Hi Team, Attached you will find the fixes for mantis: CVE-2010-2574 [0] xss vulnerability, reported in BTS #595510 [1] yesterday, affecting lenny, testing and sid packages (all of them). I contacted with the security-team about the CVE and I was told to contact directly with the release team, because the CVE is not critical and they said it would be nice if the update is made via regular point contact with your team at first. Due to the current freeze state, I did not uploaded any package until receive a confirmation or guidelines from the release team about how to proceed. In the case of unstable, I understand that you have to grant an exception for mantis. When you review these fixes, should I ask for the exception and upload the package or you can arrange it directly? Please let me know if any other steps should be taken on my side. Please note that BTS #595510 [1] regarding this issue, is closed in 1.1.8+dfsg-6. Don't hesitate to contact me if you need any further info. Thanks for your time, you are doing a great job and I don't want to disturb you too much. Best regards, Sils Patch headers: # # Description: Fix for CVE-2010-2574 XSS vulnerability when deleting # categories that have been maliciously named. # The malicious message string is now passed through # string_display_line() function (which takes care of removing # any potencially dangerous HTML tags) before printing it. # This prevents the reported XSS injection. # # Author: Silvia Alvarez <sils@powered-by-linux.com> # Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574 # Bug: http://secunia.com/advisories/40832/ # Bug: http://www.mantisbt.org/bugs/view.php?id=12230 # Bug-Debian: http://bugs.debian.org/595510 # Last-Update: 2010-09-04 # Changelog for each affected versions: mantis (1.1.6+dfsg-2lenny2) stable-proposed-updates; urgency=low * debian/patches: + Added 05-CVE-2010-2574.diff: Fix for CVE-2010-2574 XSS vulnerability when deleting categories that have been maliciously named. * debian/control: + Set myself as new maintainer -- Silvia Alvarez <sils@powered-by-linux.com> Sun, 05 Sep 2010 14:25:42 +0200 mantis (1.1.8+dfsg-6) unstable; urgency=high * debian/patches: + Added 08-CVE-2010-2574.diff: Fix for CVE-2010-2574 XSS vulnerability when deleting categories that have been maliciously named.(Closes: #595510) -- Silvia Alvarez <sils@powered-by-linux.com> Sun, 05 Sep 2010 01:58:01 +0200 [0] http://security-tracker.debian.org/tracker/CVE-2010-2574 [1] http://bugs.debian.org/595510
Attachment:
mantis_1.1.6+dfsg-2lenny2.diff.gz
Description: application/gzip
