tags 693283 +patch thanks Here is a patch. Stupid me forgot to bring his OpenPGP card to the BSP.
Simon
diff -Nru mantis-1.2.11/debian/changelog mantis-1.2.11/debian/changelog
--- mantis-1.2.11/debian/changelog 2012-08-06 06:07:15.000000000 +0000
+++ mantis-1.2.11/debian/changelog 2012-11-24 18:27:01.000000000 +0000
@@ -1,3 +1,13 @@
+mantis (1.2.11-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Refresh quilt patches
+ * Fix two CVEs (Closes: #693283)
+ - CVE-2012-5522
+ - CVS-2012-5523
+
+ -- Simon Richter <s...@debian.org> Sat, 24 Nov 2012 18:04:54 +0000
+
 mantis (1.2.11-1.1) unstable; urgency=low
 
 * Non-maintainer upload.
diff -Nru mantis-1.2.11/debian/patches/000-disallow-admin-warning-directory.diff mantis-1.2.11/debian/patches/000-disallow-admin-warning-directory.diff
--- mantis-1.2.11/debian/patches/000-disallow-admin-warning-directory.diff 2012-06-15 15:24:55.000000000 +0000
+++ mantis-1.2.11/debian/patches/000-disallow-admin-warning-directory.diff 2012-11-24 18:16:58.000000000 +0000
@@ -8,11 +8,11 @@
 # Author: Silvia Alvarez <s...@powered-by-linux.com>
 # Last-Update: 2011-03-01
 #
-Index: mantis/login_page.php
+Index: mantis-1.2.11/login_page.php
 ===================================================================
---- mantis.orig/login_page.php 2011-03-06 03:14:32.376403532 +0100
-+++ mantis/login_page.php 2011-03-06 03:15:24.935392877 +0100
-@@ -188,7 +188,8 @@
+--- mantis-1.2.11.orig/login_page.php 2012-06-15 15:27:38.000000000 +0000
++++ mantis-1.2.11/login_page.php 2012-11-24 17:52:39.000000000 +0000
+@@ -202,7 +202,8 @@
  $t_admin_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'admin' . DIRECTORY_SEPARATOR;
  if ( is_dir( $t_admin_dir ) ) {
  echo '<div class="warning" align="center">', "\n";
diff -Nru mantis-1.2.11/debian/patches/001-cve-2012-5522-followup.diff mantis-1.2.11/debian/patches/001-cve-2012-5522-followup.diff
--- mantis-1.2.11/debian/patches/001-cve-2012-5522-followup.diff 1970-01-01 00:00:00.000000000 +0000
+++ mantis-1.2.11/debian/patches/001-cve-2012-5522-followup.diff 2012-11-24 18:19:31.000000000 +0000
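Review bot: The second identifier in the new changelog stanza is misspelled as `CVS-2012-5523`; the patch file this upload adds is named 001-cve-2012-5523.diff, so the intended id is CVE-2012-5523. Tooling that scans changelog text for CVE ids (the security tracker, for instance) will presumably not associate this upload with that CVE as written, so the entry should read `- CVE-2012-5523` before the upload is signed.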
@@ -0,0 +1,174 @@
+From d982fc99e55f6b07fe0c737f8011d7e6c6fd2a69 Mon Sep 17 00:00:00 2001
+From: Damien Regad <damien.re...@merckgroup.com>
+Date: Sun, 28 Oct 2012 23:47:15 +0100
+Subject: [PATCH] Workflow config: delete override if identical to parent
+
+The code in manage_config_workflow_set.php now deletes the config
+override for the current project if the new settings are identical to
+the parent's (ALL_PROJECTS level if project, or file-level if all
+projects).
+
+Follow-up fix for issue #14496
+---
+ manage_config_workflow_set.php | 104 ++++++++++++++++++++++++++++++----------
+ 1 file changed, 80 insertions(+), 24 deletions(-)
+
+diff --git a/manage_config_workflow_set.php b/manage_config_workflow_set.php
+index c960770..e1a9d41 100644
+--- a/manage_config_workflow_set.php
++++ b/manage_config_workflow_set.php
+@@ -31,6 +31,22 @@
+ 
+ auth_reauthenticate();
+ 
++ /**
++ * Retrieves the value of config option for the project's parent
++ * (ALL_PROJECTS level if project, or file-level if all projects)
++ * @param $p_project project
++ * @param $p_option config option to retrieve
++ * @return mixed config option value
++ */
++ function config_get_parent( $p_project, $p_option ) {
++ if( $p_project == ALL_PROJECTS ) {
++ return config_get_global( $p_option );
++ } else {
++ return config_get( $p_option, null, null, ALL_PROJECTS );
++ }
++ }
++
++
+ $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) );
+ access_ensure_project_level( $t_can_change_level );
+ 
+@@ -41,14 +57,23 @@
+ html_page_top( lang_get( 'manage_workflow_config' ), $t_redirect_url );
+ 
+ # process the changes to threshold values
+- $t_valid_thresholds = array( 'bug_submit_status', 'bug_resolved_status_threshold', 'bug_reopen_status' );
++ $t_valid_thresholds = array(
++ 'bug_submit_status',
++ 'bug_resolved_status_threshold',
++ 'bug_reopen_status',
++ );
+ 
+ foreach( $t_valid_thresholds as $t_threshold ) {
+- if( config_get_access( $t_threshold ) <= $t_access ) {
++ $t_access_current = config_get_access( $t_threshold );
++ if( $t_access >= $t_access_current ) {
+ $f_value = gpc_get( 'threshold_' . $t_threshold );
++ $t_value_current = config_get( $t_threshold );
+ $f_access = gpc_get( 'access_' . $t_threshold );
+- if ( ( $f_value != config_get( $t_threshold ) )
+- || ( $f_access != config_get_access( $t_threshold ) ) ) {
++ if( $f_value == $t_value_current && $f_access == $t_access_current ) {
++ # If new value is equal to parent and access has not changed
++ config_delete( $t_threshold, ALL_USERS , $t_project );
++ } else if( $f_value != $t_value_current || $f_access != $t_access_current ) {
++ # Set config if value or access have changed
+ config_set( $t_threshold, $f_value, NO_USER, $t_project, $f_access );
+ }
+ }
+@@ -90,8 +115,27 @@
+ $t_workflow[$t_state] = $t_workflow_row;
+ }
+ }
+- if ( ( $t_workflow != config_get( 'status_enum_workflow' ) )
+- || ( $f_access != config_get_access( 'status_enum_workflow' ) ) ) {
++
++ # Get the parent's workflow, if not set default to all transitions
++ $t_access_current = config_get_access( 'status_enum_workflow' );
++ $t_workflow_parent = config_get_parent( $t_project, 'status_enum_workflow' );
++ if ( 0 == count( $t_workflow_parent ) ) {
++ foreach( $t_enum_status as $t_status => $t_label ) {
++ $t_temp_workflow = array();
++ foreach( $t_enum_status as $t_next => $t_next_label ) {
++ if( $t_status != $t_next ) {
++ $t_temp_workflow[] = "$t_next:$t_next_label";
++ }
++ }
++ $t_workflow_parent[$t_status] = implode( ',', $t_temp_workflow );
++ }
++ }
++
++ if( $t_workflow == $t_workflow_parent && $f_access == $t_access_current ) {
++ # If new value is equal to parent and access has not changed
++ config_delete( 'status_enum_workflow', ALL_USERS , $t_project );
++ } else if( $t_workflow != config_get( 'status_enum_workflow' ) || $f_access != $t_access_current ) {
++ # Set config if value or access have changed
+ config_set( 'status_enum_workflow', $t_workflow, NO_USER, $t_project, $f_access );
+ }
+ }
+@@ -100,40 +144,52 @@
+ if( config_get_access( 'status_enum_workflow' ) <= $t_access ) {
+ # get changes to access level to change these values
+ $f_access = gpc_get( 'status_access' );
++ $t_access_current = config_get_access( 'status_enum_workflow' );
+ 
+- # Build default
+- $t_file_set = config_get_global( 'set_status_threshold' );
++ # Build access level reference arrays (parent level and current config)
++ $t_set_parent = config_get_parent( $t_project, 'set_status_threshold' );
++ $t_set_current = config_get( 'set_status_threshold' );
+ $t_bug_submit_status = config_get( 'bug_submit_status' );
+- foreach ( $t_enum_status as $t_status => $t_status_label) {
+- if ( !isset( $t_file_set[$t_status] ) ) {
+- if ( $t_bug_submit_status == $t_status ) {
+- $t_file_set[$t_status] = config_get_global('report_bug_threshold');
++ foreach( $t_enum_status as $t_status => $t_status_label ) {
++ if( !isset( $t_set_parent[$t_status] ) ) {
++ if( $t_bug_submit_status == $t_status ) {
++ $t_set_parent[$t_status] = config_get_parent( $t_project, 'report_bug_threshold' );
+ } else {
+- $t_file_set[$t_status] = config_get_global('update_bug_status_threshold');
++ $t_set_parent[$t_status] = config_get_parent( $t_project, 'update_bug_status_threshold' );
++ }
++ }
++ if( !isset( $t_set_current[$t_status] ) ) {
++ if( $t_bug_submit_status == $t_status ) {
++ $t_set_current[$t_status] = config_get( 'report_bug_threshold' );
++ } else {
++ $t_set_current[$t_status] = config_get( 'update_bug_status_threshold' );
+ }
+ }
+ }
+ 
+ # walk through the status labels to set the status threshold
+- $t_set_status = array();
++ $t_set_new = array();
+ foreach( $t_enum_status as $t_status_id => $t_status_label) {
+- $f_level = gpc_get( 'access_change_' . $t_status_id );
++ $f_level = gpc_get_int( 'access_change_' . $t_status_id );
+ if ( config_get( 'bug_submit_status' ) == $t_status_id ) {
+- if ( (int)$f_level != config_get( 'report_bug_threshold' ) ) {
++ if ( $f_level != config_get( 'report_bug_threshold' ) ) {
+ config_set( 'report_bug_threshold', (int)$f_level, ALL_USERS, $t_project, $f_access );
++ } else {
++ config_delete( 'report_bug_threshold', ALL_USERS , $t_project );
+ }
+- unset( $t_file_set[$t_status_id] );
++ unset( $t_set_parent[$t_status_id] );
++ unset( $t_set_current[$t_status_id] );
+ } else {
+- $t_set_status[$t_status_id] = (int)$f_level;
++ $t_set_new[$t_status_id] = $f_level;
+ }
+ }
+ 
+- if( ( $t_set_status != $t_file_set
+- && $t_set_status != config_get( 'set_status_threshold' )
+- )
+- || $f_access != config_get_access( 'status_enum_workflow' )
+- ) {
+- config_set( 'set_status_threshold', $t_set_status, ALL_USERS, $t_project, $f_access );
++ if( $t_set_new == $t_set_parent && $f_access == $t_access_current ) {
++ # If new value is equal to parent and access has not changed
++ config_delete( 'set_status_threshold', ALL_USERS , $t_project );
++ } else if( $t_set_new != $t_set_current || $f_access != $t_access_current ) {
++ # Set config if value or access have changed
++ config_set( 'set_status_threshold', $t_set_new, ALL_USERS, $t_project, $f_access );
+ }
+ }
+ 
+-- 
+1.7.10
+
diff -Nru mantis-1.2.11/debian/patches/001-cve-2012-5522.diff mantis-1.2.11/debian/patches/001-cve-2012-5522.diff
--- mantis-1.2.11/debian/patches/001-cve-2012-5522.diff 1970-01-01 00:00:00.000000000 +0000
+++ mantis-1.2.11/debian/patches/001-cve-2012-5522.diff 2012-11-24 18:17:16.000000000 +0000
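Review bot: In the threshold loop of the embedded `@@ -41,14 +57,23 @@` hunk the delete branch compares the submitted value with `$t_value_current = config_get( $t_threshold )`, which is the project's current effective value, while its comment says "equal to parent"; when a project override already exists, re-saving the form unchanged therefore deletes that override and the effective `bug_resolved_status_threshold` / `bug_reopen_status` silently fall back to the parent's values, which presumably changes who may resolve or reopen issues in that project. The workflow and set_status_threshold blocks in the same patch compare against `config_get_parent()`; the threshold loop should do the same, e.g. `$t_value_parent = config_get_parent( $t_project, $t_threshold );` and `if( $f_value == $t_value_parent && $f_access == $t_access_current ) {`. The new `} else { config_delete( 'report_bug_threshold', ... ) }` branch in the last hunk has the same shape, deleting the project override whenever the submitted level equals the current effective value rather than the parent's, and should be adjusted alongside it.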
@@ -0,0 +1,94 @@
+From d893ca3fd5dfb5304f8193ea694de17807ac488a Mon Sep 17 00:00:00 2001
+From: Damien Regad <damien.re...@merckgroup.com>
+Date: Sat, 13 Oct 2012 00:37:06 +0200
+Subject: [PATCH] Manage config workflow page does not reflect actual config
+
+The code did not properly reflect the configuration state when building
+the Access Levels form, if the minimum access level was defined using
+update_bug_status_threshold and set_status_threshold wass empty, showing
+'viewer' for each status except 'new'.
+
+Consequently, saving the page without changes would cause the config to
+be saved with all access levels as 'viewer'.
+
+Fixes #14496
+---
+ manage_config_workflow_page.php | 5 +++--
+ manage_config_workflow_set.php | 28 ++++++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+Index: mantis-1.2.11/manage_config_workflow_page.php
+===================================================================
+--- mantis-1.2.11.orig/manage_config_workflow_page.php 2012-06-15 15:27:38.000000000 +0000
++++ mantis-1.2.11/manage_config_workflow_page.php 2012-11-24 18:17:12.345036444 +0000
+@@ -318,9 +318,10 @@
+ }
+ }
+ } else {
+- $t_level = ( isset( $t_project_set[$t_status] ) ? $t_project_set[$t_status] : false );
+- $t_level_global = ( isset( $t_global_set[$t_status] ) ? $t_global_set[$t_status] : false );
+ $t_level_file = ( isset( $t_file_set[$t_status] ) ? $t_file_set[$t_status] : false );
++ $t_level_global = ( isset( $t_global_set[$t_status] ) ? $t_global_set[$t_status] : $t_level_file );
++ $t_level = ( isset( $t_project_set[$t_status] ) ? $t_project_set[$t_status] : $t_level_global );
++
+ $t_can_change = ( $t_access >= config_get_access( 'set_status_threshold' ) );
+ $t_colour = '';
+ if ( $t_level_global != $t_level_file ) {
+Index: mantis-1.2.11/manage_config_workflow_set.php
+===================================================================
+--- mantis-1.2.11.orig/manage_config_workflow_set.php 2012-06-15 15:27:38.000000000 +0000
++++ mantis-1.2.11/manage_config_workflow_set.php 2012-11-24 18:17:12.349036459 +0000
+@@ -64,8 +64,8 @@
+ list( $t_from, $t_to ) = explode( ':', $t_transition );
+ $t_matrix[$t_from][$t_to] = '';
+ }
+- $t_statuses = MantisEnum::getAssocArrayIndexedByValues( config_get( 'status_enum_string' ) );
+- foreach( $t_statuses as $t_state => $t_label) {
++ $t_enum_status = MantisEnum::getAssocArrayIndexedByValues( config_get( 'status_enum_string' ) );
++ foreach( $t_enum_status as $t_state => $t_label) {
+ $t_workflow_row = '';
+ $t_default = gpc_get_int( 'default_' . $t_state );
+ if ( isset( $t_matrix[$t_state] ) && isset( $t_matrix[$t_state][$t_default] ) ) {
+@@ -101,22 +101,38 @@
+ # get changes to access level to change these values
+ $f_access = gpc_get( 'status_access' );
+ 
++ # Build default
++ $t_file_set = config_get_global( 'set_status_threshold' );
++ $t_bug_submit_status = config_get( 'bug_submit_status' );
++ foreach ( $t_enum_status as $t_status => $t_status_label) {
++ if ( !isset( $t_file_set[$t_status] ) ) {
++ if ( $t_bug_submit_status == $t_status ) {
++ $t_file_set[$t_status] = config_get_global('report_bug_threshold');
++ } else {
++ $t_file_set[$t_status] = config_get_global('update_bug_status_threshold');
++ }
++ }
++ }
++
+ # walk through the status labels to set the status threshold
+- $t_enum_status = explode( ',', config_get( 'status_enum_string' ) );
+ $t_set_status = array();
+- foreach( $t_statuses as $t_status_id => $t_status_label) {
++ foreach( $t_enum_status as $t_status_id => $t_status_label) {
+ $f_level = gpc_get( 'access_change_' . $t_status_id );
+ if ( config_get( 'bug_submit_status' ) == $t_status_id ) {
+ if ( (int)$f_level != config_get( 'report_bug_threshold' ) ) {
+ config_set( 'report_bug_threshold', (int)$f_level, ALL_USERS, $t_project, $f_access );
+ }
++ unset( $t_file_set[$t_status_id] );
+ } else {
+ $t_set_status[$t_status_id] = (int)$f_level;
+ }
+ }
+ 
+- if ( ( $t_set_status != config_get( 'set_status_threshold' ) )
+- || ( $f_access != config_get_access( 'status_enum_workflow' ) ) ) {
++ if( ( $t_set_status != $t_file_set
++ && $t_set_status != config_get( 'set_status_threshold' )
++ )
++ || $f_access != config_get_access( 'status_enum_workflow' )
++ ) {
+ config_set( 'set_status_threshold', $t_set_status, ALL_USERS, $t_project, $f_access );
+ }
+ }
diff -Nru mantis-1.2.11/debian/patches/001-cve-2012-5523.diff mantis-1.2.11/debian/patches/001-cve-2012-5523.diff
--- mantis-1.2.11/debian/patches/001-cve-2012-5523.diff 1970-01-01 00:00:00.000000000 +0000
+++ mantis-1.2.11/debian/patches/001-cve-2012-5523.diff 2012-11-24 18:22:01.000000000 +0000
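Review bot: The patch only changes how the form is rendered and how a new submission is compared, so `set_status_threshold` overrides that an earlier save on an affected version already persisted with every level as 'viewer' (the behaviour the embedded commit message describes) remain in the database after the upgrade; administrators have to revisit manage_config_workflow_page.php for each affected project and re-save it, and that caveat deserves a line in the changelog or a README.Debian note since the code change alone does not restore those projects. Separately, `$f_level = gpc_get( 'access_change_' . $t_status_id )` still accepts arbitrary form text and only casts it with `(int)` at the two use sites, where a non-numeric value becomes 0; the followup patch in this same upload replaces it with `gpc_get_int()`, so the two patches should probably be folded or ordered so the stricter read is in place wherever this block is applied.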
@@ -0,0 +1,46 @@
+From 2cc83ca98e602f0d4232053a6ad3533e41462a35 Mon Sep 17 00:00:00 2001
+From: Damien Regad <damien.re...@merckgroup.com>
+Date: Wed, 12 Sep 2012 17:48:17 +0200
+Subject: [PATCH] Don't send email notices for a bug to which users have no
+ access
+
+Prior to this, users without viewer access to a bug could potentially
+receive email notifications for it. This could happen in case of
+permissions changes, or if an issue is moved to another project with
+different access rights.
+
+Added an access level check to exclude users who don't have at least
+VIEWER privilege to the bug.
+
+Fixes #14704
+---
+ core/email_api.php | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/core/email_api.php b/core/email_api.php
+index 805a925..ba99cd5 100644
+--- a/core/email_api.php
++++ b/core/email_api.php
+@@ -383,12 +383,13 @@ function email_collect_recipients( $p_bug_id, $p_notify_type, $p_extra_user_ids_
+ }
+ }
+ 
+- # check that user can see bugnotes if the last update included a bugnote
+- if( $t_bug_date == $t_bugnote_date ) {
+- if( !access_has_bugnote_level( VIEWER, $t_bugnote_id, $t_id ) ) {
+- log_event( LOG_EMAIL_RECIPIENT, sprintf( 'Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id ) );
+- continue;
+- }
++ # exclude users who don't have at least viewer access to the bug,
++ # or who can't see bugnotes if the last update included a bugnote
++ if( !access_has_bug_level( VIEWER, $p_bug_id, $t_id )
++ || $t_bug_date == $t_bugnote_date && !access_has_bugnote_level( VIEWER, $t_bugnote_id, $t_id )
++ ) {
++ log_event( LOG_EMAIL_RECIPIENT, sprintf( 'Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id ) );
++ continue;
+ }
+ 
+ # check to exclude users as specified by plugins
+-- 
+1.7.10
+
diff -Nru mantis-1.2.11/debian/patches/series mantis-1.2.11/debian/patches/series
--- mantis-1.2.11/debian/patches/series 2012-06-15 15:24:55.000000000 +0000
+++ mantis-1.2.11/debian/patches/series 2012-11-24 18:22:12.000000000 +0000
@@ -2,3 +2,6 @@
 000-disallow-admin-functions-not-used.diff
 000-force-check-config_inc-for-new-installation.diff
 000-disallow-admin-warning-directory.diff
+001-cve-2012-5522.diff
+001-cve-2012-5522-followup.diff
+001-cve-2012-5523.diff
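Review bot: In the email_api.php hunk of 001-cve-2012-5523.diff the new recipient check mixes `||` and `&&` without parentheses; it parses as intended because `&&` binds tighter, but an access-control condition in a notification path should not rely on the reader knowing that, so the second operand is better written as `|| ( $t_bug_date == $t_bugnote_date && !access_has_bugnote_level( VIEWER, $t_bugnote_id, $t_id ) )`. Both drop reasons now emit the identical `'Issue = #%d, drop @U%d (access level)'` line, so the LOG_EMAIL_RECIPIENT log no longer shows whether a user was dropped for lacking access to the bug or to its last bugnote; distinct suffixes such as `(bug access level)` and `(bugnote access level)` would keep that distinction available when investigating a suspected notification leak. The enclosing function email_collect_recipients begins before this hunk and continues after it.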