Bug 830737 (CVE-2012-2692)

Summary: CVE-2012-2692 mantis: delete_attachments_threshold permission not checked when a user attempted to delete an attachment from an issue
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: extras-orphan, giallu, guillaume, sven
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120609,reported=20120609,source=oss-security,cvss2=4.0/AV:N/AC:L/Au:S/C:N/I:P/A:N,fedora-all/mantis=affected,epel-5/mantis=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-15 00:18:36 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 800667, 830741    
Bug Blocks:    

Description Jan Lieskovsky 2012-06-11 06:19:07 EDT
From the CVE request [2]:

Roland Becker (MantisBT developer) found that the delete_attachments_threshold permission was not being checked when a user attempted to delete an attachment from an issue. The more generic update_bug_threshold permission was being checked instead. MantisBT administrators may have been under the false impression that their configuration of the delete_attachments_threshold was successfully preventing unwanted users from deleting attachments.

References:
[1] http://www.mantisbt.org/bugs/view.php?id=14016
[2] http://www.openwall.com/lists/oss-security/2012/06/09/1
[3] https://bugs.gentoo.org/show_bug.cgi?id=420375

Upstream patches (against the v1.2.x branch) seems to be the
following three:
[4] https://github.com/mantisbt/mantisbt/commit/ceafe6f0c679411b81368052633a63dd3ca06d9c
[5] https://github.com/mantisbt/mantisbt/commit/628e93708fa7e35e751fd23863d207423a25c408
[6] https://github.com/mantisbt/mantisbt/commit/c9314184f541f0e3e3b91b3533104e50292c3e68
Comment 1 Jan Lieskovsky 2012-06-11 06:25:50 EDT
This issue affects the versions of the mantis package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update.

--

This issue affects the version of the mantis package, as shipped with Fedora EPEL 5. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-06-11 06:28:39 EDT
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 830741]
Affects: epel-5 [bug 830742]
Comment 3 Jan Lieskovsky 2012-06-12 04:00:03 EDT
The CVE identifier of CVE-2012-2692 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/06/11/6
Comment 4 Fedora Update System 2012-11-23 02:55:58 EST
mantis-1.2.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-11-23 22:24:17 EST
mantis-1.2.12-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-11-23 22:25:19 EST
mantis-1.2.12-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2013-03-15 00:18:36 EDT
EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned.  As a result I'm closing this bug as this issue is fixed in Fedora.  The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed.