
Fixed - mantis: CVE-2010-3303 xss vulnerability (Permission to upload)



Hi Team,

Attached you will find the diff between mantis_1.1.6+dfsg-2lenny2 (currently in s-p-u) and mantis_1.1.6+dfsg-2lenny3 with the fix for CVE-2010-3303.

I have not uploaded any package and will not until I receive a confirmation or guidelines from the release team about how to proceed.

Please let me know if any other steps should be taken on my side.

Don't hesitate to contact me if you need any further info.

Best regards,

Sils

diff -u mantis-1.1.6+dfsg/debian/changelog mantis-1.1.6+dfsg/debian/changelog
--- mantis-1.1.6+dfsg/debian/changelog
+++ mantis-1.1.6+dfsg/debian/changelog
@@ -1,3 +1,13 @@
+mantis (1.1.6+dfsg-2lenny3) stable-proposed-updates; urgency=low
+
+  * debian/patches/06-CVE-2010-3303-04-and-05.diff:
+     Fixes for CVE-2010-3303 (4) and (5) vulnerabilities.
+     Note: Mantis debian packages (1.1.6 and 1.1.8) are not affected
+     for vulnerabilities described as 1, 2 and 3 at
+     CVE-2010-3303">http://security-tracker.debian.org/tracker/CVE-2010-3303
+
+ -- Silvia Alvarez <sils@powered-by-linux.com>  Sun, 24 Oct 2010 18:31:19 +0200
+
 mantis (1.1.6+dfsg-2lenny2) stable-proposed-updates; urgency=low
 
   * debian/patches:
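
Review bot: The last line of the new changelog entry has a stray CVE-2010-3303"> fragment in front of the security-tracker URL, which looks like leftover HTML anchor markup; the line should carry only the bare URL. The note above it would also read more clearly as "are not affected by the vulnerabilities described as (1), (2) and (3)", matching the numbering used in the header of 06-CVE-2010-3303-04-and-05.diff.
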
diff -u mantis-1.1.6+dfsg/debian/patches/series mantis-1.1.6+dfsg/debian/patches/series
--- mantis-1.1.6+dfsg/debian/patches/series
+++ mantis-1.1.6+dfsg/debian/patches/series
@@ -5,0 +6 @@
+06-CVE-2010-3303-04-and-05.diff
diff -u mantis-1.1.6+dfsg/debian/patches/05-CVE-2010-2574.diff mantis-1.1.6+dfsg/debian/patches/05-CVE-2010-2574.diff
--- mantis-1.1.6+dfsg/debian/patches/05-CVE-2010-2574.diff
+++ mantis-1.1.6+dfsg/debian/patches/05-CVE-2010-2574.diff
@@ -16,8 +16,8 @@
 
 Index: mantis-1.1.6+dfsg/manage_proj_cat_delete.php
 ===================================================================
---- mantis-1.1.6+dfsg.orig/manage_proj_cat_delete.php	2010-09-05 02:54:47.631129913 +0200
-+++ mantis-1.1.6+dfsg/manage_proj_cat_delete.php	2010-09-05 02:54:57.255130408 +0200
+--- mantis-1.1.6+dfsg.orig/manage_proj_cat_delete.php	2010-09-05 14:34:11.000000000 +0200
++++ mantis-1.1.6+dfsg/manage_proj_cat_delete.php	2010-09-05 14:34:54.000000000 +0200
 @@ -26,6 +26,7 @@
  	$t_core_path = config_get( 'core_path' );
  
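
Review bot: The only change to 05-CVE-2010-2574.diff is the pair of timestamps in the manage_proj_cat_delete.php header lines, which is unrelated to CVE-2010-3303 and is not mentioned in the 2lenny3 changelog entry. For a stable-proposed-updates upload it would be better to drop this churn so the debdiff contains only the new patch, or to note the refresh in the changelog if it is intentional.
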
only in patch2:
unchanged:
--- mantis-1.1.6+dfsg.orig/debian/patches/06-CVE-2010-3303-04-and-05.diff
+++ mantis-1.1.6+dfsg/debian/patches/06-CVE-2010-3303-04-and-05.diff
@@ -0,0 +1,33 @@
+#
+# Description: Fix for CVE-2010-3303 (4) and (5) vulnerabilities.
+#
+#   Patch based on upstream repository commit:
+#   http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=3bc117fc87003af07d8871f7ad81b5c999215efd#patch1
+#
+#   CVE-2010-3303 : Multiple cross-site scripting (XSS) vulnerabilities 
+#   in MantisBT before 1.2.3 allow remote authenticated administrators to 
+#   inject arbitrary web script or HTML via (1) a plugin name, related to 
+#   manage_plugin_uninstall.php; (2) an enumeration value or (3) a String 
+#   value of a custom field, related to core/cfdefs/cfdef_standard.php; or 
+#   a (4) project or (5) category name to print_all_bug_page_word.php.
+#
+# Author: Dario Minnucci <midget@debian.org>
+# Bug: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3303
+# Bug: http://security-tracker.debian.org/tracker/CVE-2010-3303
+# Bug: http://www.mantisbt.org/bugs/view.php?id=12371
+# Bug-Debian: http://bugs.debian.org/599710
+# Last-Update: 2010-10-13
+#
+Index: mantis-1.1.8+dfsg/print_all_bug_page_word.php
+===================================================================
+--- mantis-1.1.8+dfsg.orig/print_all_bug_page_word.php	2010-10-13 17:17:36.767106519 +0200
++++ mantis-1.1.8+dfsg/print_all_bug_page_word.php	2010-10-13 17:17:55.062831594 +0200
+@@ -160,7 +160,7 @@
+ 		<?php echo $v_id ?>
+ 	</td>
+ 	<td class="print">
+-		<?php echo "[$t_project_name] $v_category" ?>
++		<?php echo '[' . string_display_line( $t_project_name ) . '] ' . string_display_line( $v_category ) ?>
+ 	</td>
+ 	<td class="print">
+ 		<?php echo get_enum_element( 'severity', $v_severity ) ?>
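
Review bot: The Index line and the ---/+++ headers of the embedded patch name mantis-1.1.8+dfsg, and the @@ -160,7 +160,7 @@ offsets come from that tree, while this package is 1.1.6+dfsg and patch 05 uses the mantis-1.1.6+dfsg prefix. Refresh the patch against the 1.1.6 source so it applies without offset or fuzz and the headers match the rest of the series. The change itself wraps both $t_project_name and $v_category in string_display_line() at this one echo; it is worth confirming there is no other place in print_all_bug_page_word.php where either value is printed unescaped.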