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.0 Source: mantis Binary: mantis Architecture: all Version: 1.1.6+dfsg-2lenny2 Maintainer: Silvia Alvarez <sils@powered-by-linux.com> Homepage: http://www.mantisbugtracker.com Standards-Version: 3.8.0 Vcs-Browser: http://svn.debian.org/wsvn/collab-maint/ext-maint/mantis Vcs-Svn: svn://svn.debian.org/svn/collab-maint/ext-maint/mantis/trunk Build-Depends: debhelper (>= 5), quilt, po-debconf Checksums-Sha1: e6c7bd4bccf8f26a13fd4ee44bcb61cf332afd0e 2044082 mantis_1.1.6+dfsg.orig.tar.gz 95e9aeb8e29eddeb9c60da8c796fc0d446ab72e7 45975 mantis_1.1.6+dfsg-2lenny2.diff.gz Checksums-Sha256: 98fd890c1580c9ae554d51e5087da0eb61c0425a43993923d99637dcd54c2903 2044082 mantis_1.1.6+dfsg.orig.tar.gz 05d254be492c56b8c3de742d078e913cc154648d354eab85e96deacb1789c400 45975 mantis_1.1.6+dfsg-2lenny2.diff.gz Files: 429853b8caacc9e713b686524524418a 2044082 mantis_1.1.6+dfsg.orig.tar.gz 5744c8fe12175531be1fb796931a4730 45975 mantis_1.1.6+dfsg-2lenny2.diff.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBCAAGBQJMg4/qAAoJEEovp1gx7ts57nwP/j6c3SKo6lJmIoOB7nBYvw4K cfen0+KMn69uRZdyQPn7+hDIRt8vgP4MOZzV3s6WGWKEawRDjxppOVrDunxeXW+8 KRJW7kTvE6uVI0En9r8+3LH9Y+5NbTv79a0olbrfVIKUQI0MI1944MZhivMkmago QxpFnMVRbdv475zLqQJTNKPaf8l5l5rW4YMWTIMIpc+KjEy9hcquqBx63GQWJxvw iLEABGQUfVrpSB55dmGAxUrzEqREQc3yvSzCx9x964/scFz4vqVFIWk7HfVYMvw5 pGsi3q1j/PfnlNMvCSHf08DVOfh8J+IpYunTn63gWwmW4rrVpCFeerKTj0X65zfh mnl40W8qXOa/+V8+nzaDXjl57KwBLVsXnKasZ5auEFy1ytXMVMT3Ls4NeCmIWMIs 1FDquVccLUOQT2XD19JrKD6Y0nHehS+Q8HbTkokFD0motqqYB3pxjaoSoELvXK4U JDJZ//W5DIt73dJuxvbjHvn7tocupvQQRnygzSkaiTduulzUCas9iAIEa1zUbsvv YUqcVbke4HxF9djwyWU6Lr8ZM17++G/sA9IIUUDPyZWckqV4XpYIh+1NiQHVyOrz CGEO2vji8BG6G3hZ3EFuElj6EmD52sTlq8Fn6J04yluJFaqE0QVm7vqUmhhKZhwC K5ln8b2lMq21APrp+u/z =fm1Y -----END PGP SIGNATURE-----
diff -u mantis-1.1.6+dfsg/debian/control mantis-1.1.6+dfsg/debian/control --- mantis-1.1.6+dfsg/debian/control +++ mantis-1.1.6+dfsg/debian/control @@ -1,7 +1,7 @@ Source: mantis Section: web Priority: optional -Maintainer: Patrick Schoenfeld <schoenfeld@debian.org> +Maintainer: Silvia Alvarez <sils@powered-by-linux.com> Homepage: http://www.mantisbugtracker.com Vcs-Svn: svn://svn.debian.org/svn/collab-maint/ext-maint/mantis/trunk Vcs-Browser: http://svn.debian.org/wsvn/collab-maint/ext-maint/mantis diff -u mantis-1.1.6+dfsg/debian/changelog mantis-1.1.6+dfsg/debian/changelog --- mantis-1.1.6+dfsg/debian/changelog +++ mantis-1.1.6+dfsg/debian/changelog @@ -1,3 +1,14 @@ +mantis (1.1.6+dfsg-2lenny2) stable-proposed-updates; urgency=low + + * debian/patches: + + Added 05-CVE-2010-2574.diff: Fix for CVE-2010-2574 XSS + vulnerability when deleting categories that have been + maliciously named. + * debian/control: + + Set myself as new maintainer + + -- Silvia Alvarez <sils@powered-by-linux.com> Sun, 05 Sep 2010 14:25:42 +0200 + mantis (1.1.6+dfsg-2lenny1) stable-security; urgency=high * Urgency high because this upload fixes a security issue diff -u mantis-1.1.6+dfsg/debian/patches/series mantis-1.1.6+dfsg/debian/patches/series --- mantis-1.1.6+dfsg/debian/patches/series +++ mantis-1.1.6+dfsg/debian/patches/series @@ -4,0 +5 @@ +05-CVE-2010-2574.diff only in patch2: unchanged: --- mantis-1.1.6+dfsg.orig/debian/patches/05-CVE-2010-2574.diff +++ mantis-1.1.6+dfsg/debian/patches/05-CVE-2010-2574.diff @@ -0,0 +1,37 @@ +# +# Description: Fix for CVE-2010-2574 XSS vulnerability when deleting +# categories that have been maliciously named. +# The