The vulnerable lines and the developers' countermeasure can be inspected at http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/view_all_set.php?r1=1.60&r2=1.61
The package state is as follows:

STABLE

The package in Debian stable is currently at version 0.19.2-5sarge2:
http://packages.debian.org/stable/web/mantis

This version is based on upstream version v0.19.2
http://ftp.debian.org/debian/pool/main/m/mantis/mantis_0.19.2.orig.tar.gz

This version is vulnerable, lines 126-131 contain the vulnerable code. The Debian patchset
http://ftp.debian.org/debian/pool/main/m/mantis/mantis_0.19.2-5sarge2.diff.gz
does not modify or fix these lines. As such, the Debian package should be considered vulnerable. A patch is attached.

OLDSTABLE

The package in Debian oldstable is currently at version 0.17.1-3:
http://packages.debian.org/oldstable/web/mantis

This version is based on upstream version v0.17.1
http://security.debian.org/debian-security/pool/updates/main/m/mantis/mantis_0.17.1.orig.tar.gz

This version is not vulnerable, it does not contain the vulnerable code. The Debian patchset
http://security.debian.org/debian-security/pool/updates/main/m/mantis/mantis_0.17.1-3.diff.gz
does not introduce the vulnerable code. As such, the Debian package should be considered unaffected.

Hth,
Moritz (yet another, resistance is futile)
diff -Naur mantis-0.19.2.orig/view_all_set.php mantis-0.19.2/view_all_set.php --- mantis-0.19.2.orig/view_all_set.php 2004-10-28 02:31:06.000000000 +0200 +++ mantis-0.19.2/view_all_set.php 2006-06-03 03:11:47.000000000 +0200 @@ -123,12 +123,12 @@ $f_sort = gpc_get_string( 'sort', 'last_updated' ); $f_dir = gpc_get_string( 'dir', 'DESC' ); # date values - $f_start_month = gpc_get_string( 'start_month', date( 'm' ) ); - $f_end_month = gpc_get_string( 'end_month', date( 'm' ) ); - $f_start_day = gpc_get_string( 'start_day', 1 ); - $f_end_day = gpc_get_string( 'end_day', date( 'd' ) ); - $f_start_year = gpc_get_string( 'start_year', date( 'Y' ) ); - $f_end_year = gpc_get_string( 'end_year', date( 'Y' ) ); + $f_start_month = gpc_get_int( 'start_month', date( 'm' ) ); + $f_end_month = gpc_get_int( 'end_month', date( 'm' ) ); + $f_start_day = gpc_get_int( 'start_day', 1 ); + $f_end_day = gpc_get_int( 'end_day', date( 'd' ) ); + $f_start_year = gpc_get_int( 'start_year', date( 'Y' ) ); + $f_end_year = gpc_get_int( 'end_year', date( 'Y' ) ); $f_search = gpc_get_string( 'search', '' ); $f_and_not_assigned = gpc_get_bool( 'and_not_assigned' ); $f_do_filter_by_date = gpc_get_bool( 'do_filter_by_date' );
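Review bot: The six date fields switched to gpc_get_int() in view_all_set.php (start/end month, day and year) are now typed but still not range-checked, so values such as month 0 or day 99 pass through this hunk unchanged. If the code that consumes them expects a real calendar date, add a bounds check (month 1-12, day 1-31, or PHP's checkdate() on each triple) right after these assignments and fall back to the defaults on failure. The defaults date( 'm' ), date( 'd' ) and date( 'Y' ) are strings passed to an integer getter; wrapping them in (int) would make the intent explicit. Separately, the unchanged context lines still read 'sort' and 'dir' through gpc_get_string(); nothing in this hunk shows how they are used, so it is worth confirming that they are restricted to known column names and to ASC/DESC before they reach a query.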