Re: CVE request: MantisBT text search query can crash site

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/21/2013 04:29 AM, Damien Regad wrote:
> Dear all,
>
> MantisBT user 'jjtest' discovered an issue [1] affecting MantisBT
> versions 1.2.12 to 1.2.14 included.
>
> Anybody having access to a MantisBT instance (including anonymous
> users on web-facing applications) may issue a search query on the
> View Issues page; if a filter combining some criteria and a text
> search with 'any condition' is applied, the generated SQL will
> results in a potentially huge cartesian product which, depending on
> the size of the underlying database, has the potential to bring
> down the site/db server as it runs out of resources.
>
> The root cause of this behavior is joining a table with a from
> clause and setting the join's criteria in the query's where clause,
> without taking consideration the operator's precedence (AND/OR).
>
> Full details about this issue can be found in our bugtracker [1].
>
> A patch for this issue is available [2] in the project's repository
> on Github, and will be included in MantisBT version 1.2.15, which
> we expect to release in a couple of weeks once testing is
> completed.
>
> References: [1] http://www.mantisbt.org/bugs/view.php?id=15573 [2]
> https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7
>
> Kindly assign a CVE ID for this issue.
>
> Damien Regad MantisBT developer 
> mailto:mantisbt-dev () lists sourceforge net 
> http://www.mantisbt.org/bugs/

Please use CVE-2013-1883 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRS/q6AAoJEBYNRVNeJnmTRsEQAMByzsXbSsbpHPMfIdVK8SXS
sfINVKfjOkin5BEr+jn13GXRIXQdJ1IzuzMkrIhXR+DBf3UrC0tRnWENcg5rNPVQ
uxT6DZEcfJYFheTzrenF6XkCQmEKrGA3BOw3l/5ov3HGY++Doizoghw3B1+IoPsv
yEWrwhvdH2lajBZa61pqtPDZGGOVrpi46um1py8zQt+HBaIdGcSWzkgzNubEsNPG
68Qn8Zycrzxaj04qtfTVI1iQ89he7Xq0TfsDRDiLbcte2sg9DhtMtqodBp9i/ZvM
tKxjyjFDyoA0w5/jwwCTZfW2hfYIZYhVEOS/wKU1BAV89J7GDS+gRmq55ASVsioY
FMtD3F8ZrD9SaIhCpHkBAEzltJYE0JIn7b074BTm0FXiwPF7I4u3C78aDv2L4NMJ
ttNyVrBJtwIyhG4i29un1f6CZljF/QYKJEKrKpYnZNCvdf05XOTv33ms7cTTjEdV
fkD7SGS8xXk19Z7/KZTqhWHHKZvoyxx55XUXUgt8oEaZfNfQ+FAyn1bqwL4XjfU9
chuu6x8O51fH2cinJyZkSE6GLSOTv5f4GxEexxXt8QcbQiv0USGICfLwqbTjIiF6
j4vFZdhXacE5wh+DVS3/xSCsy7T8KOdBLuAekhjnRfw5Khjq9XK5JKu+JPMyBlnR
V0HVrnr/J0J9jEKs8qPN
=jAJs
-----END PGP SIGNATURE-----