tags 669927 +patch
thanks

Hi,

Attached you'll find a possible patch for CVE-2012-1122.

Description: Fix for CVE-2012-1122: Incorrect access checks performed when moving bugs between projects
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13748
Bug-Debian: http://bugs.debian.org/669927
Origin: https://github.com/mantisbt/mantisbt/commit/64af3ef8c0b43bd007664d84e0177716daac4a84
Last-Update: 2012-04-21

Note: Needs some testing!

Regards,

-- 
Dario Minnucci <mid...@debian.org>
Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033

Description: Fix for CVE-2012-1122: Incorrect access checks performed when moving bugs between projects Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13748 Bug-Debian: http://bugs.debian.org/669927 Origin: https://github.com/mantisbt/mantisbt/commit/64af3ef8c0b43bd007664d84e0177716daac4a84 Last-Update: 2012-04-21 Index: mantis/bug_actiongroup.php =================================================================== --- mantis.orig/bug_actiongroup.php 2012-04-21 22:16:58.760666308 +0200 +++ mantis/bug_actiongroup.php 2012-04-21 22:20:42.921354198 +0200 @@ -96,7 +96,8 @@ break; case 'MOVE': - if ( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) ) { + if( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) && + access_has_project_level( config_get( 'report_bug_threshold', null, null, $f_project_id ), $f_project_id ) ) { # @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) ); $f_project_id = gpc_get_int( 'project_id' ); bug_set_field( $t_bug_id, 'project_id', $f_project_id );
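
Review bot: In the new condition under case 'MOVE', $f_project_id is passed to both config_get( 'report_bug_threshold', null, null, $f_project_id ) and access_has_project_level(), but the only assignment visible in this hunk, "$f_project_id = gpc_get_int( 'project_id' );", sits inside the block that the condition guards. Unless the variable is already set earlier in the file, outside these lines, the destination-project check is evaluated against an unset project id instead of the project submitted in the request. Suggest moving the gpc_get_int( 'project_id' ) line above the if so the report_bug_threshold check uses the target project, and covering in testing a move attempted by a user who meets move_bug_threshold on the source bug but lacks report access on the destination project.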