author | Peter Volkov <pva@gentoo.org> | 2011-10-08 15:51:49 +0000 |
---|---|---|
committer | Peter Volkov <pva@gentoo.org> | 2011-10-08 15:51:49 +0000 |
commit | 88fd9bb1a14b821808fa0f51f2d538dd1e484e54 (patch) | |
tree | e9d5189ad8e3e4093e28baa65e656dd9795804e6 /www-apps/mantisbt | |
parent | Version bump, update VCS ebuild, thank Nikoli for this job. (diff) | |
Drop vulnerable version, bug #386153, thank GLSAMaker/CVETool Bot for report.
(Portage version: 2.1.10.20/cvs/Linux x86_64)
Diffstat (limited to 'www-apps/mantisbt')
-rw-r--r-- | www-apps/mantisbt/ChangeLog | 6 | ||||
-rw-r--r-- | www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch | 134 | ||||
-rw-r--r-- | www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild | 51 |
3 files changed, 5 insertions, 186 deletions
diff --git a/www-apps/mantisbt/ChangeLog b/www-apps/mantisbt/ChangeLog
index f0cb0e6f812b..f439fed65f81 100644
--- a/www-apps/mantisbt/ChangeLog
+++ b/www-apps/mantisbt/ChangeLog
@@ -1,6 +1,10 @@
 # ChangeLog for www-apps/mantisbt
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.113 2011/09/12 21:05:59 maekke Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.114 2011/10/08 15:51:49 pva Exp $
+
+ 08 Oct 2011; Peter Volkov <pva@gentoo.org> -mantisbt-1.2.7-r1.ebuild,
+ -files/mantisbt-1.2.7-file-inclusion.patch:
+ Drop vulnerable version, bug #386153, thank GLSAMaker/CVETool Bot for report.
 
 12 Sep 2011; Markus Meier <maekke@gentoo.org> mantisbt-1.2.8.ebuild:
 amd64/x86 stable, bug #381785
diff --git a/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch b/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
deleted file mode 100644
index 320e6b748aff..000000000000
--- a/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-commit a7eacc181185eff1dd7bd8ceaa34a91cf86cc298
-Author: David Hicks <d@hx.id.au>
-Date: Thu Sep 1 19:36:31 2011 +1000
-
- Fix #13282, #13283: bug_actiongroup_ext_page.php LFI and XSS
-
- High-Tech Bridge SA Security Research Lab reported 2 issues with the
- 'action' parameter to bug_actiongroup_ext_page.php
-
- Issue #13282
-
- XSS issue with require_once() call failures returning an unescaped
- user-supplied filename. There has been a fair amount of recent public
- talk about PHP error messages being a source of XSS issues. This is an
- example.
-
- Issue #12283
-
- Local file inclusion/path traversal vulnerability on web servers that
- allow translations like:
- http://example.com/directory/file.htm/../file2.htm ==>
- http://example.com/directory/file2.htm
-
- Vulnerable (default configuration): Apache
- Not vulnerable (default configuration): nginx
-
- This issue has _SEVERE_ consequences for people using web servers which
- don't check each segment of a path from top to bottom for validity. It
- shouldn't be possible to include the contents of config_inc.php to
- retrieve MantisBT database passwords because
- require_once('config_inc.php') will parse the document as a PHP script
- (echoing nothing). However it may allow attackers to view private files
- accessible to the web server user account. It also allows an attacker to
- guess the file structure of a server (existence of installed software,
- user accounts, etc).
-
- nginx will produce a 404 error when it determines that file.htm is not a
- directory. This makes too much sense, doesn't it?
-
-diff --git a/bug_actiongroup_ext_page.php b/bug_actiongroup_ext_page.php
-index 2a599d3..0a0ab91 100644
---- a/bug_actiongroup_ext_page.php
-+++ b/bug_actiongroup_ext_page.php
-@@ -40,12 +40,18 @@
- # redirect to view issues page if action doesn't have ext_* prefix.
- # This should only occur if this page is called directly.
