authorPeter Volkov <pva@gentoo.org>2011-09-01 19:30:23 +0000
committerPeter Volkov <pva@gentoo.org>2011-09-01 19:30:23 +0000
commit2f51d6805fbe082e972b2b9381c2c646fe0cbd57 (patch)
tree49a84c4df36b74809f0911e2175c6e43481200f1 /www-apps/mantisbt
parentAdded -f to rm in src_install to fix installation as non root on prefix (diff)
Add patch to address local file inclusion/path traversal, bug 381417 wrt David Hicks.
Package-Manager: portage-2.1.10.11/cvs/Linux x86_64
Diffstat (limited to 'www-apps/mantisbt')
-rw-r--r--www-apps/mantisbt/ChangeLog9
-rw-r--r--www-apps/mantisbt/Manifest14
-rw-r--r--www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch134
-rw-r--r--www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild51
4 files changed, 196 insertions, 12 deletions
diff --git a/www-apps/mantisbt/ChangeLog b/www-apps/mantisbt/ChangeLog
index 44854a0a4e64..39af9b94aa67 100644
--- a/www-apps/mantisbt/ChangeLog
+++ b/www-apps/mantisbt/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for www-apps/mantisbt
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.107 2011/08/26 11:13:32 chainsaw Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.108 2011/09/01 19:30:23 pva Exp $
+
+*mantisbt-1.2.7-r1 (01 Sep 2011)
+
+ 01 Sep 2011; Peter Volkov <pva@gentoo.org> +mantisbt-1.2.7-r1.ebuild,
+ +files/mantisbt-1.2.7-file-inclusion.patch:
+ Add patch to address local file inclusion/path traversal, bug 381417 wrt
+ David Hicks.
26 Aug 2011; Tony Vroon <chainsaw@gentoo.org> mantisbt-1.2.7.ebuild:
Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
diff --git a/www-apps/mantisbt/Manifest b/www-apps/mantisbt/Manifest
index f9b09b34e397..54ac167bb13f 100644
--- a/www-apps/mantisbt/Manifest
+++ b/www-apps/mantisbt/Manifest
@@ -1,6 +1,4 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
+AUX mantisbt-1.2.7-file-inclusion.patch 5835 RMD160 f6e692b294977201fdab93d93a78a608526bb5f9 SHA1 2cf123e20a277a55d76f2118347affbd3ad139b4 SHA256 4c8db1efb5f6ab4bd465ac4b85c19e741d64c28b55160818c5870f9d5f64ce86
AUX postinstall-en-1.0.0.txt 640 RMD160 1e0a077db936ab8c2a6bf06c9091d4b5194b0b9c SHA1 1fb4a3c4e32b7ddca4b37017e8c8101d8d0c83c7 SHA256 af60f6f6be915164f420f5e9ae04fa18d8bf85e73a9a59668ba4a6b7ba41900d
DIST mantisbt-1.2.4.tar.gz 3287059 RMD160 0a8ecfbdf4931263d5cb8e01938ffdc2de2c53af SHA1 87e0eef8e1d01f7785ebd7964ef3340ec407c091 SHA256 f7c4abeea41dec9f0e7be03d27147f6dec183c55f53b7fabc9383e4b749130cf
DIST mantisbt-1.2.5.tar.gz 3331571 RMD160 97bb2f43bc72891d4dabdca95f98a423f7378544 SHA1 a0ea8856125b2c6f383125533bb9763a80805dbd SHA256 61ee5f65ec3bde92ee918934a5f463a5af6a603ff2684cf7125a6925bb802efe
@@ -9,13 +7,7 @@ DIST mantisbt-1.2.7.tar.gz 3366560 RMD160 99fc5e1eb278da5372356d7d1f7e615962fcf1
EBUILD mantisbt-1.2.4.ebuild 1385 RMD160 b313f76f94c7858377fe0420e894d517ddf6212c SHA1 b0bdf7b9f054e5be54ece11bce5cce295c2b34f5 SHA256 77b80aa48400c18715b680d4b938068c745706610c2bf3dea9896d3923f46983
EBUILD mantisbt-1.2.5.ebuild 1387 RMD160 2357537687ba451beb638442487550e472d5052b SHA1 2924e04d7c5648a828b6fd75659f52f1820bb2df SHA256 9d789062f8d80afdbb57fd32f757616e408b6484ca35adfa37ef4e956bd24b09
EBUILD mantisbt-1.2.6.ebuild 1387 RMD160 a805556c36b59638a62aacc1ec61834a3ad6ecca SHA1 ca7a9444b79828fcf10fdb6d3365729829614e9f SHA256 48df91d361c12031a91e25ce54cfa9f3282cf7640d2be828ec56208fc2a6b7d9
+EBUILD mantisbt-1.2.7-r1.ebuild 1450 RMD160 01b840a1ba39f22a18fd8223e7545d16ddff03be SHA1 d63e8300e45c28df6f134a51f85fdd4819c789f7 SHA256 bacde140ec42d6d78c848397482680b7ddd60cd96e7d9ae830853f86bb941646
EBUILD mantisbt-1.2.7.ebuild 1383 RMD160 0968fe35407ecc82dce7f64f1ed5588088fb8d96 SHA1 08d3a15e58b74c29de589990e8815b848bfe6b56 SHA256 a5e60bcd752f2d46f4fd7bf0269bed0993061709e48b0ed5b03455ee2a7aed95
-MISC ChangeLog 16439 RMD160 24375b62a34e377a65224c4b40d857958bd3259f SHA1 84d886ae76587b3a4b19737ef368c7ce0c26cb1c SHA256 68015dbb77638234e43d910ad08adcfa1afda375a9a476d3e525e89a4cd9ba99
+MISC ChangeLog 16677 RMD160 96ca2da6e1f01d15bbd9a8fc4add73df5d865d21 SHA1 d30cd43dae683d4db129fcc44c759696571b97e6 SHA256 e374ff75659140dfe09fdd0394157335831b496e5cd8f523ba114e4571f2d674
MISC metadata.xml 366 RMD160 be1feafbfb549012d470d936aa41c08c91095bc4 SHA1 6e106454a73bf919be7166d803aebc3d0d684812 SHA256 3b6f2f305a83f7c7c6a9a3e8f0a4e4266976d8a2b555bb70caba49410f465445
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (GNU/Linux)
-
-iEYEARECAAYFAk5Xf+QACgkQp5vW4rUFj5oIxgCeLTnnzpAwTTz0wCxkFba2TXMm
-jq4AoIIV5xhKhzd1QSz3G5G+0MprTXhm
-=IXwp
------END PGP SIGNATURE-----
diff --git a/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch b/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
new file mode 100644
index 000000000000..320e6b748aff
--- /dev/null
+++ b/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
@@ -0,0 +1,134 @@
+commit a7eacc181185eff1dd7bd8ceaa34a91cf86cc298
+Author: David Hicks <d@hx.id.au>
+Date: Thu Sep 1 19:36:31 2011 +1000
+
+ Fix #13282, #13283: bug_actiongroup_ext_page.php LFI and XSS
+
+ High-Tech Bridge SA Security Research Lab reported 2 issues with the
+ 'action' parameter to bug_actiongroup_ext_page.php
+
+ Issue #13282
+
+ XSS issue with require_once() call failures returning an unescaped
+ user-supplied filename. There has been a fair amount of recent public
+ talk about PHP error messages being a source of XSS issues. This is an
+ example.
+
+ Issue #12283
+
+ Local file inclusion/path traversal vulnerability on web servers that
+ allow translations like:
+ http://example.com/directory/file.htm/../file2.htm ==>
+ http://example.com/directory/file2.htm
+
+ Vulnerable (default configuration): Apache
+ Not vulnerable (default configuration): nginx
+
+ This issue has _SEVERE_ consequences for people using web servers which
+ don't check each segment of a path from top to bottom for validity. It
+ shouldn't be possible to include the contents of config_inc.php to
+ retrieve MantisBT database passwords because
+ require_once('config_inc.php') will parse the document as a PHP script
+ (echoing nothing). However it may allow attackers to view private files
+ accessible to the web server user account. It also allows an attacker to
+ guess the file structure of a server (existence of installed software,
+ user accounts, etc).
+
+ nginx will produce a 404 error when it determines that file.htm is not a
+ directory. This makes too much sense, doesn't it?
+
+diff --git a/bug_actiongroup_ext_page.php b/bug_actiongroup_ext_page.php
+index 2a599d3..0a0ab91 100644
+--- a/bug_actiongroup_ext_page.php
++++ b/bug_actiongroup_ext_page.php
+@@ -40,12 +40,18 @@
+ # redirect to view issues page if action doesn't have ext_* prefix.
+ # This should only occur if this page is called directly.
+ $t_external_action_prefix = 'EXT_';
+- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) {
++ $t_matches = array();
++ preg_match( '/^EXT_(\w+)$/', $f_action, $t_matches );
++ if ( count( $t_matches ) !== 2 ) {
+ print_header_redirect( 'view_all_bug_page.php' );
+- }
++ exit;
++ }
++ $t_external_action = $t_matches[1];
++ $t_include_file = 'bug_actiongroup_' . $t_external_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
+
+- $t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );
+- $t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php';
+ $t_form_name = 'bug_actiongroup_' . $t_external_action;
+
+ bug_group_action_print_top();
+diff --git a/core/bug_group_action_api.php b/core/bug_group_action_api.php
+index bd80ea6..30e71ed 100644
+--- a/core/bug_group_action_api.php
++++ b/core/bug_group_action_api.php
+@@ -94,7 +94,14 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) {
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_action_fields( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_print_fields';
+ $t_function_name();
+ }
+@@ -106,7 +113,14 @@ function bug_group_action_print_action_fields( $p_action ) {
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_title( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_print_title';
+ $t_function_name();
+ }
+@@ -121,7 +135,14 @@ function bug_group_action_print_title( $p_action ) {
+ * @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate )
+ */
+ function bug_group_action_validate( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_validate';
+ return $t_function_name( $p_bug_id );
+ }
+@@ -136,7 +157,14 @@ function bug_group_action_validate( $p_action, $p_bug_id ) {
+ * @returns true|array Action can be applied., ( bug_id => reason for failure to process )
+ */
+ function bug_group_action_process( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_process';
+ return $t_function_name( $p_bug_id );
+ }
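Review bot: The four guards added in core/bug_group_action_api.php test `$p_action` with `'/^\w+$/'` and then build the filename from the raw `$p_action`; in PCRE, `$` without the `D` modifier also matches just before a trailing newline, so a value ending in a newline passes the check and lands in the path, unlike bug_actiongroup_ext_page.php where only the captured group is used. Anchoring the test as `preg_match( '/\A\w+\z/', $p_action )` closes that gap. The same functions drop the `dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR` prefix, so `file_exists()` resolves against the working directory while `require_once` also searches include_path, and the two can disagree; keeping the absolute prefix in `$t_include_file` makes the check and the include refer to the same file. Both guards presumably depend on the MantisBT handler for `trigger_error( ERROR_GENERIC, ERROR )` ending the request, which is not visible here; if it can return, execution continues to `require_once`.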
diff --git a/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild b/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
new file mode 100644
index 000000000000..0866934d039a
--- /dev/null
+++ b/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild,v 1.1 2011/09/01 19:30:23 pva Exp $
+
+EAPI="2"
+
+inherit eutils webapp depend.php
+
+DESCRIPTION="PHP/MySQL/Web based bugtracking system"
+HOMEPAGE="http://www.mantisbt.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+RDEPEND="
+ virtual/httpd-php
+ virtual/httpd-cgi
+ || ( <dev-lang/php-5.3[pcre] >=dev-lang/php-5.3 )
+ >=dev-php5/ezc-Base-1.8
+ >=dev-php5/ezc-Graph-1.5
+ >=dev-php/adodb-5.10"
+
+src_prepare() {
+ epatch "${FILESDIR}/mantisbt-1.2.7-file-inclusion.patch" #381417
+
+ # Drop external libraries
+ rm -r "${S}/library/adodb/"
+ rm -r "${S}/library/ezc/"{Base,Graph}
+ sed -e 's:ezc/Base/src/base.php:ezc/Base/base.php:' \
+ -i "${S}"/plugins/MantisGraph/{core/graph_api.php,pages/summary_graph_cumulative_bydate2.php} \
+ || die
+ # Fix incorrect filename
+ sed -e 's:config_default_inc.php:config_defaults_inc.php:' \
+ -i "${S}/lang/strings_russian.txt" || die
+}
+
+src_install() {
+ webapp_src_preinst
+ rm doc/{LICENSE,INSTALL}
+ dodoc doc/{CREDITS,CUSTOMIZATION,RELEASE} doc/en/*
+
+ rm -rf doc packages
+ mv config_inc.php.sample config_inc.php
+ cp -R . "${D}/${MY_HTDOCSDIR}"
+
+ webapp_configfile "${MY_HTDOCSDIR}/config_inc.php"
+ webapp_postinst_txt en "${FILESDIR}/postinstall-en-1.0.0.txt"
+ webapp_src_install
+}
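Review bot: In src_prepare the two `rm -r` calls that drop the bundled adodb and ezc libraries carry no `|| die`, and a failing `rm` does not abort the phase, so a layout change in the tarball would silently install the bundled copies instead of the system packages named in RDEPEND. Write them as `rm -r "${S}/library/adodb/" || die` and `rm -r "${S}/library/ezc/"{Base,Graph} || die`. The `rm`, `mv` and `cp -R` lines in src_install are unchecked in the same way, which could leave an image without config_inc.php or with a partial tree while the build still reports success.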