XSS issue and path disclosure reported.
Cc'ing PHP/sebastian as maintainers for input. Upstream doesn't look very alive. We could reproduce, double-check the patch (see URL) and apply it... or get rid of that package.
PHP herd (or sebastian), please comment on comment #1
Sorry for not responding earlier to this. I do not know what to do about this. I have never used phpsysinfo, do not know whether or not UPSTREAM is alive and cannot check the proposed fix for the problem. Putting phpsysinfo into package.mask until such time that UPSTREAM resolves the issue sounds good to me.
sebastian: sorry, I misread the ChangeLog, thinking you were the recent bumper. Cc-ing cryos and corsair as they look more like it. The bug was submitted a week ago upstream at: http://sourceforge.net/tracker/index.php?func=detail&aid=1168383&group_id=15&atid=100015 PHP/cryos/corsair: if you agree with sebastian, please mask the package and comment here.
<<< phpsysinfo-2.3-r2.ebuild
<<< files/phpsysinfo-2.3-xss-and-path.patch
<<< files/digest-phpsysinfo-2.3-r2

Koon: I've marked phpsysinfo-2.3-r2 stable on ppc64. Other arches should follow.
TARGET KEYWORDS="x86 ppc ppc64 alpha hppa sparc amd64" Arches, please test and mark stable
The patch doesn't apply. It contains this line (for system_footer.php):

// $Id: phpsysinfo-2.3-xss-and-path.patch,v 1.1 2005/04/01 17:09:08 corsair Exp $

but phpsysinfo-dev/includes/system_footer.php contains

// $Id: system_footer.php,v 1.38 2004/08/13 23:02:32 webbie Exp $
Ok.. I was some kind of clueless, but I found the problem with the patch: my local copy works like a charm, but as soon as I commit the patch it gets corrupted due to cvs. The patch looks like this:

[...] --- includes/os/class.Darwin.inc.php.orig 2005-04-02 06:48:39.000000000 +0000 +++ includes/os/class.Darwin.inc.php 2005-03-23 16:40:36.000000000 +0000 @@ -19,8 +19,13 @@ // $Id: class.Darwin.inc.php,v 1.16 2004/06/26 23:46:36 webbie Exp $ +if(!file_exists('./includes/os/class.BSD.common.inc.php')) { + exit; +} + require('./includes/os/class.BSD.common.inc.php'); + echo "<p align=center><b>Note: The Darwin version of phpSysInfo is work in progress, some things currently don't work</b></p>"; class sysinfo extends bsd_common { [...]

Now there is that line:

$Id: class.Darwin.inc.php,v 1.16 2004/06/26 23:46:36 webbie Exp $

And cvs commit changes the patch to this:

[...] --- includes/os/class.Darwin.inc.php.orig 2005-04-02 06:48:39.000000000 +0000 +++ includes/os/class.Darwin.inc.php 2005-03-23 16:40:36.000000000 +0000 @@ -19,8 +19,13 @@ // $Id: phpsysinfo-2.3-xss-and-path.patch,v 1.3 2005/04/02 07:28:50 corsair Exp $ +if(!file_exists('./includes/os/class.BSD.common.inc.php')) { + exit; +} + require('./includes/os/class.BSD.common.inc.php'); + echo "<p align=center><b>Note: The Darwin version of phpSysInfo is work in progress, some things currently don't work</b></p>"; class sysinfo extends bsd_common { [...]

The result is that the patch cannot be applied. I'm currently checking how to avoid this...
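Review bot: the hunk's context line `// $Id: class.Darwin.inc.php,v 1.16 2004/06/26 23:46:36 webbie Exp $` is itself an RCS keyword, so committing the patch file to CVS with default keyword substitution rewrites it into the patch file's own `$Id$` (exactly what the second copy of the hunk shows) and the context no longer matches the target file, which is why `patch` rejects it; add the patch file with keyword expansion disabled (`cvs add -ko`, or `cvs admin -ko` on the already committed file) or regenerate the hunk so that the `$Id` line is not part of its context. Separately, the added guard `+if(!file_exists('./includes/os/class.BSD.common.inc.php')) { + exit; +}` terminates with no output at all, so a missing include shows up as an empty page rather than a diagnosable error; a one-line message before `exit` would make that failure visible.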
I
I've mirrored the patch on dev.gentoo.org. The ebuild should now be correct.
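The keyword-expansion breakage described in the earlier comment is easy to catch before a patch is committed. The following is an added example, not code from this bug thread or from Gentoo's tooling: it walks a unified diff, flags any hunk line carrying an RCS keyword (`$Id$`, `$Header$`, ...), simulates what CVS's default `-kkv` substitution does to the patch file's own `$Id$` on commit, and shows that the hunk's context then no longer matches the target file. The patch text and the target file are constructed, trimmed stand-ins for the hunk quoted above; the expanded `$Id$` value reuses the patch filename and revision that appear in the thread.

```python
import re

# RCS keywords that CVS rewrites on commit unless expansion is disabled for the file (-ko/-kb).
RCS_KEYWORDS = ("Id", "Header", "Revision", "Date", "Author", "Source",
                "RCSfile", "Log", "Name", "State", "Locker")
KEYWORD_RE = re.compile(r"\$(" + "|".join(RCS_KEYWORDS) + r")(:[^$\n]*)?\$")

# Constructed sample patch, modelled on (and trimmed from) the hunk quoted in the bug thread.
SAMPLE_PATCH = """\
--- includes/os/class.Darwin.inc.php.orig\t2005-04-02 06:48:39.000000000 +0000
+++ includes/os/class.Darwin.inc.php\t2005-03-23 16:40:36.000000000 +0000
@@ -19,8 +19,13 @@
 // $Id: class.Darwin.inc.php,v 1.16 2004/06/26 23:46:36 webbie Exp $
+if(!file_exists('./includes/os/class.BSD.common.inc.php')) {
+  exit;
+}
+
 require('./includes/os/class.BSD.common.inc.php');
+echo "<p><b>Note: the Darwin port is work in progress</b></p>";
 class sysinfo extends bsd_common {
"""

# Constructed stand-in for the target file the hunk has to match.
TARGET_FILE = [
    "<?php",
    "// $Id: class.Darwin.inc.php,v 1.16 2004/06/26 23:46:36 webbie Exp $",
    "require('./includes/os/class.BSD.common.inc.php');",
    "class sysinfo extends bsd_common {",
]

KINDS = {" ": "context", "+": "added", "-": "removed"}


def hunk_lines(patch_text):
    """Yield (line_number, kind, body) for every body line of every hunk in a unified diff."""
    in_hunk = False
    for n, line in enumerate(patch_text.splitlines(), 1):
        if line.startswith(("--- ", "+++ ", "diff ", "Index: ")):
            in_hunk = False
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line and line[0] in KINDS:
            yield n, KINDS[line[0]], line[1:]


def find_keyword_lines(patch_text):
    """Return (line_number, kind, body) for hunk lines that carry an RCS keyword.

    Context and removed lines are the dangerous ones: `patch` matches them
    against the target file, so a rewritten keyword makes the hunk fail."""
    return [(n, kind, body) for n, kind, body in hunk_lines(patch_text)
            if KEYWORD_RE.search(body)]


def simulate_cvs_expansion(patch_text, patch_filename, revision, stamp, committer):
    """Rewrite $Id$/$Header$ the way CVS does for the *patch file itself* when it is
    committed with default -kkv substitution (other keywords are left alone here).
    The expanded value then describes the patch file, not the file the hunk targets."""
    def expand(m):
        kw = m.group(1)
        if kw in ("Id", "Header"):
            return f"${kw}: {patch_filename},v {revision} {stamp} {committer} Exp $"
        return m.group(0)
    return KEYWORD_RE.sub(expand, patch_text)


def context_matches(patch_text, target_lines):
    """True if every context/removed line of the patch exists verbatim in the target."""
    target = set(target_lines)
    return all(body in target for _, kind, body in hunk_lines(patch_text)
               if kind in ("context", "removed"))


if __name__ == "__main__":
    for n, kind, body in find_keyword_lines(SAMPLE_PATCH):
        print(f"line {n} ({kind}) carries an RCS keyword: {body}")
    corrupted = simulate_cvs_expansion(SAMPLE_PATCH, "phpsysinfo-2.3-xss-and-path.patch",
                                       "1.3", "2005/04/02 07:28:50", "corsair")
    print("before commit, context matches:", context_matches(SAMPLE_PATCH, TARGET_FILE))
    print("after CVS expansion, context matches:", context_matches(corrupted, TARGET_FILE))
```

Running the check on a patch before `cvs add` tells you whether it needs to be added with keyword expansion turned off (`cvs add -ko`, or `cvs admin -ko` for a file already in the repository) or hosted outside CVS, as was done in this bug; the flagged line number points at the exact context line that would otherwise be rewritten.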
Stable on SPARC.
Stable on ppc.
Alpha stable.
Sorry - been really busy. I have been testing the new version, but am suffering from this bug - http://sourceforge.net/tracker/index.php?func=detail&aid=1094032&group_id=15&atid=100015 as reported upstream. I get a blank page with only <html><body></body></html>. Not sure if this is new as I haven't used it in quite a while. Anyone else on amd64 running this version successfully? This is with PHP 5.0.3-r2.
I vote NO GLSA btw: phpsysinfo shouldn't be available to unknown people, and path disclosure is the least of your worries in this case.
Stable on hppa.
I vote no GLSA as well.
Ok, then we only need stable marking on x86 and amd64 before we can close this bug.
x86 there
amd64 done
Thx everyone. Closing without GLSA.
*** Bug 93099 has been marked as a duplicate of this bug. ***