The vulnerable lines and the developers' countermeasure can be inspected at
http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/view_all_set.php?r1=1.60&r2=1.61


The package state is as follows:


STABLE

The package in Debian stable is currently at version 0.19.2-5sarge2:
http://packages.debian.org/stable/web/mantis

This version is based on upstream version v0.19.2
http://ftp.debian.org/debian/pool/main/m/mantis/mantis_0.19.2.orig.tar.gz

This version is vulnerable; lines 126-131 contain the vulnerable code.

The Debian patchset
http://ftp.debian.org/debian/pool/main/m/mantis/mantis_0.19.2-5sarge2.diff.gz
does not modify or fix these lines. As such, the Debian package should
be considered vulnerable. A patch is attached.



OLDSTABLE

The package in Debian oldstable is currently at version 0.17.1-3:
http://packages.debian.org/oldstable/web/mantis

This version is based on upstream version v0.17.1
http://security.debian.org/debian-security/pool/updates/main/m/mantis/mantis_0.17.1.orig.tar.gz

This version is not vulnerable; it does not contain the vulnerable code.

The Debian patchset
http://security.debian.org/debian-security/pool/updates/main/m/mantis/mantis_0.17.1-3.diff.gz
does not introduce the vulnerable code. As such, the Debian package
should be considered unaffected.


Hth,
Moritz (yet another, resistance is futile)

diff -Naur mantis-0.19.2.orig/view_all_set.php mantis-0.19.2/view_all_set.php
--- mantis-0.19.2.orig/view_all_set.php 2004-10-28 02:31:06.000000000 +0200
+++ mantis-0.19.2/view_all_set.php      2006-06-03 03:11:47.000000000 +0200
@@ -123,12 +123,12 @@
        $f_sort                                 = gpc_get_string( 'sort', 
'last_updated' );
        $f_dir                                  = gpc_get_string( 'dir', 'DESC' 
);
        # date values
-       $f_start_month                  = gpc_get_string( 'start_month', date( 
'm' ) );
-       $f_end_month                    = gpc_get_string( 'end_month', date( 
'm' ) );
-       $f_start_day                    = gpc_get_string( 'start_day', 1 );
-       $f_end_day                              = gpc_get_string( 'end_day', 
date( 'd' ) );
-       $f_start_year                   = gpc_get_string( 'start_year', date( 
'Y' ) );
-       $f_end_year                             = gpc_get_string( 'end_year', 
date( 'Y' ) );
+       $f_start_month                  = gpc_get_int( 'start_month', date( 'm' 
) );
+       $f_end_month                    = gpc_get_int( 'end_month', date( 'm' ) 
);
+       $f_start_day                    = gpc_get_int( 'start_day', 1 );
+       $f_end_day                              = gpc_get_int( 'end_day', date( 
'd' ) );
+       $f_start_year                   = gpc_get_int( 'start_year', date( 'Y' 
) );
+       $f_end_year                             = gpc_get_int( 'end_year', 
date( 'Y' ) );
        $f_search                               = gpc_get_string( 'search', '' 
);
        $f_and_not_assigned             = gpc_get_bool( 'and_not_assigned' );
        $f_do_filter_by_date    = gpc_get_bool( 'do_filter_by_date' );
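
Review bot: The six gpc_get_int calls for start_month, end_month, start_day, end_day, start_year and end_year constrain the type but, as far as this hunk shows, not the range, so a month of 13 or a negative day would still be accepted here. Consider bounding each field (month 1-12, day 1-31, a sensible year window) or validating the assembled date before it is used. The unchanged context lines still read sort and dir with gpc_get_string; the hunk does not show whether those are later checked against the expected column names and ASC/DESC, so that is worth confirming in the same review.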