malicious message string is now passed through +# string_display_line() function (which takes care of removing +# any potencially dangerous HTML tags) before printing it. +# This prevents the reported XSS injection. +# +# Author: Silvia Alvarez <sils@powered-by-linux.com> +# Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574 +# Bug: http://secunia.com/advisories/40832/ +# Bug: http://www.mantisbt.org/bugs/view.php?id=12230 +# Bug-Debian: http://bugs.debian.org/595510 +# Last-Update: 2010-09-04 +# + +Index: mantis-1.1.6+dfsg/manage_proj_cat_delete.php +=================================================================== +--- mantis-1.1.6+dfsg.orig/manage_proj_cat_delete.php 2010-09-05 02:54:47.631129913 +0200 ++++ mantis-1.1.6+dfsg/manage_proj_cat_delete.php 2010-09-05 02:54:57.255130408 +0200 +@@ -26,6 +26,7 @@ + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'category_api.php' ); ++ require_once( $t_core_path.'string_api.php' ); + + form_security_validate( 'manage_proj_cat_delete' ); + +@@ -38,7 +39,7 @@ + + # Confirm with the user + helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) . +- '<br/>' . lang_get( 'category' ) . ': ' . $f_category, ++ '<br/>' . lang_get( 'category' ) . ': ' . string_display_line($f_category), + lang_get( 'delete_category_button' ) ); + + category_remove( $f_project_id, $f_category );
Attachment:
mantis_1.1.8+dfsg-6.debian.tar.gz
Description: application/gzip
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 3.0 (quilt) Source: mantis Binary: mantis Architecture: all Version: 1.1.8+dfsg-6 Maintainer: Silvia Alvarez <sils@powered-by-linux.com> Uploaders: Dario Minnucci <midget@debian.org> Homepage: http://www.mantisbugtracker.com Standards-Version: 3.8.4 Build-Depends: debhelper (>= 7), po-debconf Checksums-Sha1: 4482268075470b5e93f25cd6ee61adecb4ae189f 1965397 mantis_1.1.8+dfsg.orig.tar.gz d4e63893fe06cb28541dccfe96281f51d33cb58a 50041 mantis_1.1.8+dfsg-6.debian.tar.gz Checksums-Sha256: 350885db48f6298f6d956871777219b011331e9a413bd3e8a4e748fa1be3f573 1965397 mantis_1.1.8+dfsg.orig.tar.gz dc3ccfe639f7ba029b6b2fce3c1f6a478e1c5d3c837da060ea18490d0de1982e 50041 mantis_1.1.8+dfsg-6.debian.tar.gz Files: 730527e12f160ce1e13bb2a5c51bdb81 1965397 mantis_1.1.8+dfsg.orig.tar.gz 2a33d58206862744799856bab36974f2 50041 mantis_1.1.8+dfsg-6.debian.tar.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBCAAGBQJMgvW8AAoJEEovp1gx7ts57F0P/jtTHWyVPKnZF/syC0jMBMcc 0c4VsJtuijmcRZYAUxlBe9MGIQqHYP2/V6Chk5NXfcvsBT0uKsEzkypppMwlBf/P oZSBVBmF7DxTEKK1LSxL7ssfzED+liVj8PxxqW0ZeR8PnXgJprdIo3VllSAqGKsU VOcCENBpfcmJRL5ceVn+fBtAZbPjeqVFQd/37dNGGzuYV94s7Z1685MKOhRMwtwM lkSRFiOiAs0q1LHblgQtPczTEGKkuTYBD0zrZsaJcQgG/xY6WFSJUhQQ6siiqrkD 94ABKqn8hv3CvQc9CuCnPTPBvav8GCQ+xHh66iZWf91xLEtGmafE1lXiH2cNv5qc 501jUGbQirkkKXMacODp76rWlfE/PEyyEzgZ9Blbv9Z4oy3e4NX+2tmT0RBvW9JT T3znNqm1Kej7/A1G6Tjvz4RL8KQdhDs7sQ3mJLJCMduT/v9NttbwJV5p8pHT5BaM TUiCSrt07ZrkmYj2mCVTXBF7zmWWmGa98y2rcjjb6mOMIwGCRTPqTM0P3uGuNUmL dPbby4hMeNJ5ah0tb3jQrzomMje0NJg1vM+LEAxioklsS359jBrgq8dYxgK1c517 hvZJDgOO5ER3y6Eo94d10SJMPTGLf74kwekvuqiYiT9PEoVio2onfPn/+AGKHvvJ Xfa4x0Na/zWRN8ChUlay =0bel -----END PGP SIGNATURE-----
diff -Nru mantis-1.1.8+dfsg/debian/changelog mantis-1.1.8+dfsg/debian/changelog --- mantis-1.1.8+dfsg/debian/changelog 2010-02-28 19:32:41.000000000 +0100 +++ mantis-1.1.8+dfsg/debian/changelog 2010-09-05 01:58:14.000000000 +0200 @@ -1,3 +1,12 @@ +mantis (1.1.8+dfsg-6) unstable; urgency=high + + * debian/patches: + + Added 08-CVE-2010-2574.diff: Fix for CVE-2010-2574 XSS + vulnerability when deleting categories that have been + maliciously named.(Closes: #595510) + + -- Silvia Alvarez <sils@powered-by-linux.com> Sun, 05 Sep 2010 01:58:01 +0200 + mantis (1.1.8+dfsg-5) unstable; urgency=low * Switch to dpkg-source 3.0 (quilt) format diff -Nru mantis-1.1.8+dfsg/debian/patches/08-CVE-2010-2574.diff mantis-1.1.8+dfsg/debian/patches/08-CVE-2010-2574.diff --- mantis-1.1.8+dfsg/debian/patches/08-CVE-2010-2574.diff 1970-01-01 01:00:00.000000000 +0100 +++ mantis-1.1.8+dfsg/debian/patches/08-CVE-2010-2574.diff 2010-09-05 01:57:50.000000000 +0200 @@ -0,0 +1,37 @@ +# +# Description: Fix for CVE-2010-2574 XSS vulnerability when deleting +# categories that have been maliciously named. +# The malicious message string is now passed through +# string_display_line() function (which takes care of removing +# any potencially dangerous HTML tags) before printing it. +# This prevents the reported XSS injection. +# +# Author: Silvia Alvarez <sils@powered-by-linux.com> +# Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574 +# Bug: http://secunia.com/advisories/40832/ +# Bug: http://www.mantisbt.org/bugs/view.php?id=12230 +# Bug-Debian: http://bugs.debian.org/595510 +# Last-Update: 2010-09-04 +# + +Index: mantis-1.1.8+dfsg/manage_proj_cat_delete.php +=================================================================== +--- mantis-1.1.8+dfsg.orig/manage_proj_cat_delete.php 2010-09-05 00:08:56.734839078 +0200 ++++ mantis-1.1.8+dfsg/manage_proj_cat_delete.php 2010-09-05 00:35:16.189838315 +0200 +@@ -26,6 +26,7 @@ + $t_core_path = config_get( 'core_path' ); + + require_once( $t_core_path.'category_api.php' ); ++ require_once( $t_core_path.'string_api.php' ); + + form_security_validate( 'manage_proj_cat_delete' ); + +@@ -38,7 +39,7 @@ + + # Confirm with the user + helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) . +- '<br/>' . lang_get( 'category' ) . ': ' . $f_category, ++ '<br/>' . lang_get( 'category' ) . ': ' . string_display_line($f_category), + lang_get( 'delete_category_button' ) ); + + category_remove( $f_project_id, $f_category ); diff -Nru mantis-1.1.8+dfsg/debian/patches/series mantis-1.1.8+dfsg/debian/patches/series --- mantis-1.1.8+dfsg/debian/patches/series 2010-02-28 18:50:54.000000000 +0100 +++ mantis-1.1.8+dfsg/debian/patches/series 2010-09-05 00:53:04.000000000 +0200 @@ -5,3 +5,4 @@ 04-disable-use-of-projax.patch 05-fix-phpmailer.patch 06-use-libnusoap-php.patch +08-CVE-2010-2574.diff
Attachment:
signature.asc
Description: OpenPGP digital signature