Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=d0801af75e91d5f9ab94cab137795fe30a076d23
commit d0801af75e91d5f9ab94cab137795fe30a076d23
Author: kikadf <kikadf...@gmail.com>
Date:   Thu Sep 25 08:36:08 2014 +0200

    mantis-1.2.8-2arcturus1-x86_64

    * Fix CVE-2014-1608, CVE-2014-1609

diff --git a/source/network-extra/mantis/CVE-2014-1608.patch b/source/network-extra/mantis/CVE-2014-1608.patch
new file mode 100644
index 0000000..e0f5398
--- /dev/null
+++ b/source/network-extra/mantis/CVE-2014-1608.patch
@@ -0,0 +1,34 @@
+Patch by Henri Salo
+
+--- mantis-1.2.11.orig/api/soap/mc_file_api.php
++++ mantis-1.2.11/api/soap/mc_file_api.php
+@@ -152,25 +152,21 @@ function mci_file_get( $p_file_id, $p_ty
+ 
+ # we handle the case where the file is attached to a bug
+ # or attached to a project as a project doc.
+- $query = '';
++ $t_query = '';
+ switch( $p_type ) {
+ case 'bug':
+ $t_bug_file_table = db_get_table( 'mantis_bug_file_table' );
+- $query = "SELECT *
+- FROM $t_bug_file_table
+- WHERE id='$p_file_id'";
++ $t_query = "SELECT * FROM $t_bug_file_table WHERE id=" . db_param();
+ break;
+ case 'doc':
+ $t_project_file_table = db_get_table( 'mantis_project_file_table' );
+- $query = "SELECT *
+- FROM $t_project_file_table
+- WHERE id='$p_file_id'";
++ $t_query = "SELECT * FROM $t_project_file_table WHERE id=" . db_param();
+ break;
+ default:
+ return new soap_fault( 'Server', '', 'Invalid file type '.$p_type. ' .' );
+ }
+ 
+- $result = db_query( $query );
++ $result = db_query_bound( $t_query, array( $p_file_id ) );
+ 
+ if ( $result->EOF ) {
+ return new soap_fault( 'Client', '', 'Unable to find an attachment with type ' . $p_type. ' and id ' . $p_file_id . ' .' );
diff --git a/source/network-extra/mantis/CVE-2014-1609.patch b/source/network-extra/mantis/CVE-2014-1609.patch
new file mode 100644
index 0000000..6b8f4e0
--- /dev/null
+++ b/source/network-extra/mantis/CVE-2014-1609.patch
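Review bot: The patch headers target a 1.2.11 tree (`--- mantis-1.2.11.orig/api/soap/mc_file_api.php`) while the FrugalBuild in this same commit still builds pkgver=1.2.8, so the `@@ -152,25 +152,21 @@` context may sit at a different offset in the 1.2.8 sources; the build log should be checked for fuzz or a rejected hunk before the package is published, and the same applies to the CVE-2014-1609.patch hunk further down. Within this hunk the change itself is sound: both branches now pass `$p_file_id` through `db_query_bound( $t_query, array( $p_file_id ) )` rather than interpolating it, and the only value still interpolated into the SQL is the table name returned by `db_get_table()`. The enclosing mci_file_get function continues outside the hunk.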
@@ -0,0 +1,264 @@
+Patch provided by Henri Salo
+
+--- mantis-1.2.11.orig/proj_doc_page.php
++++ mantis-1.2.11/proj_doc_page.php
+@@ -71,14 +71,14 @@
+ FROM $t_project_file_table pft
+ LEFT JOIN $t_project_table pt ON pft.project_id = pt.id
+ LEFT JOIN $t_project_user_list_table pult
+- ON pft.project_id = pult.project_id AND pult.user_id = $t_user_id
+- LEFT JOIN $t_user_table ut ON ut.id = $t_user_id
++ ON pft.project_id = pult.project_id AND pult.user_id = " . db_param() . "
++ LEFT JOIN $t_user_table ut ON ut.id = " . db_param() . "
+ WHERE pft.project_id in (" . implode( ',', $t_projects ) . ") AND
+- ( ( ( pt.view_state = $t_pub OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
+- ( ( pult.user_id = $t_user_id ) AND ( pult.access_level $t_access_clause ) ) OR
+- ( ut.access_level >= $t_admin ) )
++ ( ( ( pt.view_state = " . db_param() . " OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
++ ( ( pult.user_id = " . db_param() . " ) AND ( pult.access_level $t_access_clause ) ) OR
++ ( ut.access_level >= " . db_param() . " ) )
+ ORDER BY pt.name ASC, pft.title ASC";
+- $result = db_query( $query );
++ $result = db_query_bound( $query, array( $t_user_id, $t_user_id, $t_pub, $t_user_id, $t_admin ) );
+ $num_files = db_num_rows( $result );
+ 
+ html_page_top( lang_get( 'docs_link' ) );
+--- mantis-1.2.11.orig/admin/db_stats.php
++++ mantis-1.2.11/admin/db_stats.php
+@@ -30,11 +30,11 @@ access_ensure_global_level( config_get_g
+ # --------------------
+ function helper_table_row_count( $p_table ) {
+ $t_table = $p_table;
+- $query = "SELECT COUNT(*) FROM $t_table";
+- $result = db_query_bound( $query );
+- $t_users = db_result( $result );
++ $t_query = "SELECT COUNT(*) FROM $t_table";
++ $t_result = db_query_bound( $t_query );
++ $t_count = db_result( $t_result );
+ 
+- return $t_users;
++ return $t_count;
+ }
+ 
+ # --------------------
+--- mantis-1.2.11.orig/plugins/MantisGraph/core/graph_api.php
++++ mantis-1.2.11/plugins/MantisGraph/core/graph_api.php
+@@ -583,11 +583,15 @@ function create_bug_enum_summary( $p_enu
+ $t_metrics = array();
+ $t_assoc_array = MantisEnum::getAssocArrayIndexedByValues( $p_enum_string );
+ 
++ if( !db_field_exists( $p_enum, $t_bug_table ) ) {
++ trigger_error( ERROR_DB_FIELD_NOT_FOUND, ERROR );
++ }
++
+ foreach ( $t_assoc_array as $t_value => $t_label ) {
+ $query = "SELECT COUNT(*)
+ FROM $t_bug_table
+- WHERE $p_enum='$t_value' $specific_where";
+- $result = db_query( $query );
++ WHERE $p_enum=" . db_param() . " $specific_where";
++ $result = db_query_bound( $query, array( $t_value ) );
+ $t_metrics[$t_label] = db_result( $result, 0 );
+ }
+ 
+@@ -605,15 +609,19 @@ function enum_bug_group( $p_enum_string,
+ $t_clo_val = config_get( 'bug_closed_status_threshold' );
+ $specific_where = " AND " . helper_project_specific_where( $t_project_id, $t_user_id );
+ 
++ if( !db_field_exists( $p_enum, $t_bug_table ) ) {
++ trigger_error( ERROR_DB_FIELD_NOT_FOUND, ERROR );
++ }
++
+ $t_array_indexed_by_enum_values = MantisEnum::getAssocArrayIndexedByValues( $p_enum_string );
+ $enum_count = count( $t_array_indexed_by_enum_values );
+ foreach ( $t_array_indexed_by_enum_values as $t_value => $t_label ) {
+ # Calculates the number of bugs opened and puts the results in a table
+ $query = "SELECT COUNT(*)
+ FROM $t_bug_table
+- WHERE $p_enum='$t_value' AND
+- status<'$t_res_val' $specific_where";
+- $result2 = db_query( $query );
++ WHERE $p_enum=" . db_param() . " AND
++ status<" . db_param() . " $specific_where";
++ $result2 = db_query( $query, array( $t_value, $t_res_val ) );
+ $t_metrics['open'][$t_label] = db_result( $result2, 0, 0 );
+ 
+ # Calculates the number of bugs closed and puts the results in a table
+@@ -627,10 +635,10 @@ function enum_bug_group( $p_enum_string,
+ # Calculates the number of bugs resolved and puts the results in a table
+ $query = "SELECT COUNT(*)
+ FROM $t_bug_table
+- WHERE $p_enum='$t_value' AND
+- status>='$t_res_val' AND
+- status<'$t_clo_val' $specific_where";
+- $result2 = db_query( $query );
++ WHERE $p_enum=" . db_param() . " AND
++ status>=" . db_param() . " AND
++ status<" . db_param() . " $specific_where";
++ $result2 = db_query_bound( $query, array( $t_value, $t_res_val, $t_clo_val ) );
+ $t_metrics['resolved'][$t_label] = db_result( $result2, 0, 0 );
+ }
+ 
+@@ -818,12 +826,12 @@ function create_cumulative_bydate() {
+ FROM $t_bug_table LEFT JOIN $t_history_table
+ ON $t_bug_table.id = $t_history_table.bug_id
+ WHERE $specific_where
+- AND $t_bug_table.status >= '$t_res_val'
+- AND ( ( $t_history_table.new_value >= '$t_res_val'
++ AND $t_bug_table.status >= " . db_param() . "
++ AND ( ( $t_history_table.new_value >= " . db_param() . "
+ AND $t_history_table.field_name = 'status' )
+ OR $t_history_table.id is NULL )
+ ORDER BY $t_bug_table.id, date_modified ASC";
+- $result = db_query( $query );
++ $result = db_query( $query, array( $t_res_val, $t_res_val ) );
+ $bug_count = db_num_rows( $result );
+ 
+ $t_last_id = 0;
+--- mantis-1.2.11.orig/plugins/MantisGraph/pages/bug_graph_bycategory.php
++++ mantis-1.2.11/plugins/MantisGraph/pages/bug_graph_bycategory.php
+@@ -105,9 +105,9 @@
+ ' WHERE bug_id in ('.implode(',', $t_bug).') and '.
+ '( (type='.NORMAL_TYPE.' and field_name=\'category\') or '.
+ '(type='.NORMAL_TYPE.' and field_name=\'status\') or type='.NEW_BUG.' ) and '.
+- 'date_modified >= \''. $t_start .'\''.
++ 'date_modified >= ' . db_param() .
+ ' order by date_modified DESC';
+- $t_result = db_query( $t_select );
++ $t_result = db_query_bound( $t_select, array( $t_start ) );
+ $row = db_fetch_array( $t_result );
+ 
+ for ($t_now = time() - $t_incr; $t_now >= $t_start; $t_now -= $t_incr) {
+--- mantis-1.2.11.orig/plugins/MantisGraph/pages/bug_graph_bystatus.php
++++ mantis-1.2.11/plugins/MantisGraph/pages/bug_graph_bystatus.php
+@@ -101,9 +101,9 @@
+ $t_select = 'SELECT bug_id, type, old_value, new_value, date_modified FROM '.$t_bug_hist_table.
+ ' WHERE bug_id in ('.implode(',', $t_bug).
+ ') and ( (type='.NORMAL_TYPE.' and field_name=\'status\')
+- or type='.NEW_BUG.' ) and date_modified >= \''. $t_start .'\''.
++ or type='.NEW_BUG.' ) and date_modified >= ' . db_param() .
+ ' order by date_modified DESC';
+- $t_result = db_query( $t_select );
++ $t_result = db_query_bound( $t_select, array( $t_start ) );
+ $t_row = db_fetch_array( $t_result );
+ 
+ for ($t_now = time() - $t_incr; $t_now >= $t_start; $t_now -= $t_incr) {
+--- mantis-1.2.11.orig/core/summary_api.php
++++ mantis-1.2.11/core/summary_api.php
+@@ -58,7 +58,7 @@ function summary_print_by_enum( $p_enum
+ WHERE $t_project_filter
+ GROUP BY $p_enum $t_status_query
+ ORDER BY $p_enum $t_status_query";
+- $result = db_query( $query );
++ $result = db_query_bound( $query );
+ 
+ $t_last_value = -1;
+ $t_bugs_open = 0;
+@@ -355,10 +355,10 @@ function summary_print_by_age() {
+ return;
+ }
+ $query = "SELECT * FROM $t_mantis_bug_table
+- WHERE status < $t_resolved
++ WHERE status < " . db_param() . "
+ AND $specific_where
+ ORDER BY date_submitted ASC, priority DESC";
+- $result = db_query( $query );
++ $result = db_query_bound( $query, array( $t_resolved ) );
+ 
+ $t_count = 0;
+ $t_private_bug_threshold = config_get( 'private_bug_threshold' );
+@@ -404,7 +404,7 @@ function summary_print_by_developer() {
+ WHERE handler_id>0 AND $specific_where
+ GROUP BY handler_id, status
+ ORDER BY handler_id, status";
+- $result = db_query( $query );
++ $result = db_query_bound( $query );
+ 
+ $t_last_handler = -1;
+ $t_bugs_open = 0;
+@@ -505,7 +505,7 @@ function summary_print_by_reporter() {
+ WHERE $specific_where
+ GROUP BY reporter_id
+ ORDER BY num DESC";
+- $result = db_query( $query, $t_reporter_summary_limit );
++ $result = db_query_bound( $query, null, $t_reporter_summary_limit );
+ 
+ $t_reporters = array();
+ while( $row = db_fetch_array( $result ) ) {
+@@ -517,11 +517,11 @@ function summary_print_by_reporter() {
+ foreach( $t_reporters as $t_reporter ) {
+ $v_reporter_id = $t_reporter;
+ $query = "SELECT COUNT(id) as bugcount, status FROM $t_mantis_bug_table
+- WHERE reporter_id=$v_reporter_id
++ WHERE reporter_id=" . db_param() . "
+ AND $specific_where
+ GROUP BY status
+ ORDER BY status";
+- $result2 = db_query( $query );
++ $result2 = db_query_bound( $query, array( $v_reporter_id ) );
+ 
+ $last_reporter = -1;
+ $t_bugs_open = 0;
+@@ -589,7 +589,7 @@ function summary_print_by_category() {
+ GROUP BY $t_project_query category_id, c.name, b.status
+ ORDER BY $t_project_query category_id, c.name, b.status";
+ 
+- $result = db_query( $query );
++ $result = db_query_bound( $query );
+ 
+ $last_category_name = -1;
+ $last_category_id = -1;
+--- mantis-1.2.11.orig/core/news_api.php
++++ mantis-1.2.11/core/news_api.php
+@@ -204,9 +204,11 @@ function news_get_rows( $p_project_id, $
+ 
+ if( 1 == count( $t_projects ) ) {
+ $c_project_id = $t_projects[0];
+- $query .= " WHERE project_id='$c_project_id'";
++ $query .= " WHERE project_id=" . db_params();
++ $t_params = array( $c_project_id );
+ } else {
+ $query .= ' WHERE project_id IN (' . join( $t_projects, ',' ) . ')';
++ $t_params = null;
+ }
+ 
+ $query .= " ORDER BY date_posted DESC";
+@@ -272,7 +274,7 @@ function news_get_limited_rows( $p_offse
+ }
+ 
+ $query .= ' ORDER BY announcement DESC, id DESC';
+- $result = db_query( $query, $t_news_view_limit, $c_offset );
++ $result = db_query_bound( $query, $t_params, $t_news_view_limit, $c_offset );
+ break;
+ case 1:
+ 
+@@ -323,4 +325,4 @@ function news_ensure_enabled() {
+ if ( !news_is_enabled() ) {
+ access_denied();
+ }
+-}
+\ No newline at end of file
++}
+--- mantis-1.2.11.orig/api/soap/mc_project_api.php
++++ mantis-1.2.11/api/soap/mc_project_api.php
+@@ -593,14 +593,14 @@ function mc_project_get_attachments( $p_
+ FROM $t_project_file_table pft
+ LEFT JOIN $t_project_table pt ON pft.project_id = pt.id
+ LEFT JOIN $t_project_user_list_table pult
+- ON pft.project_id = pult.project_id AND pult.user_id = $t_user_id
+- LEFT JOIN $t_user_table ut ON ut.id = $t_user_id
++ ON pft.project_id = pult.project_id AND pult.user_id = " . db_param() . "
++ LEFT JOIN $t_user_table ut ON ut.id = " . db_param() . "
+ WHERE pft.project_id in (" . implode( ',', $t_projects ) . ") AND
+- ( ( ( pt.view_state = $t_pub OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
+- ( ( pult.user_id = $t_user_id ) AND ( pult.access_level $t_access_clause ) ) OR
+- ( ut.access_level = $t_admin ) )
++ ( ( ( pt.view_state = " . db_param() . " OR pt.view_state is null ) AND pult.user_id is null AND ut.access_level $t_access_clause ) OR
++ ( ( pult.user_id = " . db_param() . " ) AND ( pult.access_level $t_access_clause ) ) OR
++ ( ut.access_level = " . db_param() . " ) )
+ ORDER BY pt.name ASC, pft.title ASC";
+- $result = db_query( $query );
++ $result = db_query_bound( $query, array( $t_user_id, $t_user_id, $t_pub, $t_user_id, $t_admin ) );
+ $num_files = db_num_rows( $result );
+ 
+ $t_result = array();
diff --git a/source/network-extra/mantis/FrugalBuild b/source/network-extra/mantis/FrugalBuild
index f8abb3c..13459cf 100644
--- a/source/network-extra/mantis/FrugalBuild
+++ b/source/network-extra/mantis/FrugalBuild
@@ -3,7 +3,7 @@
 pkgname=mantis
 pkgver=1.2.8
-pkgrel=1
+pkgrel=2arcturus1
 pkgdesc="a free popular web-based bugtracking system"
 rodepends=('php>=4.0.6' 'mysql>=3.23.2')
 groups=('network-extra')
@@ -16,6 +16,17 @@ up2date="lynx -dump http://www.mantisbt.org/ | grep 'latest stable' | sed 's/.*]
 source=($source strings_hungarian.txt email_padding.patch README.Frugalware)
 options=('stick')
 backup=('var/www/mantis/config_inc.php')
+sha1sums=('6cff6fd7d709e25c620c9717d6bf079ce52b73c5' \
+ 'e316589c6f369eeeb8a937f4b849aed3c9c73fee' \
+ 'c8a65e327a828a702623ea917277ef55c92cdaa8' \
+ 'd62d9493d254e33f8ec793a50ed3d3742e7b8110')
+
+# FSA fix ***
+source=(${source[@]} CVE-2014-1608.patch CVE-2014-1609.patch)
+sha1sums=(${sha1sums[@]} 'f89a1245b0883e0cd8a35f3d50f7e5f6442bd263' \
+ '1e6ab8ddc7072be1e897ab5893be6af5ac96a334')
+# ***********
+
 build() {
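Review bot: Two call sites in the graph_api.php part of CVE-2014-1609.patch switch the SQL to `db_param()` placeholders but keep `db_query()` instead of `db_query_bound()`: the open-bug count in enum_bug_group (`$result2 = db_query( $query, array( $t_value, $t_res_val ) );`) and the history join in create_cumulative_bydate (`$result = db_query( $query, array( $t_res_val, $t_res_val ) );`). The summary_api.php and news_api.php hunks of the same patch show that db_query's second argument is a row limit (`db_query( $query, $t_reporter_summary_limit )`, `db_query( $query, $t_news_view_limit, $c_offset )`), so the array is never bound and the statement is sent with dangling placeholders; both lines should call `db_query_bound( ... )` as every other hunk in this patch does. In the news_api.php hunk, `$query .= " WHERE project_id=" . db_params();` uses `db_params()` where every other hunk uses `db_param()`, so unless a plural helper exists the single-project branch of news_get_rows fails with an undefined function. The two news_api.php hunks also sit in different functions by their headers (news_get_rows at 204, news_get_limited_rows at 274), so `$t_params` is assigned in one and consumed in the other; the call that executes news_get_rows' query is outside the hunk and would need the same array passed to it, and `$t_params` in news_get_limited_rows appears to have no local definition.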
@@ -35,7 +46,4 @@ build()
 chown nobody:nobody $Fdestdir/var/www/$pkgname -R
 }
-sha1sums=('6cff6fd7d709e25c620c9717d6bf079ce52b73c5' \
- 'e316589c6f369eeeb8a937f4b849aed3c9c73fee' \
- 'c8a65e327a828a702623ea917277ef55c92cdaa8' \
- 'd62d9493d254e33f8ec793a50ed3d3742e7b8110')
+
_______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git