FS#42761 - [mantisbt] CVE-2014-8598, CVE-2014-7146: arbitrary code execution with unrestricted access
Attached to Project:
Community Packages
Opened by Levente Polyak (anthraxx) - Wednesday, 12 November 2014, 12:12 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 12 November 2014, 15:04 GMT
Details
Sorry for another backport request for mantisbt, but it's kind of critical :-)

Summary:
It has been reported [0][1] that mantisbt 1.2.17-3 is vulnerable to an unrestricted access and remote arbitrary code execution tracked as CVE-2014-8598 [2] and CVE-2014-7146 [3].

Description:
The XML Import/Export "official" plugin comes bundled with MantisBT releases. When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code.
Additionally, it does not perform any access level checks in the plugin, which leads to full information disclosure and, in combination with the first issue, to unauthenticated remote arbitrary code execution.

Mitigation:
The problem has been fixed upstream [4][5] but no release is available yet. We recommend backporting the patch until a release is available; the order should be CVE-2014-8598 (80a15487), CVE-2014-7146 (bed19db9).

[0] http://www.openwall.com/lists/oss-security/2014/11/07/27
[1] http://www.openwall.com/lists/oss-security/2014/11/07/28
[2] https://access.redhat.com/security/cve/CVE-2014-8598
[3] https://access.redhat.com/security/cve/CVE-2014-7146
[4] https://github.com/mantisbt/mantisbt/commit/80a15487
[5] https://github.com/mantisbt/mantisbt/commit/bed19db9
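
An audit check for the bug class described in the report, added here as an example and not part of the original ticket or of MantisBT: it scans PHP source for preg_replace() calls whose literal pattern carries the 'e' modifier, which is useful for confirming that a backport left none behind. The function names and the PHP sample are constructed for illustration; patterns built at runtime are not covered and need manual review.

```python
import re

# Constructed PHP sample for this example; the patterns are illustrative, not MantisBT code.
SAMPLE = r'''<?php
// constructed sample
$a = preg_replace('/(^|[^\w])#(\d+)\b/e', 'make_link("\\2")', $text);
$b = preg_replace("~\[(\d+)\]~ie", 'lookup("\\1")', $text);
$c = preg_replace('/e+/i', 'x', $text);
$d = preg_replace_callback('/#(\d+)\b/', $fn, $text);
$e = preg_replace($pattern, $repl, $text);
'''

# preg_replace( followed by a quoted string literal as the first argument.
# preg_replace_callback( does not match because "(" must follow the name.
CALL_RE = re.compile(
    r"""\bpreg_replace\s*\(\s*(?P<q>['"])(?P<pat>(?:\\.|(?!(?P=q)).)*)(?P=q)""",
    re.S,
)
# PCRE allows bracket-style delimiters; the closing one differs from the opener.
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def pcre_modifiers(pattern):
    """Return the modifier letters after the closing delimiter, or None."""
    if not pattern:
        return None
    opener = pattern[0]
    if opener.isalnum() or opener.isspace() or opener == "\\":
        return None  # not a valid PCRE delimiter
    end = pattern.rfind(CLOSERS.get(opener, opener))
    if end <= 0:
        return None  # no closing delimiter found
    mods = pattern[end + 1:]
    return mods if mods == "" or mods.isalpha() else None


def find_eval_modifier(source):
    """Return (line_number, pattern) for each literal pattern using 'e'."""
    hits = []
    for m in CALL_RE.finditer(source):
        mods = pcre_modifiers(m.group("pat"))
        if mods and "e" in mods:
            hits.append((source.count("\n", 0, m.start()) + 1, m.group("pat")))
    return hits


if __name__ == "__main__":
    for line, pat in find_eval_modifier(SAMPLE):
        print(f"line {line}: eval modifier in {pat}")
```

Each hit is a call site to convert to preg_replace_callback(), where the replacement is computed by a function instead of evaluated as code.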
Closed by Maxime Gauduin (Alucryd)
Wednesday, 12 November 2014, 15:04 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.17-4
Comment by Maxime Gauduin (Alucryd) - Wednesday, 12 November 2014, 15:04 GMT
No problem, thanks again for the report!