
Bug 102576

Summary: dev-php/PEAR-XML_RPC round 2 (CAN-2005-2498)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: php-bugs, yoswink
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments (description, flags):
pear_xml_rpc_without_eval.tgz, none
xmlrpc_1_branch.zip, none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-14 21:59:03 UTC
Stefan Esser discovered:

a logical error that allows an attacker to nest XML tags in a way that a
single doublequote will be appended to the eval string. The next string tag
will add another doublequote, then the string data and a closing doublequote.
It should be obvious that this means the string data is not handled as string
but as actual code due to this.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-14 22:00:17 UTC
Created attachment 65988
pear_xml_rpc_without_eval.tgz

Patch by Stefan Esser.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-14 22:01:10 UTC
Created attachment 65989
xmlrpc_1_branch.zip

Patch by Stefan Esser.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-17 09:03:31 UTC
There is an error in the patch: 
 
+ 
+    case 'DATETIME.ISO8601': 
+        $XML_RPC_xh[$parser]['vt'] = $GLOBALS['XML_RPC_DateTime']; 
+       $XML_RPC_xh[$parser]['value'] = base64_decode($XML_RPC_xh[$parser]
['ac']); 
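
Review bot: In the 'DATETIME.ISO8601' case, the 'value' assignment runs $XML_RPC_xh[$parser]['ac'] through base64_decode(), but a dateTime.iso8601 element carries plain character data, not base64, so decoding it corrupts the timestamp. Assign the accumulated text directly: $XML_RPC_xh[$parser]['value'] = $XML_RPC_xh[$parser]['ac']; The 'value' line is also indented one column short of the 'vt' line above it.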
 
the base64_decode() call should not be there.  
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-18 09:29:54 UTC
*** Bug 102324 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-08-18 09:44:57 UTC
Keeping this bug for PEAR XML-RPC only.

Fixed version is PEAR XML_RPC 1.4.0
http://pear.php.net/get/XML_RPC-1.4.0.tgz
Comment 7 Sebastian Bergmann (RETIRED) gentoo-dev 2005-08-18 10:17:31 UTC
dev-php/PEAR-XML_RPC-1.4.0 is already in the tree and marked stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-08-24 02:52:34 UTC
Thx everyone.
GLSA 200508-13