- $t_external_action_prefix = 'EXT_';
-- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) {
-+ $t_matches = array();
-+ preg_match( '/^EXT_(\w+)$/', $f_action, $t_matches );
-+ if ( count( $t_matches ) !== 2 ) {
- print_header_redirect( 'view_all_bug_page.php' );
-- }
-+ exit;
-+ }
-+ $t_external_action = $t_matches[1];
-+ $t_include_file = 'bug_actiongroup_' . $t_external_action . '_inc.php';
-+ if ( !file_exists( $t_include_file ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-
-- $t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );
-- $t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php';
- $t_form_name = 'bug_actiongroup_' . $t_external_action;
-
- bug_group_action_print_top();
-diff --git a/core/bug_group_action_api.php b/core/bug_group_action_api.php
-index bd80ea6..30e71ed 100644
---- a/core/bug_group_action_api.php
-+++ b/core/bug_group_action_api.php
-@@ -94,7 +94,14 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) {
- * @param $p_action The custom action name without the "EXT_" prefix.
- */
- function bug_group_action_print_action_fields( $p_action ) {
-- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
-+ if ( !preg_match( '/^\w+$/', $p_action ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
-+ if ( !file_exists( $t_include_file ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ require_once( $t_include_file );
- $t_function_name = 'action_' . $p_action . '_print_fields';
- $t_function_name();
- }
-@@ -106,7 +113,14 @@ function bug_group_action_print_action_fields( $p_action ) {
- * @param $p_action The custom action name without the "EXT_" prefix.
- */
- function bug_group_action_print_title( $p_action ) {
-- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
-+ if ( !preg_match( '/^\w+$/', $p_action ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
-+ if ( !file_exists( $t_include_file ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ require_once( $t_include_file );
- $t_function_name = 'action_' . $p_action . '_print_title';
- $t_function_name();
- }
-@@ -121,7 +135,14 @@ function bug_group_action_print_title( $p_action ) {
- * @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate )
- */
- function bug_group_action_validate( $p_action, $p_bug_id ) {
-- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
-+ if ( !preg_match( '/^\w+$/', $p_action ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
-+ if ( !file_exists( $t_include_file ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ require_once( $t_include_file );
- $t_function_name = 'action_' . $p_action . '_validate';
- return $t_function_name( $p_bug_id );
- }
-@@ -136,7 +157,14 @@ function bug_group_action_validate( $p_action, $p_bug_id ) {
- * @returns true|array Action can be applied., ( bug_id => reason for failure to process )
- */
- function bug_group_action_process( $p_action, $p_bug_id ) {
-- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
-+ if ( !preg_match( '/^\w+$/', $p_action ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
-+ if ( !file_exists( $t_include_file ) ) {
-+ trigger_error( ERROR_GENERIC, ERROR );
-+ }
-+ require_once( $t_include_file );
- $t_function_name = 'action_' . $p_action . '_process';
- return $t_function_name( $p_bug_id );
- }
diff --git a/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild b/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
deleted file mode 100644
index aaa3f96012aa..000000000000
--- a/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild,v 1.3 2011/09/04 00:55:38 phajdan.jr Exp $
-
-EAPI="2"
-
-inherit eutils webapp depend.php
-
-DESCRIPTION="PHP/MySQL/Web based bugtracking system"
-HOMEPAGE="http://www.mantisbt.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-2"
-KEYWORDS="amd64 x86"
-IUSE=""
-
-RDEPEND="
- virtual/httpd-php
- virtual/httpd-cgi
- || ( <dev-lang/php-5.3[pcre] >=dev-lang/php-5.3 )
- >=dev-php5/ezc-Base-1.8
- >=dev-php5/ezc-Graph-1.5
- >=dev-php/adodb-5.10"
-
-src_prepare() {
- epatch "${FILESDIR}/mantisbt-1.2.7-file-inclusion.patch" #381417
-
- # Drop external libraries
- rm -r "${S}/library/adodb/"
- rm -r "${S}/library/ezc/"{Base,Graph}
- sed -e 's:ezc/Base/src/base.php:ezc/Base/base.php:' \
- -i "${S}"/plugins/MantisGraph/{core/graph_api.php,pages/summary_graph_cumulative_bydate2.php} \
- || die
- # Fix incorrect filename
- sed -e 's:config_default_inc.php:config_defaults_inc.php:' \
- -i "${S}/lang/strings_russian.txt" || die
-}
-
-src_install() {
- webapp_src_preinst
- rm doc/{LICENSE,INSTALL}
- dodoc doc/{CREDITS,CUSTOMIZATION,RELEASE} doc/en/*
-
- rm -rf doc packages
- mv config_inc.php.sample config_inc.php
- cp -R . "${D}/${MY_HTDOCSDIR}"
-
- webapp_configfile "${MY_HTDOCSDIR}/config_inc.php"
- webapp_postinst_txt en "${FILESDIR}/postinstall-en-1.0.0.txt"
- webapp_src_install
-}
|