Bug 97399 - dev-php/PEAR-XML_RPC vulnerability (CAN-2005-1921)
Summary: dev-php/PEAR-XML_RPC vulnerability (CAN-2005-1921)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/15852/
Whiteboard: B1 [glsa]
Duplicates: 97412
Reported: 2005-06-29 09:12 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-07-03 09:51 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-29 09:12:03 UTC
A vulnerability has been reported in XML-RPC for PHP, which can be exploited by malicious people to compromise a vulnerable system.
 
 The vulnerability is caused due to an unspecified error, which can be exploited to execute arbitrary PHP code via an application using the vulnerable library.
Comment 1 Stuart Herbert (RETIRED) gentoo-dev 2005-06-29 09:16:33 UTC
The postNuke advisory has a little more information in it:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2699

This doesn't look like a bug in PHP - but a bug in code written in PHP.  As 
the code is bundled with the app, we'll have to audit all the apps in the tree 
to find out which ones are affected.

Best regards,
Stu
Comment 2 Brian Moon 2005-06-29 09:47:59 UTC
phpwebsite has some XML RPC from PEAR.  Not sure if that is the same as the SF
package or not.
Comment 3 Brian Moon 2005-06-29 09:57:34 UTC
obviously: dev-php/phpxmlrpc
Comment 4 Brian Moon 2005-06-29 10:18:27 UTC
www-apps/phpgroupware uses xmlrpc of some kind.
Comment 5 Brian Moon 2005-06-29 10:19:53 UTC
www-apps/phpwiki uses xmlrpc of some kind.
Comment 6 Brian Moon 2005-06-29 10:31:26 UTC
I have made a quick run through the packages from `emerge search php`.  I have
reported anything suspicious here.

I could not look at phpcollab as tar would not open the tar file.
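
The audit of bundled library copies discussed in Comments 1 through 6 can be scripted; the following is an added example, not part of the original thread or of any Gentoo tooling. It assumes a copy can be recognised by the message class it defines (`XML_RPC_Message` for PEAR XML_RPC, `xmlrpcmsg` for phpxmlrpc); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory bundled XML-RPC library copies in unpacked sources.
# Assumption: a copy is recognised by the message class it defines,
#   XML_RPC_Message (PEAR XML_RPC) or xmlrpcmsg (phpxmlrpc),
# so renamed files are still found and mere callers are not reported.

# classify_file FILE: print the library FILE is a copy of, or nothing.
classify_file() {
    if grep -Eiq '^[[:space:]]*class[[:space:]]+XML_RPC_Message([^A-Za-z0-9_]|$)' "$1"; then
        echo "pear-xml_rpc"
    elif grep -Eiq '^[[:space:]]*class[[:space:]]+xmlrpcmsg([^A-Za-z0-9_]|$)' "$1"; then
        echo "phpxmlrpc"
    fi
}

# audit_tree DIR: print "library<TAB>path" for every bundled copy, sorted.
audit_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -print |
    while IFS= read -r f; do
        lib=$(classify_file "$f")
        if [ -n "$lib" ]; then printf '%s\t%s\n' "$lib" "$f"; fi
    done | sort
}

# make_sample_tree DIR: constructed fixture, not real package contents.
make_sample_tree() {
    mkdir -p "$1/app-a/lib/XML" "$1/app-b/includes" "$1/app-c"
    printf '<?php\nclass XML_RPC_Message {}\n' > "$1/app-a/lib/XML/RPC.php"
    printf '<?php\nclass xmlrpcmsg {}\n' > "$1/app-b/includes/rpc_renamed.inc"
    printf '<?php\n$m = new xmlrpcmsg("ping");\n' > "$1/app-c/client.php"
}

# Audit the directory given as $1, or the constructed sample when none is given.
if [ -d "${1:-}" ]; then
    audit_tree "$1"
else
    demo=$(mktemp -d) && make_sample_tree "$demo" && audit_tree "$demo"
    rm -rf "$demo"
fi
```

A hit only shows that a copy is present; whether it carries the fix still has to be checked against the fixed releases named in this bug.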
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-29 12:28:20 UTC
*** Bug 97412 has been marked as a duplicate of this bug. ***
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-06-29 13:46:41 UTC
Adding web-apps to Cc
Comment 9 Sebastian Bergmann (RETIRED) gentoo-dev 2005-06-30 00:15:35 UTC
dev-php/PEAR-XML_RPC-1.3.1 (which has the needed security fix) is in the tree now.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-06-30 01:37:27 UTC
This bug is for the libraries, any application making use of them is affected.

dev-php/PEAR-XML_RPC-1.3.1 is in the tree (thx to Sebastian)

We still need a new dev-php/phpxmlrpc that would include the patch :
http://cvs.sourceforge.net/viewcvs.py/phpxmlrpc/xmlrpc/xmlrpc.inc?r1=1.48&r2=1.49

(note, maybe the patch from the other lib is better ?)
Comment 11 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-01 03:57:48 UTC
dev-php/php-4.4.0_rc2, dev-php/mod_php-4.4.0_rc2, and dev-php/php-cgi-4.4.0_rc2
are in the tree now and ship with PEAR's XML_RPC-1.3.1 (which has the needed
security fix).
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-01 04:09:34 UTC
Sebastian, are these ready for arch testing?
Comment 13 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-01 06:47:21 UTC
PHP 4.4.0 will be a bugfix-only release, which is why I added the RCs directly
to ~ARCH instead of package.masking them.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 09:13:44 UTC
Arches: please test and mark stable:

dev-php/php-4.4.0_rc2
Current KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
Target KEYWORDS="alpha amd64 hppa ia64 mips ppc ppc64 s390 sparc x86"

dev-php/mod_php-4.4.0_rc2
Current KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc ~x86"
Target KEYWORDS="alpha amd64 hppa ia64 mips ppc ppc64 s390 sparc x86"

dev-php/php-cgi-4.4.0_rc2
Current KEYWORDS="~x86 ~sparc ~alpha ~hppa ~ppc ~ia64 ~amd64 ~mips"
Target KEYWORDS="x86 sparc alpha hppa ppc ia64 amd64 ~mips"

dev-php/PEAR-XML_RPC-1.3.1
Current KEYWORDS="~alpha amd64 ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc x86"
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 s390 sparc x86"



Creating a separate bug for phpxmlrpc.

Comment 15 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-01 10:04:36 UTC
It is one thing to add a Release Candidate into ~ARCH, which I did, but another
to put it into ARCH.

While it is very likely that PHP 4.4.0 RC2 will be released without (major)
changes in the next 1-2 weeks, I am not sure if we should really mark it stable.
It would probably be better to revision-bump PHP 4.3.11 and exchange the bundled
XML_RPC version with the new version.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 13:38:08 UTC
Sebastian: fair enough. I'll create another bug for PHP patched release.

Arches, that leaves us only with :

dev-php/PEAR-XML_RPC-1.3.1
Current KEYWORDS="~alpha amd64 ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc x86"
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 s390 sparc x86"
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 13:44:43 UTC
Sebastian, please follow up on the php ebuild on bug 97655
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2005-07-02 01:46:05 UTC
Stable marking done by Sebastian. Removing hppa from cc.
Comment 19 Renat Lumpau (RETIRED) gentoo-dev 2005-07-02 19:32:29 UTC
www-apps/xoops also vulnerable, fixed upstream. Version bumped, old versions
removed.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-07-03 01:49:55 UTC
Note: no GLSA for xoops, was always ~.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-07-03 09:51:01 UTC
GLSA 200507-01