On Mon, 2005-10-31 at 17:22 +0100, Moritz Muehlenhoff wrote:
> It's hard to tell whether it's the same issue, as #5959 is non-public, but at
> least there are two different CVE mappings. (CVE-2005-2557 and CVE-2005-3337).
> But it might very well be that the CVE description is wrong, as all these
> mantis
> issues are really confusing.
> So #5959 probably refers to this hunk from the interdiff from the latest
> mantis
> DSA. (I'm not 100% sure as #6002 is non-public as well and I don't know the
> mantis code in detail):
>
> --- mantis-0.19.2.orig/bug_actiongroup_page.php
> +++ mantis-0.19.2/bug_actiongroup_page.php
> @@ -114,7 +114,7 @@
> foreach( $f_bug_arr as $t_bug_id ) {
> $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
> $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td>
> </tr>\n"
> - , get_status_color( bug_get_field( $t_bug_id, 'status' ) ),
> string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
> + , get_status_color( bug_get_field( $t_bug_id, 'status' ) ),
> string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id,
> 'summary' ))
> );
> echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '"
> />' . "\n";
> }
>
> This would mean that they didn't pull over this security fix into 0.19.3 and
> in fact it
> is unfixed in sid's 0.19.3 package as well.

This actually _is_ fixed in sid, but upstream fixed it differently from the
previous Debian fix: instead of htmlentities() they used string_attribute()
there which essentially does a htmlspecialchars().

> The other XSS issues from the DSA are fixed in the sid version.
> This hunk from the mantis DSA (#5956 and again non-public, CVE-2005-2556) is
> also unfixed
> in sid (or has an alternate fix been applied?)
>
> diff -u mantis-0.19.2/core/database_api.php
> mantis-0.19.2/core/database_api.php
> --- mantis-0.19.2/core/database_api.php
> +++ mantis-0.19.2/core/database_api.php
> @@ -6,9 +6,16 @@
>
> + #
> + # Patch for #0005956: Database system scanner via variable poisoning
> + #
> +
> + if (isset($_REQUEST["g_db_type"]))
> + die("");
> +
> ### Database ###

I don't know why you think this patch is not applied in sid, since this code is
exactly in the sid version, including that comment with the bug number.

Concluding, I think current sid covers all of the previous DSA.

regards,
Thijs
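Review bot: in the bug_actiongroup_page.php hunk, the `+` line escapes only the summary, while the unchanged context line `echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '"` still concatenates $t_bug_id, which comes from $f_bug_arr (request input), into an attribute with no escaping or type check; cast it to int, or pass it through the same escaping, before the echo. The call `htmlentities(bug_get_field( $t_bug_id, 'summary' ))` also names no charset, so on PHP builds that default to ISO-8859-1 a UTF-8 summary is re-encoded byte by byte; htmlspecialchars() with an explicit charset and ENT_QUOTES, which is what the reply says string_attribute() amounts to, is the narrower call and does not have that problem.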
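Review bot: in the database_api.php hunk, `if (isset($_REQUEST["g_db_type"]))` rejects a single request key, although the comment on the `+` line above it describes the problem as variable poisoning in general; a check on one name is easy to get around for any other configuration variable reachable the same way, so the guard belongs on the mechanism that lets request parameters overwrite configuration (an allowlist of names that may be imported) rather than on one key. `die("")` also answers with an empty page and no record of the attempt; returning an error status and logging the rejected parameter would make probing visible to the operator.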
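As an added illustration (not code from Mantis, nor from either message above), the row-building loop from the quoted bug_actiongroup_page.php hunk is rewritten below so that every request-derived value is escaped or type-checked before it reaches the HTML, using the htmlspecialchars() approach the reply says upstream settled on. The function names render_bug_rows() and h(), and the sample data, are invented for this example; h() stands in for Mantis's string_attribute().

```php
<?php
// Added example, not Mantis code. Escapes both the bug summary and the bug id
// from the quoted hunk, and shows why an explicit charset matters.

// Escape a string for use as HTML text or inside a quoted attribute.
// ENT_QUOTES covers both quote characters; naming the charset avoids the
// ISO-8859-1 default of older PHP releases, where htmlentities() on UTF-8
// input turns accented characters into garbage instead of readable text.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// $bugs is a list of array(id, status colour, summary). The id originates
// from the request (bug_arr[]), so it is treated as untrusted like the summary.
function render_bug_rows(array $bugs) {
    $rows = '';
    $i = 0;
    foreach ($bugs as $bug) {
        list($id, $color, $summary) = $bug;
        if (!preg_match('/^[0-9]+$/', (string) $id)) {
            continue;   // bug ids are integers; drop anything else instead of echoing it
        }
        $id = (int) $id;
        $class = sprintf('row-%d', ($i++ % 2) + 1);
        $rows .= sprintf("<tr class=\"%s\" bgcolor=\"%s\"> <td>%d</td> <td>%s</td> </tr>\n",
                         $class, h($color), $id, h($summary));
        // The id is now a plain integer, so it is safe inside the attribute.
        $rows .= '<input type="hidden" name="bug_arr[]" value="' . $id . '" />' . "\n";
    }
    return $rows;
}

// Constructed sample input: a benign summary, a summary carrying markup, an
// id that is not numeric, and a UTF-8 summary containing both quote styles.
$sample = array(
    array('12',     '#ffffff', 'Login page typo'),
    array('13',     '#ffcccc', '<script>alert(1)</script>'),
    array('14"><x', '#ffffff', 'id is not numeric, so this row is dropped'),
    array('15',     '#ffffff', "Accents: caf\xc3\xa9 \"double\" 'single'"),
);

echo render_bug_rows($sample);
// Bug 13's summary is emitted as &lt;script&gt;alert(1)&lt;/script&gt;, the
// third row is skipped entirely, and bug 15's summary keeps the "é" while the
// quotes become &quot; and &#039;.
```

The difference from the quoted Debian fix is that the bug id is validated as well as the summary, and that the escaping call states its charset; with htmlentities() and no charset, the fourth sample row is where the output would differ between PHP builds.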