 Jul 2006 15:48:09 UTC

Severity: important

Tags: fixed, security

Found in version mantis/0.19.2-5sarge2

Fixed in version 0.19.2-5sarge4.1

Done: "Thijs Kinkhorst" <thijs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#378353; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Cc: team@security.debian.org
Subject: mantis: some more vulnerabilities
Date: Sat, 15 Jul 2006 17:35:46 +0200
[Message part 1 (text/plain, inline)]
Package: mantis
Version: 0.19.2-5sarge2
Severity: important
Tags: security

Hello,

While looking at the mantis security situation for sarge, I discovered
that the following CVE ids have not yet been fixed in sid. I'm not yet
sure of their status so I'm setting this as important now.

CVE-2006-0841
Multiple cross-site scripting (XSS) vulnerabilities in Mantis 1.00rc4
and earlier allow remote attackers to inject arbitrary web script or
HTML via the (1) hide_status, (2) handler_id, (3) user_monitor, (4)
reporter_id, (5) view_type, (6) show_severity, (7) show_category, (8)
show_status, (9) show_resolution, (10) show_build, (11) show_profile,
(12) show_priority, (13) highlight_changed, (14) relationship_type, and
(15) relationship_bug parameters in (a) view_all_set.php; the (16) sort
parameter in (b) manage_user_page.php; the (17) view_type parameter in
(c) view_filters_page.php; and the (18) title parameter in (d)
proj_doc_delete.php. NOTE: item 17 might be subsumed by CVE-2005-4522.

CVE-2006-0840
manage_user_page.php in Mantis 1.00rc4 and earlier does not properly
handle a sort parameter containing a ' (quote) character, which allows
remote attackers to trigger a SQL error that may be repeatedly reported
to a user who makes subsequent web accesses with the
MANTIS_MANAGE_COOKIE cookie. NOTE: this issue might be the same as
vector 2 in CVE-2005-4519.

CVE-2006-0665
Unspecified vulnerability in (1) query_store.php and (2)
manage_proj_create.php in Mantis before 1.0.0 has unknown impact and
attack vectors. NOTE: the provenance of this information is unknown; the
details are obtained solely from third party information. An original
vendor bug report is referenced, but not accessible to the general
public.

CVE-2006-0664
Cross-site scripting (XSS) vulnerability in config_defaults_inc.php in
Mantis before 1.0 allows remote attackers to inject arbitrary web script
or HTML via unknown attack vectors. NOTE: the provenance of this
information is unknown; the details are obtained solely from third party
information. An original vendor bug report is referenced, but not
accessible to the general public.

Since there hasn't been a maintainer response to #361138 /
CVE-2006-1577, I'll probably prepare an NMU for that and these issues,
because I'm already researching them. Please voice any concerns right
away.


Thijs
[signature.asc (application/pgp-signature, inline)]
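The four CVE texts above come down to two input-handling defects: a `sort` value reaching SQL unvalidated and then being replayed from persisted filter state (CVE-2006-0840), and filter parameters reflected into HTML unescaped (CVE-2006-0841). The following Python model is an added example, not code from the Mantis project or from anyone in this bug log; it places a hardened variant beside each defect and adds a small log check over the parameter names the CVE text lists. Every function name, the column allowlist and the sample request values are assumptions constructed for the example.

```python
"""Added example; not code from the Mantis project or from anyone in this bug log.

It models the two input-handling defects the CVE texts above describe and
puts a hardened variant beside each:

  * CVE-2006-0840: a `sort` value containing a quote is pasted into SQL,
    and because the filter settings are persisted (Mantis keeps them behind
    the MANTIS_MANAGE_COOKIE) the broken query is rebuilt on every later view.
  * CVE-2006-0841: filter parameters such as `show_status` are reflected
    into HTML unescaped.

Every function name, the column allowlist and the sample values below are
assumptions constructed for this example; the real Mantis code differs.
"""
import html
from urllib.parse import parse_qsl

# Constructed allowlist of columns manage_user_page may sort on.
SORT_COLUMNS = {"username", "realname", "email", "access_level", "last_visit"}


def build_order_by_unsafe(sort: str) -> str:
    """Vulnerable pattern: the request value is concatenated into the query."""
    return f"SELECT * FROM mantis_user_table ORDER BY {sort}"


def build_order_by(sort: str) -> str:
    """Hardened: only an allowlisted column name may reach the query text."""
    if sort not in SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {sort!r}")
    return f"SELECT * FROM mantis_user_table ORDER BY {sort}"


class SavedFilter:
    """Persisted filter state, standing in for the cookie-backed settings."""

    def __init__(self) -> None:
        self.sort = "username"

    def apply_unsafe(self, sort: str) -> str:
        # Stored before validation, so a bad value keeps failing on later views.
        self.sort = sort
        return build_order_by_unsafe(self.sort)

    def apply(self, sort: str) -> str:
        # Validate first; only a value that built a clause is persisted.
        clause = build_order_by(sort)
        self.sort = sort
        return clause


def render_filter_field_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern: request value echoed into an attribute verbatim."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_filter_field(name: str, value: str) -> str:
    """Hardened: escape for an HTML attribute before interpolating."""
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


# Request parameters the CVE texts name, for a defender's log check.
WATCHED_PARAMS = {"sort", "hide_status", "handler_id", "reporter_id",
                  "view_type", "show_status", "show_severity", "title"}


def suspicious_params(query_string: str) -> list:
    """Return the watched parameters whose value carries quote or tag characters.

    Meant for scanning access-log request lines; it flags input that the
    hardened functions above would reject or escape, not exploitation success.
    """
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name in WATCHED_PARAMS and any(c in value for c in "'\"<>"):
            hits.append(name)
    return hits


# Constructed sample request values (malformed on purpose).
MALFORMED = {"sort": "email'", "show_status": '"><b>x</b>'}


def demo() -> dict:
    """Exercise both variants on the malformed values; returns what each does."""
    sticky = SavedFilter()
    sticky.apply_unsafe(MALFORMED["sort"])
    hardened = SavedFilter()
    try:
        hardened.apply(MALFORMED["sort"])
        rejected = False
    except ValueError:
        rejected = True
    return {
        "unsafe_sql": build_order_by_unsafe(MALFORMED["sort"]),
        "unsafe_persisted_sort": sticky.sort,
        "hardened_rejected": rejected,
        "hardened_persisted_sort": hardened.sort,
        "unsafe_html": render_filter_field_unsafe("show_status", MALFORMED["show_status"]),
        "hardened_html": render_filter_field("show_status", MALFORMED["show_status"]),
        "log_hits": suspicious_params("sort=email%27&show_status=10&handler_id=3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `SavedFilter.apply` versus `apply_unsafe` is ordering: the cookie-replay behaviour in CVE-2006-0840 only exists because the value is persisted before it is checked, so validating first removes the repeated error even where the SQL layer would otherwise still fail.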

Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#378353; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #10 received at 378353@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 378353@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#378353: mantis: some more vulnerabilities
Date: Wed, 19 Jul 2006 22:32:50 +0200
[Message part 1 (text/plain, inline)]
Hello Moritz et al.,

> mantis
> CVE-2005-3337 CVE-2006-0664 CVE-2006-0665
> CVE-2006-0840 CVE-2006-0841 CVE-2006-1577

I've supplied updated packages for sid and sarge, addressing all
relevant issues. A short breakdown:

CVE-2006-1577 - Fixed with upstream patch in sarge and sid;
CVE-2006-0840 - This was already addressed in sarge and sid;
CVE-2006-0841 - Fixed with selected patches from upstream, some parts
were already present.
CVE-2006-0664 - Fixed in sarge, sid was already fixed.
CVE-2006-0665 - Fixed in sarge, sid was already fixed.
CVE-2005-3337 - This is a mystery; the description is vague and the
upstream CVS repository doesn't seem to provide a distinct fix. I
believe this might actually be a duplicate of another already fixed
issue, CVE-2005-2557. We really need more positive proof that there's
actually something vulnerable here if you ask me.

By the way, the package in sid is not in a very good shape and the
maintainer seems to be MIA...


Thijs
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#378353; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #17 received at 378353@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: coley@linus.mitre.org
Cc: 378353@bugs.debian.org, team@security.debian.org, thijs@debian.org
Subject: Re: Bug#378353: mantis: some more vulnerabilities
Date: Wed, 19 Jul 2006 23:18:49 +0200
Thijs Kinkhorst wrote:

[This is about mantis]

> CVE-2005-3337 - This is a mystery; the description is vague and the
> upstream CVS repository doesn't seem to provide a distinct fix. I
> believe this might actually be a duplicate of another already fixed
> issue, CVE-2005-2557. We really need more positive proof that there's
> actually something vulnerable here if you ask me.

Let's forward this to the relevant person at MITRE. Steven, could you
please check whether this might be a duplicate?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#378353; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #22 received at 378353@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 378353@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#378353: mantis: some more vulnerabilities
Date: Wed, 19 Jul 2006 23:26:16 +0200
Thijs Kinkhorst wrote:
> > mantis
> > CVE-2005-3337 CVE-2006-0664 CVE-2006-0665
> > CVE-2006-0840 CVE-2006-0841 CVE-2006-1577
> 
> I've supplied updated packages for sid and sarge, addressing all
> relevant issues. A short breakdown:

Thank you very much!
 
> CVE-2006-0840 - This was already addressed in sarge and sid;

I see, this seems fixed en passant in DSA-944.

> CVE-2006-1577 - Fixed with upstream patch in sarge and sid;
> CVE-2006-0841 - Fixed with selected patches from upstream, some parts
> were already present.
> CVE-2006-0664 - Fixed in sarge, sid was already fixed.
> CVE-2006-0665 - Fixed in sarge, sid was already fixed.

Could you make patches or a preliminary package available for download
somewhere?

> CVE-2005-3337 - This is a mystery; the description is vague and the
> upstream CVS repository doesn't seem to provide a distinct fix. I
> believe this might actually be a duplicate of another already fixed
> issue, CVE-2005-2557. We really need more positive proof that there's
> actually something vulnerable here if you ask me.

I forwarded this to MITRE for clarification, let's see what Steven has
in his notes.
 
> By the way, the package in sid is not in a very good shape and the
> maintainer seems to be MIA...

If this shouldn't change over the next one or two months it should rather
be removed for Etch. It's notoriously prone to security issues and sid is
way behind current upstream.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#378353; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to "Steven M. Christey" <coley@linus.mitre.org>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #27 received at 378353@bugs.debian.org (full text, mbox):

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: coley@linus.mitre.org, 378353@bugs.debian.org, team@security.debian.org, thijs@debian.org
Subject: Re: Bug#378353: mantis: some more vulnerabilities
Date: Wed, 19 Jul 2006 17:31:16 -0400 (EDT)
On Wed, 19 Jul 2006, Moritz Muehlenhoff wrote:

> Let's forward this to the relevant person at MITRE. Steven, could you
> please check whether this might be a duplicate?

Looks like a partial duplicate.  CVE-2005-3337 lists two items, and the
second one appears to be a dupe of CVE-2005-2557 based on the Mantis bug
number.

Actually, the first item in CVE-2005-3337 appears to be a dupe of
CVE-2005-3091 based on Mantis bug number too :(

Does this make sense?

- Steve


======================================================
Name: CVE-2005-2557
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2557
Acknowledged: yes
Announced: 20050822
Flaw: XSS
Reference: BUGTRAQ:20050926 Mantis Bugtracker - Remote Database Scanner and XSS Vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112786017426276&w=2
Reference: CONFIRM:http://www.mantisbt.org/changelog.php
Reference: DEBIAN:DSA-778
Reference: URL:http://www.debian.org/security/2005/dsa-778
Reference: GENTOO:GLSA-200509-16
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200509-16.xml
Reference: BID:14604
Reference: URL:http://www.securityfocus.com/bid/14604
Reference: SECUNIA:16506
Reference: URL:http://secunia.com/advisories/16506/
Reference: XF:mantis-bug-report-xss(21958)
Reference: URL:http://xforce.iss.net/xforce/xfdb/21958

Cross-site scripting (XSS) vulnerability in view_all_set.php in Mantis
0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary
web script or HTML via the dir parameter, as identified by
bug#0005959, and a different vulnerability than CVE-2005-3090.


Analysis:
ACKNOWLEDGEMENT: in the mantis changelog it says "0005959: [security]
Cross Site Scripting Vulnerabilty in the mantis/view_all_set.php
Script (thraxisp)"

ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per
e-mail discussions with Martin Schulze on August 25, 2005.  Some bugs
were fixed by Debian and some did not have to be, suggesting different
affected versions.



======================================================
Name: CVE-2005-3091
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3091
Acknowledged: yes
Announced: 20050822
Flaw: XSS
Reference: CONFIRM:http://www.mantisbt.org/changelog.php
Reference: DEBIAN:DSA-905
Reference: URL:http://www.debian.org/security/2005/dsa-905
Reference: BID:15227
Reference: URL:http://www.securityfocus.com/bid/15227
Reference: SECUNIA:16506
Reference: URL:http://secunia.com/advisories/16506
Reference: SECUNIA:17654
Reference: URL:http://secunia.com/advisories/17654

Cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1
allows remote attackers to inject arbitrary web script or HTML via
unknown attack vectors, as identified by bug#0005751 "thraxisp".


Analysis:

ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per
e-mail discussions with Martin Schulze on August 25, 2005.  Some bugs
were fixed by Debian and some did not have to be, suggesting different
affected versions.
ACKNOWLEDGEMENT: in the mantis changelog it says "0005751: [security]
Javascript XSS vulnerability (thraxisp)"


======================================================
Name: CVE-2005-3337
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3337
Acknowledged: yes changelog
Announced: 20051026
Flaw: XSS
Reference: CONFIRM:http://bugs.mantisbt.org/changelog_page.php
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=362673
Reference: GENTOO:GLSA-200510-24
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200510-24.xml
Reference: OSVDB:20321
Reference: URL:http://www.osvdb.org/20321
Reference: SECUNIA:17362
Reference: URL:http://secunia.com/advisories/17362

Multiple cross-site scripting (XSS) vulnerabilities in Mantis before
0.19.3 allow remote attackers to inject arbitrary web script or HTML
via (1) unknown vectors involving Javascript and (2)
mantis/view_all_set.php.


Analysis:
ACK: the vendor changelog for 0.19.3 includes two items "0006332:
[security] Port #5751 to 0.19.3: Javascript XSS vulnerability
(vboctor)" and "- 0006333: [security] Port #5959 to 0.19.3: Cross Site
Scripting Vulnerabilty in the mantis/view_all_set.php Script
(vboctor)"





Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#378353; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #32 received at 378353@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 361138@bugs.debian.org, 378353@bugs.debian.org
Subject: Diff for 19-7 NMU's
Date: Thu, 20 Jul 2006 13:13:06 +0200
[Message part 1 (text/plain, inline)]
Hello Igor,

Here are the diffs for the NMUs of yesterday (sorry for the delay).

The diff for sid is very large because something in the build process
creates a huge diff in the po files. I haven't changed that since it's
an NMU, but I don't think a simple rebuild without touching any debconf
templates should generate such a diff.


Thijs
[mantis.sarge-security.diff (text/x-patch, attachment)]
[mantis.sid.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Igor Genibel <igenibel@debian.org>:
Bug#378353; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Igor Genibel <igenibel@debian.org>. Full text and rfc822 format available.

Message #37 received at 378353@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: "Steven M. Christey" <coley@linus.mitre.org>
Cc: 378353@bugs.debian.org, team@security.debian.org, thijs@debian.org
Subject: Re: Bug#378353: mantis: some more vulnerabilities
Date: Tue, 1 Aug 2006 22:28:23 +0200
Steven M. Christey wrote:
> > Let's forward this to the relevant person at MITRE. Steven, could you
> > please check whether this might be a duplicate?
> 
> Looks like a partial duplicate.  CVE-2005-3337 lists two items, and the
> second one appears to be a dupe of CVE-2005-2557 based on the Mantis bug
> number.
> 
> Actually, the first item in CVE-2005-3337 appears to be a dupe of
> CVE-2005-3091 based on Mantis bug number too :(
> 
> Does this make sense?

Makes sense; I suggest to remove CVE-2005-3337 entirely.

Cheers,
        Moritz



Tags added: fixed. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 378353-done@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 378353-done@bugs.debian.org
Subject: versioned close
Date: Thu, 3 Jul 2008 13:03:32 +0200 (CEST)
Version: 0.19.2-5sarge4.1

This bug has been marked with a 'fixed' tag, I'm now closing it with the
relevant version info.


Thijs





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Aug 2008 07:36:20 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 22:00:12 2014; Machine Name: buxtehude.debian.org
