summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'www-apps/mantisbt')
-rw-r--r--www-apps/mantisbt/ChangeLog9
-rw-r--r--www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch134
-rw-r--r--www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild51
3 files changed, 193 insertions, 1 deletions
diff --git a/www-apps/mantisbt/ChangeLog b/www-apps/mantisbt/ChangeLog
index 44854a0a4e64..39af9b94aa67 100644
--- a/www-apps/mantisbt/ChangeLog
+++ b/www-apps/mantisbt/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for www-apps/mantisbt
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.107 2011/08/26 11:13:32 chainsaw Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.108 2011/09/01 19:30:23 pva Exp $
+
+*mantisbt-1.2.7-r1 (01 Sep 2011)
+
+ 01 Sep 2011; Peter Volkov <pva@gentoo.org> +mantisbt-1.2.7-r1.ebuild,
+ +files/mantisbt-1.2.7-file-inclusion.patch:
+ Add patch to address local file inclusion/path traversal, bug 381417 wrt
+ David Hicks.
26 Aug 2011; Tony Vroon <chainsaw@gentoo.org> mantisbt-1.2.7.ebuild:
Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
diff --git a/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch b/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
new file mode 100644
index 000000000000..320e6b748aff
--- /dev/null
+++ b/www-apps/mantisbt/files/mantisbt-1.2.7-file-inclusion.patch
@@ -0,0 +1,134 @@
+commit a7eacc181185eff1dd7bd8ceaa34a91cf86cc298
+Author: David Hicks <d@hx.id.au>
+Date: Thu Sep 1 19:36:31 2011 +1000
+
+ Fix #13282, #13283: bug_actiongroup_ext_page.php LFI and XSS
+
+ High-Tech Bridge SA Security Research Lab reported 2 issues with the
+ 'action' parameter to bug_actiongroup_ext_page.php
+
+ Issue #13282
+
+ XSS issue with require_once() call failures returning an unescaped
+ user-supplied filename. There has been a fair amount of recent public
+ talk about PHP error messages being a source of XSS issues. This is an
+ example.
+
+ Issue #12283
+
+ Local file inclusion/path traversal vulnerability on web servers that
+ allow translations like:
+ http://example.com/directory/file.htm/../file2.htm ==>
+ http://example.com/directory/file2.htm
+
+ Vulnerable (default configuration): Apache
+ Not vulnerable (default configuration): nginx
+
+ This issue has _SEVERE_ consequences for people using web servers which
+ don't check each segment of a path from top to bottom for validity. It
+ shouldn't be possible to include the contents of config_inc.php to
+ retrieve MantisBT database passwords because
+ require_once('config_inc.php') will parse the document as a PHP script
+ (echoing nothing). However it may allow attackers to view private files
+ accessible to the web server user account. It also allows an attacker to
+ guess the file structure of a server (existence of installed software,
+ user accounts, etc).
+
+ nginx will produce a 404 error when it determines that file.htm is not a
+ directory. This makes too much sense, doesn't it?
+
+diff --git a/bug_actiongroup_ext_page.php b/bug_actiongroup_ext_page.php
+index 2a599d3..0a0ab91 100644
+--- a/bug_actiongroup_ext_page.php
++++ b/bug_actiongroup_ext_page.php
+@@ -40,12 +40,18 @@
+ # redirect to view issues page if action doesn't have ext_* prefix.
+ # This should only occur if this page is called directly.
+ $t_external_action_prefix = 'EXT_';
+- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) {
++ $t_matches = array();
++ preg_match( '/^EXT_(\w+)$/', $f_action, $t_matches );
++ if ( count( $t_matches ) !== 2 ) {
+ print_header_redirect( 'view_all_bug_page.php' );
+- }
++ exit;
++ }
++ $t_external_action = $t_matches[1];
++ $t_include_file = 'bug_actiongroup_' . $t_external_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
+
+- $t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );
+- $t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php';
+ $t_form_name = 'bug_actiongroup_' . $t_external_action;
+
+ bug_group_action_print_top();
+diff --git a/core/bug_group_action_api.php b/core/bug_group_action_api.php
+index bd80ea6..30e71ed 100644
+--- a/core/bug_group_action_api.php
++++ b/core/bug_group_action_api.php
+@@ -94,7 +94,14 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) {
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_action_fields( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_print_fields';
+ $t_function_name();
+ }
+@@ -106,7 +113,14 @@ function bug_group_action_print_action_fields( $p_action ) {
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_title( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_print_title';
+ $t_function_name();
+ }
+@@ -121,7 +135,14 @@ function bug_group_action_print_title( $p_action ) {
+ * @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate )
+ */
+ function bug_group_action_validate( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_validate';
+ return $t_function_name( $p_bug_id );
+ }
+@@ -136,7 +157,14 @@ function bug_group_action_validate( $p_action, $p_bug_id ) {
+ * @returns true|array Action can be applied., ( bug_id => reason for failure to process )
+ */
+ function bug_group_action_process( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
++ if ( !preg_match( '/^\w+$/', $p_action ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ $t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++ require_once( $t_include_file );
+ $t_function_name = 'action_' . $p_action . '_process';
+ return $t_function_name( $p_bug_id );
+ }
diff --git a/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild b/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
new file mode 100644
index 000000000000..0866934d039a
--- /dev/null
+++ b/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/mantisbt-1.2.7-r1.ebuild,v 1.1 2011/09/01 19:30:23 pva Exp $
+
+EAPI="2"
+
+inherit eutils webapp depend.php
+
+DESCRIPTION="PHP/MySQL/Web based bugtracking system"
+HOMEPAGE="http://www.mantisbt.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+RDEPEND="
+ virtual/httpd-php
+ virtual/httpd-cgi
+ || ( <dev-lang/php-5.3[pcre] >=dev-lang/php-5.3 )
+ >=dev-php5/ezc-Base-1.8
+ >=dev-php5/ezc-Graph-1.5
+ >=dev-php/adodb-5.10"
+
+src_prepare() {
+ epatch "${FILESDIR}/mantisbt-1.2.7-file-inclusion.patch" #381417
+
+ # Drop external libraries
+ rm -r "${S}/library/adodb/"
+ rm -r "${S}/library/ezc/"{Base,Graph}
+ sed -e 's:ezc/Base/src/base.php:ezc/Base/base.php:' \
+ -i "${S}"/plugins/MantisGraph/{core/graph_api.php,pages/summary_graph_cumulative_bydate2.php} \
+ || die
+ # Fix incorrect filename
+ sed -e 's:config_default_inc.php:config_defaults_inc.php:' \
+ -i "${S}/lang/strings_russian.txt" || die
+}
+
+src_install() {
+ webapp_src_preinst
+ rm doc/{LICENSE,INSTALL}
+ dodoc doc/{CREDITS,CUSTOMIZATION,RELEASE} doc/en/*
+
+ rm -rf doc packages
+ mv config_inc.php.sample config_inc.php
+ cp -R . "${D}/${MY_HTDOCSDIR}"
+
+ webapp_configfile "${MY_HTDOCSDIR}/config_inc.php"
+ webapp_postinst_txt en "${FILESDIR}/postinstall-en-1.0.0.txt"
+ webapp_src_install
+}