
Fixed - mantis: CVE-2010-3763 xss vulnerability (Permission to upload)



Hi Team,

Attached you will find the diff between mantis_1.1.6+dfsg-2lenny3
(currently in s-p-u) and mantis_1.1.6+dfsg-2lenny4 with the fix for
CVE-2010-3763 [1].

Fixed in version mantis/1.1.8+dfsg-9 (unstable) [2]

I'll wait for your permission to upload.

Don't hesitate to contact me if you need any further info.

Best regards,

Sils

[1] http://security-tracker.debian.org/tracker/CVE-2010-3303
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601618
diff -u mantis-1.1.6+dfsg/debian/changelog mantis-1.1.6+dfsg/debian/changelog
--- mantis-1.1.6+dfsg/debian/changelog
+++ mantis-1.1.6+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+mantis (1.1.6+dfsg-2lenny4) stable-proposed-updates; urgency=low
+
+  * debian/patches/07-CVE-2010-3763.diff:
+     Fixes for CVE-2010-3763. 
+
+ -- Silvia Alvarez <sils@powered-by-linux.com>  Sat, 30 Oct 2010 11:55:50 +0200
+
 mantis (1.1.6+dfsg-2lenny3) stable-proposed-updates; urgency=low
 
   * debian/patches/06-CVE-2010-3303-04-and-05.diff:
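Review bot: The new changelog entry names debian/patches/07-CVE-2010-3763.diff, but the file added later in this debdiff and listed in debian/patches/series is 07-CVE-2010-3303-04-and-05.diff. Make the changelog and the file name agree; renaming the patch after the CVE it fixes is the cleaner option. The entry also has no "Closes: #601618" although the patch header cites that Debian bug, and the "Fixes for CVE-2010-3763." line carries trailing whitespace.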
diff -u mantis-1.1.6+dfsg/debian/patches/series mantis-1.1.6+dfsg/debian/patches/series
--- mantis-1.1.6+dfsg/debian/patches/series
+++ mantis-1.1.6+dfsg/debian/patches/series
@@ -1,3 +1,4 @@
+07-CVE-2010-3303-04-and-05.diff
 01-use-libphp-phpmailer-instead-of-prepackaged-version.patch
 02-disable-admin-directory-check.patch
 03-fix-wrong-php-path-in-checkin.patch
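Review bot: 07-CVE-2010-3303-04-and-05.diff is inserted as the first line of series, ahead of 01-use-libphp-phpmailer-instead-of-prepackaged-version.patch, so it would be applied before every other patch. If the patches are meant to apply in numeric order, add the entry at the end of the list instead. The name also repeats the CVE-2010-3303 suffix of the 06 patch even though this change is for CVE-2010-3763.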
only in patch2:
unchanged:
--- mantis-1.1.6+dfsg.orig/debian/patches/07-CVE-2010-3303-04-and-05.diff
+++ mantis-1.1.6+dfsg/debian/patches/07-CVE-2010-3303-04-and-05.diff
@@ -0,0 +1,39 @@
+#
+# Description: Fixes for CVE-2010-3763
+#
+#   Patch based on upstream repository commit:
+#   http://www.mantisbt.org/bugs/file_download.php?file_id=3017&type=bug
+#
+#   CVE-2010-3763 : Cross-site scripting (XSS) vulnerability in 
+#   core/summary_api.php in MantisBT before 1.2.3 allows remote 
+#   attackers to inject arbitrary web script or HTML via the 
+#   Summary field, a different vector than CVE-2010-3303. 
+#
+# Author: Dario Minnucci <midget@debian.org>
+# Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3763
+# Bug: http://www.mantisbt.org/bugs/view.php?id=12309
+# Bug-Debian: http://bugs.debian.org/601618
+# Last-Update: 2010-10-30
+#
+Index: mantis-1.1.6+dfsg/core/summary_api.php
+===================================================================
+--- mantis-1.1.6+dfsg.orig/core/summary_api.php	2010-10-30 11:34:46.839462033 +0200
++++ mantis-1.1.6+dfsg/core/summary_api.php	2010-10-30 11:36:52.607470031 +0200
+@@ -322,7 +322,7 @@
+ 			if ( $t_count++ == 10 ) break;
+ 
+ 			$t_bugid = string_get_bug_view_link( $row['id'] );
+-			$t_summary = string_html_specialchars( $row['summary'] );
++			$t_summary = string_display_line( $row['summary'] );
+ 			$t_notescount = $row['count'];
+ 
+ 			print "<tr " . helper_alternate_class() . ">\n";
+@@ -362,7 +362,7 @@
+ 			if ( $t_count++ == 10 ) break;
+ 
+ 			$t_bugid = string_get_bug_view_link( $row['id'] );
+-			$t_summary = $row['summary'];
++			$t_summary = string_display_line( $row['summary'] );
+ 			$t_days_open = intval ( ( time() - strtotime( $row['date_submitted'] ) ) / 86400 );
+ 
+ 			print "<tr " . helper_alternate_class() . ">\n";
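Review bot: In the embedded hunk at line 362 the old code assigned $row['summary'] with no escaping at all, so the fix depends entirely on string_display_line() HTML-escaping its argument. This patch does not add that function, so please confirm it is defined in the 1.1.6 tree and escapes the same way as the upstream one, given that the header describes a fix for MantisBT before 1.2.3. Separately, the header's Description names CVE-2010-3763 while the file is called 07-CVE-2010-3303-04-and-05.diff, and "Patch based on upstream repository commit" points at a file_download.php attachment rather than a commit.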
