Bug#: 123832
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luca Longinotti <chtekk@gentoo.org>

Description:   Opened: 2006-02-23 09:31 0000
PEAR-Auth didn't correctly validate data passed to the DB and LDAP backend
containers; this was fixed in PEAR-Auth-1.2.4, which is now in the tree.
Please contact the archs about stabling dev-php/PEAR-Auth-1.2.4.
Best regards, CHTEKK.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-02-23 09:44:49 0000 -------
thx for bumping. Arches, please test and mark stable, thx in advance.

------- Comment #2 From Stefan Cornelius (RETIRED) 2006-02-23 09:50:33 0000 -------
forgot to actually CC arches, thx to CHTEKK for the heads-up ..

------- Comment #3 From Markus Rothe 2006-02-23 12:38:53 0000 -------
stable on ppc64

------- Comment #4 From Jason Wever (RETIRED) 2006-02-23 19:34:38 0000 -------
SPARC'd

------- Comment #5 From Mark Loeser 2006-02-24 22:35:52 0000 -------
While trying to test this, it looks like half of the dependencies for it aren't
even in the tree.  The only thing that seems to work is the DB stuff.  The
package.xml file says the dependencies are all optional, but we install all of
the files, so all of them should work.

   <dep type="pkg" rel="ge" version="0.9.5" optional="yes">File_Passwd</dep>
   <dep type="pkg" rel="ge" version="1.3" optional="yes">Net_POP3</dep>
   <dep type="pkg" rel="has" optional="yes">DB</dep>
   <dep type="pkg" rel="has" optional="yes">MDB</dep>
   <dep type="pkg" rel="has" optional="yes">Auth_RADIUS</dep>
   <dep type="pkg" rel="has" optional="yes">File_SMBPasswd</dep>

------- Comment #6 From Sebastian Bergmann (RETIRED) 2006-02-24 22:42:50 0000 -------
I'll add the dependencies to the tree.

------- Comment #7 From Sebastian Bergmann (RETIRED) 2006-02-24 23:33:51 0000 -------
dev-php/PEAR-MDB2, dev-php/PEAR-Crypt_CHAP, dev-php/PEAR-File_Passwd, and
PEAR-File_SMBPasswd are in the tree now.

I did not add dev-php/PEAR-Auth_RADIUS yet because that PEAR package depends on
a PECL extension that is not in the tree yet.

------- Comment #8 From Mark Loeser 2006-02-24 23:37:13 0000 -------
They still aren't dependencies of PEAR-Auth, and if the radius stuff isn't
going to work, you shouldn't install those files, in my opinion.

------- Comment #9 From Sebastian Bergmann (RETIRED) 2006-02-24 23:51:06 0000 -------
When a PEAR package marks one of its dependencies as optional it has to check
whether or not the optionally used package is installed and only expose the
functionality that depends on it if it is.

Or did you mean something else?

------- Comment #10 From Jeroen Roovers 2006-02-25 07:45:07 0000 -------
Marked hppa stable.

------- Comment #11 From Mark Loeser 2006-02-25 12:54:06 0000 -------
(In reply to comment #9)
> When a PEAR package marks one of its dependencies as optional it has to check
> whether or not the optionally used package is installed and only expose the
> functionality that depends on it if it is.

If I install the package right now, I can't use all of the features that come
with it since dependencies are missing.  I'm complaining about this because I'm
not sure how I ever marked it stable in its current state since most of it
doesn't seem to work.  I guess it is not a regression, so I'll mark it stable,
but I'd like to see this problem addressed in the near future.

------- Comment #12 From Simon Stelling (RETIRED) 2006-02-27 11:25:13 0000 -------
amd64 stable

------- Comment #13 From Thierry Carrez (RETIRED) 2006-03-07 13:28:22 0000 -------
Alpha, please test and mark stable

------- Comment #14 From Fernando J. Pereda (RETIRED) 2006-03-09 13:46:41 0000 -------
Alpha done, sorry for the delay.

Cheers,
Ferdy

------- Comment #15 From Thierry Carrez (RETIRED) 2006-03-10 10:25:16 0000 -------
Ready for GLSA vote

------- Comment #16 From Thierry Carrez (RETIRED) 2006-03-11 03:32:49 0000 -------
Injection attacks against the underlying storage containers, I vote yes.

------- Comment #17 From Stefan Cornelius (RETIRED) 2006-03-13 10:40:09 0000 -------
Yes++

------- Comment #18 From Thierry Carrez (RETIRED) 2006-03-14 13:29:10 0000 -------
Ready for GLSA (one more)

------- Comment #19 From Stefan Cornelius (RETIRED) 2006-03-17 09:58:12 0000 -------
GLSA 200603-13

Thanks everybody.
