198446 CVE-2007-5934 2007-11-08 11:36 0000 dev-php/PEAR-MDB2 < 2.5.0_alpha1 - dangerous coding in blob url handling (CVE-2007-5934) 2008-03-06 09:47:47 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://pear.php.net/bugs/bug.php?id=10024 B3 [glsa] P2 minor --- 1 jakub@gentoo.org security@gentoo.org php-bugs@gentoo.org jakub@gentoo.org 2007-11-08 11:36:17 0000 From the upstream bug: <snip> Description: ------------ When inserting a blob and the value turns out to be a URL, MDB2 will replace the value with a handle to the URL and the driver will fetch the URL and put its contents into the blob field instead of the URL itself literally. A programmer using MDB2 could easily make a textarea as an input to a blob field. but if he was unaware of the situation (and LOB handling is currently not very well documented), a visitor could input a URL and the application will fetch the URL instead of storing the literal URL itself. and the URL here could be something not normally accessible to the public (when the web server is on DMZ, it could have access to a resource behind the firewall). or worse, it looks like it also accepts file:/ URLs. he could input something like file:///etc/passwd or file:///etc/my.cnf and the server will happily get it for him. <snip> This is fixed in 2.5.0_alpha1 (added an option to turn lob_allow_url_include off by default) jakub@gentoo.org 2007-11-08 16:43:25 0000 InCVS now; and since the current stable deps won't work w/ the new dev-php/PEAR-MDB2... Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86 dev-php/PEAR-MDB2-2.5.0_alpha1 dev-php/PEAR-MDB2_Driver_mssql-1.3.0_alpha1 dev-php/PEAR-MDB2_Driver_mysql-1.5.0_alpha1 dev-php/PEAR-MDB2_Driver_mysqli-1.5.0_alpha1 dev-php/PEAR-MDB2_Driver_pgsql-1.5.0_alpha1 dev-php/PEAR-MDB2_Driver_sqlite-1.5.0_alpha1 Target keywords: amd64 x86 dev-php/PEAR-MDB2_Driver_oci8-1.5.0_alpha1 Enjoy! ;) rbu@gentoo.org 2007-11-08 17:01:44 0000 Thanks, Jakub. corsair@gentoo.org 2007-11-08 20:29:45 0000 ppc64 stable armin76@gentoo.org 2007-11-09 17:20:37 0000 alpha/ia64/sparc/x86 stable jer@gentoo.org 2007-11-10 16:14:36 0000 Stable for HPPA. beandog@gentoo.org 2007-11-14 19:06:06 0000 amd64 stable dertobi123@gentoo.org 2007-11-18 18:01:34 0000 ppc stable py@gentoo.org 2007-11-19 22:06:17 0000 It's information leak, but leaking the whole /etc/passwd is not nice, so voting yes. rbu@gentoo.org 2007-12-02 12:32:32 0000 voting YES too, request filed. py@gentoo.org 2007-12-09 21:14:17 0000 GLSA 200712-05 pva@gentoo.org 2008-03-06 09:47:47 0000 Does not affect current (2008.0) release. Removing release.