~ubuntu-branches/ubuntu/natty/mantis/natty-security


Viewing changes to debian/patches/CVE-2012-1122.diff

  • Committer: Package Import Robot
  • Author(s): Jamie Strandboge
  • Date: 2012-06-29 07:28:16 UTC
  • mfrom: (7.1.11 squeeze)
  • Revision ID: package-import@ubuntu.com-20120629072816-1rwdgapquo4k5uyg
Tags: 1.1.8+dfsg-10squeeze2build0.11.04.1
fake sync from Debian

 
1
Description: Fix for CVE-2012-1122: Incorrect access checks performed when moving bugs between projects 
 
2
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13748 
 
3
Bug-Debian: http://bugs.debian.org/669927
 
4
Origin: https://github.com/mantisbt/mantisbt/commit/64af3ef8c0b43bd007664d84e0177716daac4a84
 
5
Last-Update: 2012-04-21
 
6
Index: mantis/bug_actiongroup.php
 
7
===================================================================
 
8
--- mantis.orig/bug_actiongroup.php     2012-04-21 22:16:58.760666308 +0200
 
9
+++ mantis/bug_actiongroup.php  2012-04-21 22:20:42.921354198 +0200
 
10
@@ -96,7 +96,8 @@
 
11
                        break;
 
12
 
 
13
                case 'MOVE':
 
14
-                       if ( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) ) {
 
15
+                       if( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) &&
 
16
+                               access_has_project_level( config_get( 'report_bug_threshold', null, null, $f_project_id ), $f_project_id ) ) {
 
17
                                # @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) );
 
18
                                $f_project_id = gpc_get_int( 'project_id' );
 
19
                                bug_set_field( $t_bug_id, 'project_id', $f_project_id );
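Review bot: The added `access_has_project_level( ..., $f_project_id )` test in the `MOVE` condition reads `$f_project_id` before the only assignment visible in this hunk, `$f_project_id = gpc_get_int( 'project_id' );`, which sits inside the `if` body. Unless the variable is already set earlier in bug_actiongroup.php (not visible here), the destination-project check runs against an unset or stale value rather than the project named in the request, so the access check this patch adds for CVE-2012-1122 may not be applied to the actual target. Moving `$f_project_id = gpc_get_int( 'project_id' );` to directly after `case 'MOVE':`, ahead of the `if(`, would tie the check to the requested project. A short comment on the condition stating that both the bug-level move threshold and the destination project's report threshold are required would also help. The `case` body continues past the end of the hunk.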