author | Peter Volkov <pva@gentoo.org> | 2011-09-01 19:30:23 +0000 |
committer | Peter Volkov <pva@gentoo.org> | 2011-09-01 19:30:23 +0000 |
commit | a9e10679aa3a7e8b493c389d8de0fd89187b9b9e (patch) | |
tree | 53540c29975690408811322453b09bad261ab6b9 /www-apps/mantisbt | |
parent | Added -f to rm in src_install to fix installation as non root on prefix (diff) | |
Add patch to address local file inclusion/path traversal, bug 381417 wrt David Hicks.
(Portage version: 2.1.10.11/cvs/Linux x86_64)
Diffstat (limited to 'www-apps/mantisbt')
-rw-r--r-- | www-apps/mantisbt/ChangeLog | 9 | ||||
-rw-r--r-- | www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch | 134 | ||||
-rw-r--r-- | www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild | 51 |
3 files changed, 193 insertions, 1 deletions
diff --git a/www-apps/mantisbt/ChangeLog b/www-apps/mantisbt/ChangeLog
index 44854a0a4e64..39af9b94aa67 100644
--- a/www-apps/mantisbt/ChangeLog
+++ b/www-apps/mantisbt/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for www-apps/mantisbt
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.107 2011/08/26 11:13:32 chainsaw Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.108 2011/09/01 19:30:23 pva Exp $
+
+*mantisbt-1.2.7-r1 (01 Sep 2011)
+
+ 01 Sep 2011; Peter Volkov <pva@gentoo.org> +mantisbt-1.2.7-r1.ebuild,
+ +files/mantisbt-1.2.7-file-inclusion.patch:
+ Add patch to address local file inclusion/path traversal, bug 381417 wrt
+ David Hicks.
 
 26 Aug 2011; Tony Vroon <chainsaw@gentoo.org> mantisbt-1.2.7.ebuild:
 Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
diff --git a/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch b/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
new file mode 100644
index 000000000000..320e6b748aff
--- /dev/null
+++ b/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
@@ -0,0 +1,134 @@
+commit a7eacc181185eff1dd7bd8ceaa34a91cf86cc298
+Author: David Hicks <d@hx.id.au>
+Date: Thu Sep 1 19:36:31 2011 +1000
+
+ Fix #13282, #13283: bug_actiongroup_ext_page.php LFI and XSS
+
+ High-Tech Bridge SA Security Research Lab reported 2 issues with the
+ 'action' parameter to bug_actiongroup_ext_page.php
+
+ Issue #13282
+
+ XSS issue with require_once() call failures returning an unescaped
+ user-supplied filename. There has been a fair amount of recent public
+ talk about PHP error messages being a source of XSS issues. This is an
+ example.
+
+ Issue #12283
+
+ Local file inclusion/path traversal vulnerability on web servers that
+ allow translations like:
+ http://example.com/directory/file.htm/../file2.htm ==>
+ http://example.com/directory/file2.htm
+
+ Vulnerable (default configuration): Apache
+ Not vulnerable (default configuration): nginx
+
+ This issue has _SEVERE_ consequences for people using web servers which
+ don't check each segment of a path from top to bottom for validity. It
+ shouldn't be possible to include the contents of config_inc.php to
+ retrieve MantisBT database passwords because
+ require_once('config_inc.php') will parse the document as a PHP script
+ (echoing nothing). However it may allow attackers to view private files
+ accessible to the web server user account. It also allows an attacker to
+ guess the file structure of a server (existence of installed software,
+ user accounts, etc).
+
+ nginx will produce a 404 error when it determines that file.htm is not a
+ directory. This makes too much sense, doesn't it?
+
+diff --git a/bug_actiongroup_ext_page.php b/bug_actiongroup_ext_page.php
+index 2a599d3..0a0ab91 100644
+--- a/bug_actiongroup_ext_page.php
++++ b/bug_actiongroup_ext_page.php
+@@ -40,12 +40,18 @@
+ # redirect to view issues page if action doesn't have ext_* prefix.
+ # This should only occur if this page is called directly.
+ $t_external_action_prefix = 'EXT_';
+- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) {
++ $t_matches = array();
++ preg_match( '/^EXT_(\w+)$/', $f_action, $t_matches );
++ if ( count( $t_matches ) !== 2 ) {
+ print_header_redirect( 'view_all_bug_page.php' );
+- }
++ exit;
++ }
++ $t_external_action = $t_matches[1];
++ $t_include_file = 'bug_actiongroup_' . $t_external_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
+
+- $t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );
+- $t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php';
+ $t_form_name = 'bug_actiongroup_' . $t_external_action;
+
+ bug_group_action_print_top();
+diff --git a/core/bug_group_action_api.php b/core/bug_group_action_api.php
+index bd80ea6..30e71ed 100644
+--- a/core/bug_group_action_api.php
++++ b/core/bug_group_action_api.php
+@@ -94,7 +94,14 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) {
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_action_fields( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_print_fields';
+ $t_function_name();
+ }
+@@ -106,7 +113,14 @@ function bug_group_action_print_action_fields( $p_action ) {
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_title( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_print_title';
+ $t_function_name();
+ }
+@@ -121,7 +135,14 @@ function bug_group_action_print_title( $p_action ) {
+ * @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate )
+ */
+ function bug_group_action_validate( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_validate';
+ return $t_function_name( $p_bug_id );
+ }
+@@ -136,7 +157,14 @@ function bug_group_action_validate( $p_action, $p_bug_id ) {
+ * @returns true|array Action can be applied., ( bug_id => reason for failure to process )
+ */
+ function bug_group_action_process( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_process';
+ return $t_function_name( $p_bug_id );
+ }
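Review bot: In all four rewritten functions of core/bug_group_action_api.php (print_action_fields, print_title, validate, process) the new `file_exists( $t_include_file )` guard and the following `require_once( $t_include_file )` use a bare relative name, whereas the removed line built an absolute path from `dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR`; `file_exists()` resolves a relative name against the process working directory only, while `require_once()` also consults the include path, so the check and the include can resolve to different locations and a caller not running from the MantisBT root would hit `trigger_error( ERROR_GENERIC, ERROR )` for an action whose include actually exists. Keeping the original prefix, e.g. `$t_include_file = dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php';`, preserves the allow-list regex and the existence check without changing where the file is looked up; the same relative-name pattern appears in the bug_actiongroup_ext_page.php hunk. A smaller hardening point: `/^\w+$/` and `/^EXT_(\w+)$/` accept one trailing newline because `$` matches before a final "\n" — `\z` (or the `D` modifier) pins the true end of the string; with the existence check in place this is belt-and-braces rather than a bypass. The enclosing functions are shown completely, but the bug_actiongroup_ext_page.php hunk continues outside the lines changed.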
diff --git a/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild b/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
new file mode 100644
index 000000000000..0866934d039a
--- /dev/null
+++ b/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild,v 1.1 2011/09/01 19:30:23 pva Exp $
+
+EAPI="2"
+
+inherit eutils webapp depend.php
+
+DESCRIPTION="PHP/MySQL/Web based bugtracking system"
+HOMEPAGE="http://www.mantisbt.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+RDEPEND="
+ virtual/httpd-php
+ virtual/httpd-cgi
+ || ( <dev-lang/php-5.3[pcre] >=dev-lang/php-5.3 )
+ >=dev-php5/ezc-Base-1.8
+ >=dev-php5/ezc-Graph-1.5
+ >=dev-php/adodb-5.10"
+
+src_prepare() {
+ epatch "${FILESDIR}/mantisbt-1.2.7-file-inclusion.patch" #381417
+
+ # Drop external libraries
+ rm -r "${S}/library/adodb/"
+ rm -r "${S}/library/ezc/"{Base,Graph}
+ sed -e 's:ezc/Base/src/base.php:ezc/Base/base.php:' \
+ -i "${S}"/plugins/MantisGraph/{core/graph_api.php,pages/summary_graph_cumulative_bydate2.php} \
+ || die
+ # Fix incorrect filename
+ sed -e 's:config_default_inc.php:config_defaults_inc.php:' \
+ -i "${S}/lang/strings_russian.txt" || die
+}
+
+src_install() {
+ webapp_src_preinst
+ rm doc/{LICENSE,INSTALL}
+ dodoc doc/{CREDITS,CUSTOMIZATION,RELEASE} doc/en/*
+
+ rm -rf doc packages
+ mv config_inc.php.sample config_inc.php
+ cp -R . "${D}/${MY_HTDOCSDIR}"
+
+ webapp_configfile "${MY_HTDOCSDIR}/config_inc.php"
+ webapp_postinst_txt en "${FILESDIR}/postinstall-en-1.0.0.txt"
+ webapp_src_install
+} |
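Review bot: The `rm -r "${S}/library/adodb/"` and `rm -r "${S}/library/ezc/"{Base,Graph}` lines in src_prepare, and the `rm`, `mv config_inc.php.sample config_inc.php` and `cp -R . "${D}/${MY_HTDOCSDIR}"` calls in src_install, have no `|| die`, unlike the two `sed` invocations next to them; under `EAPI="2"` a failing shell command does not abort the phase, so a renamed bundled-library directory or a failed copy into ${D} would yield a silently incomplete image rather than a build error. Appending `|| die` to each, e.g. `rm -r "${S}/library/adodb/" || die` and `cp -R . "${D}/${MY_HTDOCSDIR}" || die`, makes the phases consistent with the sed lines. The new `epatch` line for the bug 381417 fix is fine as written, since epatch already dies when the patch fails to apply.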