[php-maint] remaining security issues (was: Re: Bug#511493 closed by sean finney <seanius at debian.org> (Re: Bug#511493: CVE-2008-5557: buffer overflow))

sean finney seanius at debian.org
Thu Jan 15 06:34:31 UTC 2009


hiya,

On Wed, Jan 14, 2009 at 05:58:15PM -0600, Raphael Geissert wrote:
> > CVE-2008-5814: XSS vuln if display_errors = On
> >
> > i'll see if i can find a fix for this, which means a scavenger hunt through
> > upstream cvs :/.  seems a bit of a corner case but probably worth fixing.
> 
> If it was recently fixed, which I guess, I should be able to find
> something on the daily cvs reports. I haven't read any of them since I
> went on VAC, but should be able to read them all in a couple of hours.

the CVE (and the report on which the CVE is based) is very vague about
whether there is even a problem:

	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814

which says it might just be a duplicate for CVE-2006-0208:

	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0208

in which case only < 5.1.2 is affected.  just fyi so you don't waste
too much time chasing ghosts if nothing seems obvious.

> I do not have a strong opinion on this, but maybe it should not be
> considered as a security issue, just a normal bug; as it is up to the
> server settings whether it is possible to overwrite or write anything
> outside the path where the file was meant to be unpacked. If it can

i view it as an input sanitisation problem which should be handled by
the application.  my assumption was that the command line tools behaved
the same, though now looking at the behaviour of zip/untar, they strip
out any leading '..', so perhaps it's appropriate after all to have the
fix.

> BUT, if a patch is available and isn't very obtrusive then I see no
> reason not to fix it.

agreed, even more so after the above.

> Already said I'm going to read all the remaining cvs commit notifs to
> try to hunt down the bug fixes.

okay, happy hunting :)

Also, as you might have seen, the dba inifile issue has the patch that you
found committed in sid now too.  Steffen: will there be a CVE for it?


	sean
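One way an application can do the sanitisation sean describes above (rejecting archive entry names that could land outside the extraction directory) before handing the archive to PHP's ZipArchive. This is an added example, not code from the thread or from the Debian php package; the function names are assumptions of mine, and it rejects a '..' component anywhere in the name, not only a leading one.

```php
<?php
// Added example: extract a zip into $destDir while refusing entries whose
// names could escape it. The application does the check itself rather than
// relying on the archive library to strip '..' for it.

function isSafeEntryName(string $name): bool
{
    // Absolute paths (Unix or Windows style) are never acceptable.
    if ($name === '' || $name[0] === '/' || $name[0] === '\\'
        || preg_match('#^[A-Za-z]:#', $name)) {
        return false;
    }
    // Normalise separators, then reject any '..' component anywhere:
    // "foo/../../etc/passwd" is as bad as "../etc/passwd".
    foreach (explode('/', str_replace('\\', '/', $name)) as $part) {
        if ($part === '..') {
            return false;
        }
    }
    return true;
}

// Returns the list of entry names that were skipped as unsafe.
function safeExtract(string $zipPath, string $destDir): array
{
    $realDest = realpath($destDir);
    if ($realDest === false || !is_dir($realDest)) {
        throw new RuntimeException("destination directory missing: $destDir");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $skipped = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeEntryName($name)) {
            $skipped[] = $name;   // log or report; never extract it
            continue;
        }
        // Extract only this vetted entry into the checked destination.
        $zip->extractTo($realDest, $name);
    }
    $zip->close();
    return $skipped;
}

// Usage (paths are placeholders): print_r(safeExtract('upload.zip', '/var/tmp/unpack'));
```

Entries holding symlinks are a separate concern not covered by a name check alone; ZipArchive writes them as regular files, but an application extracting with other tools should verify that too.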