tags 669924 patch thanks Hi,
Attached you'll find a possible patch for CVE-2012-1118. Description: Fix for CVE-2012-1118: Array value for $g_private_bug_threshold configuration option allows bypass of access Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=10124 Bug-Debian: http://bugs.debian.org/669924 Origin: http://github.com/mantisbt/mantisbt/commit/eb803ed02105fc919cf5f789e939f2b824162927 http://github.com/mantisbt/mantisbt/commit/ae8be028a5c948e54c99a8db0a0cc4cedd9078a9 Last-Update: 2012-04-21 Note: Needs some testing! Regards, -- Dario Minnucci <[email protected]> Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000 Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
Description: Fix for CVE-2012-1118: Array value for $g_private_bug_threshold configuration
option allows bypass of access
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=10124
Bug-Debian: http://bugs.debian.org/669924
Origin: http://github.com/mantisbt/mantisbt/commit/eb803ed02105fc919cf5f789e939f2b824162927
http://github.com/mantisbt/mantisbt/commit/ae8be028a5c948e54c99a8db0a0cc4cedd9078a9
Last-Update: 2012-04-21
Index: mantis/core/access_api.php
===================================================================
--- mantis.orig/core/access_api.php 2012-04-22 00:27:18.272564983 +0200
+++ mantis/core/access_api.php 2012-04-22 00:29:52.498261469 +0200
@@ -330,32 +330,32 @@
# This function looks up the bug's project and performs an access check
# against that project
function access_has_bug_level( $p_access_level, $p_bug_id, $p_user_id = null ) {
+ if( $p_user_id === null ) {
+ $p_user_id = auth_get_current_user_id();
+ }
+
# Deal with not logged in silently in this case
# @@@ we may be able to remove this and just error
# and once we default to anon login, we can remove it for sure
- if ( !auth_is_user_authenticated() ) {
+ if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
return false;
}
- if ( $p_user_id === null ) {
- $p_user_id = auth_get_current_user_id();
- }
-
$t_project_id = bug_get_field( $p_bug_id, 'project_id' );
+
# check limit_Reporter (Issue #4769)
# reporters can view just issues they reported
$t_limit_reporters = config_get( 'limit_reporters' );
- if ( ( ON === $t_limit_reporters ) &&
- ( !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) &&
- ( !access_has_project_level( REPORTER + 1, $t_project_id, $p_user_id ) ) ) {
- return false;
+ if(( ON === $t_limit_reporters ) && ( !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) && ( !access_has_project_level( REPORTER + 1, $t_project_id, $p_user_id ) ) ) {
+ return false;
}
- # If the bug is private and the user is not the reporter, then the
- # the user must also have higher access than private_bug_threshold
- if ( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) &&
- !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) {
- $p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) );
+ # If the bug is private and the user is not the reporter, then
+ # they must also have higher access than private_bug_threshold
+ if( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) && !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) {
+ $t_access_level = access_get_project_level( $t_project_id, $p_user_id );
+ return access_compare_level( $t_access_level, config_get( 'private_bug_threshold' ) )
+ && access_compare_level( $t_access_level, $p_access_level );
}
return access_has_project_level( $p_access_level, $t_project_id, $p_user_id );
signature.asc
Description: OpenPGP digital signature

