Bug 830735 (CVE-2012-2691)

Summary: CVE-2012-2691 mantis: Reporters able to edit arbitrary bugnotes via SOAP API
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bazanluis20, extras-orphan, giallu, guillaume, sven
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-15 04:19:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 800667, 830741    
Bug Blocks:    

Description Jan Lieskovsky 2012-06-11 10:18:08 UTC 
From the CVE request [2]:

Roland Becker and Damien Regad (MantisBT developers) found that any user able to report issues via the SOAP interface could also modify any bugnotes (comments) created by other users. In a default/typical MantisBT installation, SOAP API is enabled and any user can sign up to report new issues. This vulnerability therefore impacts upon many public facing MantisBT installations.

References:
[1] http://www.mantisbt.org/bugs/view.php?id=14340
[2] http://www.openwall.com/lists/oss-security/2012/06/09/1
[3] https://bugs.gentoo.org/show_bug.cgi?id=420375

Upstream patches (against the v1.2.x branch) seems to be the
following two:
[4] https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e
[5] https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0
Comment 1 Jan Lieskovsky 2012-06-11 10:19:33 UTC 
This issue affects the versions of the mantis package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-06-11 10:24:42 UTC 
Gianluca,

  I am not completely sure, the version of mantis package, as shipped with Fedora EPEL 5 is affected by this issue. From the upstream patches, relevant changes are touching mc_issue_note_update() routine, while that one doesn't seem to be available yet in mantis-1.1.8 version, as shipped with Fedora EPEL 5 (there are only mc_issue_note_add(), mc_issue_note_delete(), and mc_issue_update() ones [but 'note' is missing in the last one]).

  But to be sure, could you please have a double-checking look at the proposed patch and situation in EPEL 5 version, and schedule a fix if necessary for EPEL 5 too (I am going to create a bug for this version too, since it's affected by the second bug 830737), so we would not miss something?

Thank you, Jan.
Comment 3 Jan Lieskovsky 2012-06-11 10:27:55 UTC 
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 830741]
Affects: epel-5 [bug 830742]
Comment 4 Jan Lieskovsky 2012-06-12 07:59:14 UTC 
The CVE identifier of CVE-2012-2691 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/06/11/6
Comment 5 Fedora Update System 2012-11-23 07:55:50 UTC 
mantis-1.2.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-11-24 03:24:08 UTC 
mantis-1.2.12-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-11-24 03:25:12 UTC 
mantis-1.2.12-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Vincent Danen 2013-03-15 04:19:22 UTC 
EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned.  As a result I'm closing this bug as this issue is fixed in Fedora.  The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed.