Bug 198446 - dev-php/PEAR-MDB2 < 2.5.0_alpha1 - dangerous coding in blob url handling (CVE-2007-5934)
Bug#: 198446 (CVE-2007-5934) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jakub@gentoo.org
Component: Vulnerabilities
URL:  http://pear.php.net/bugs/bug.php?id=10024
Summary: dev-php/PEAR-MDB2 < 2.5.0_alpha1 - dangerous coding in blob url handling (CVE-2007-5934)
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2007-11-08 11:36 0000
Description:   Opened: 2007-11-08 11:36 0000 
From the upstream bug:

<snip>
Description:
------------

When inserting a blob and the value turns out to be a URL, MDB2 will replace
the value with a handle to the URL and the driver will fetch the URL and put
its contents into the blob field instead of the URL itself literally.

A programmer using MDB2 could easily make a textarea as an input to a blob
field. but if he was unaware of the situation (and LOB handling is currently
not very well documented), a visitor could input a URL and the application will
fetch the URL instead of storing the literal URL itself. and the URL here could
be something not normally accessible to the public (when the web server 
is on DMZ, it could have access to a resource behind the firewall).

or worse, it looks like it also accepts file:/ URLs. he could input something
like file:///etc/passwd or file:///etc/my.cnf and the server will happily get
it for him.
<snip>

This is fixed in 2.5.0_alpha1 (added an option to turn lob_allow_url_include
off by default)

------- Comment #1 From Jakub Moc (RETIRED) 2007-11-08 16:43:25 0000 ------- 
InCVS now; and since the current stable deps won't work w/ the new
dev-php/PEAR-MDB2...

Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
dev-php/PEAR-MDB2-2.5.0_alpha1
dev-php/PEAR-MDB2_Driver_mssql-1.3.0_alpha1
dev-php/PEAR-MDB2_Driver_mysql-1.5.0_alpha1
dev-php/PEAR-MDB2_Driver_mysqli-1.5.0_alpha1
dev-php/PEAR-MDB2_Driver_pgsql-1.5.0_alpha1
dev-php/PEAR-MDB2_Driver_sqlite-1.5.0_alpha1

Target keywords: amd64 x86
dev-php/PEAR-MDB2_Driver_oci8-1.5.0_alpha1

Enjoy! ;)

------- Comment #2 From Robert Buchholz 2007-11-08 17:01:44 0000 ------- 
Thanks, Jakub.

------- Comment #3 From Markus Rothe 2007-11-08 20:29:45 0000 ------- 
ppc64 stable

------- Comment #4 From Raúl Porcel 2007-11-09 17:20:37 0000 ------- 
alpha/ia64/sparc/x86 stable

------- Comment #5 From Jeroen Roovers 2007-11-10 16:14:36 0000 ------- 
Stable for HPPA.

------- Comment #6 From Steve Dibb 2007-11-14 19:06:06 0000 ------- 
amd64 stable

------- Comment #7 From Tobias Scherbaum 2007-11-18 18:01:34 0000 ------- 
ppc stable

------- Comment #8 From Pierre-Yves Rofes 2007-11-19 22:06:17 0000 ------- 
It's information leak, but leaking the whole /etc/passwd is not nice, so voting
yes.

------- Comment #9 From Robert Buchholz 2007-12-02 12:32:32 0000 ------- 
voting YES too, request filed.

------- Comment #10 From Pierre-Yves Rofes 2007-12-09 21:14:17 0000 ------- 
GLSA 200712-05

------- Comment #11 From Peter Volkov 2008-03-06 09:47:47 0000 ------- 
Does not affect current (2008.0) release. Removing release.