Bug 327973 - <dev-php5/symfony-1.4.8: Directory Traversal vulnerability
Summary: <dev-php5/symfony-1.4.8: Directory Traversal vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa]
Keywords:
Depends on: 340077
Blocks:
Reported: 2010-07-12 18:13 UTC by Matti Bickel (RETIRED)
Modified: 2010-11-18 20:31 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matti Bickel (RETIRED) gentoo-dev 2010-07-12 18:13:26 UTC
Hi, I just got alerted to this blog post:
http://www.symfony-project.org/blog/2010/06/29/security-release-symfony-1-3-6-and-1-4-6

I'm not aware of a CVE yet.

I've added upstream's new release, courtesy Jamie, our proxy maintainer.

I am not yet familiar enough with the package, so I'm not sure of the impact. The ability to store files in a directory might or might not result in a Denial of Service. I'm not sure if this is an Information Leak, as with other forms of Directory Traversal.

Rating could be C4. I'd also kindly ask for security to call arches for a direct stable bump after assessing the situation.
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2010-07-12 18:20:57 UTC
CC:ing proxy maintainer so he's aware of the bug
Comment 2 Jamie Learmonth 2010-10-15 16:01:15 UTC
This package is now stable in the tree, can sec team close?
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-10-23 14:16:03 UTC
GLSA vote: NO
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2010-11-18 20:31:49 UTC
GLSA vote: No too; closing noglsa.