Bug 123832

Summary: dev-php/PEAR-Auth: Missing parameter validation in PEAR-Auth
Product: Gentoo Security
Reporter: Luca Longinotti (RETIRED) <chtekk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: jer, php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Luca Longinotti (RETIRED) gentoo-dev 2006-02-23 09:31:25 UTC
PEAR-Auth didn't correctly validate data passed to the DB and LDAP backend containers; this was fixed in PEAR-Auth-1.2.4, which is now in the tree.
Please contact the archs about stabling dev-php/PEAR-Auth-1.2.4.
Best regards, CHTEKK.
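The defect class named in this report, a login name reaching the DB and LDAP storage containers without validation, next to a hardened form. This is an added example written for this page, not PEAR-Auth's own code or its actual fix; LoginValidator, fetchUserRowUnsafe, fetchUserRow, ldapFilterValue and buildLdapFilter are hypothetical names, and the auth table is a constructed sample.

```php
<?php
// Added example, not PEAR-Auth's own code. LoginValidator, fetchUserRowUnsafe,
// fetchUserRow, ldapFilterValue and buildLdapFilter are hypothetical names;
// the "auth" table is constructed sample data created below.

final class LoginValidator
{
    // Allow-list for login names; adjust to the site's own username policy.
    private const USERNAME_RE = '/^[A-Za-z0-9._@-]{1,64}$/';

    public static function isValidUsername(string $username): bool
    {
        return preg_match(self::USERNAME_RE, $username) === 1;
    }
}

// The defect class from the bug, kept for contrast: the raw username is
// concatenated into the SQL text, so the backend parses whatever was sent.
function fetchUserRowUnsafe(PDO $db, string $username): ?array
{
    $row = $db->query(
        "SELECT username, password FROM auth WHERE username = '$username'"
    )->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: reject anything outside the allow-list before the backend
// is touched, and bind the value so it can never become SQL syntax.
function fetchUserRow(PDO $db, string $username): ?array
{
    if (!LoginValidator::isValidUsername($username)) {
        return null;
    }
    $stmt = $db->prepare('SELECT username, password FROM auth WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// RFC 4515 escaping for a value placed inside an LDAP search filter:
// the characters with filter meaning become \xx hex escapes. This is the
// second layer behind the allow-list, so a filter can never be reshaped.
function ldapFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

function buildLdapFilter(string $username): ?string
{
    if (!LoginValidator::isValidUsername($username)) {
        return null;
    }
    return '(&(objectClass=person)(uid=' . ldapFilterValue($username) . '))';
}

// Stand-alone demonstration against an in-memory SQLite database
// (constructed sample rows; needs ext/pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->exec("INSERT INTO auth VALUES ('alice', '<hash>'), ('bob', '<hash>')");

foreach (['alice', "x' OR '1'='1", 'a*)(uid=*'] as $candidate) {
    $unsafe = fetchUserRowUnsafe($db, $candidate);
    $safe   = fetchUserRow($db, $candidate);
    printf("%-18s unsafe:%-8s hardened:%-8s ldap:%s\n",
        json_encode($candidate),
        $unsafe === null ? 'no row' : $unsafe['username'],
        $safe === null ? 'rejected' : $safe['username'],
        buildLdapFilter($candidate) ?? 'rejected');
}
// The escaping layer on its own, for a value that bypassed no allow-list:
echo 'escaped: ', ldapFilterValue('a*)(uid=*'), "\n";   // a\2a\29\28uid=\2a
```

The second candidate shows the risk the GLSA vote refers to: the unvalidated query returns a real account row for a login name that matches nobody, while the hardened path never reaches the database. The allow-list is the fix for the reported bug; parameter binding and filter escaping are the layers that hold if the allow-list is later loosened.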
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 09:44:49 UTC
thx for bumping. Arches, please test and mark stable, thx in advance.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 09:50:33 UTC
forgot to actually CC arches, thx to CHTEKK for the headsup ..
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2006-02-23 12:38:53 UTC
stable on ppc64
Comment 4 Jason Wever (RETIRED) gentoo-dev 2006-02-23 19:34:38 UTC
Comment 5 Mark Loeser (RETIRED) gentoo-dev 2006-02-24 22:35:52 UTC
While trying to test this, it looks like half of the dependencies for it aren't even in the tree.  The only thing that seems to work is the DB stuff.  The package.xml file says the dependencies are all optional, but we install all of the files, so all of them should work.

   <dep type="pkg" rel="ge" version="0.9.5" optional="yes">File_Passwd</dep>
   <dep type="pkg" rel="ge" version="1.3" optional="yes">Net_POP3</dep>
   <dep type="pkg" rel="has" optional="yes">DB</dep>
   <dep type="pkg" rel="has" optional="yes">MDB</dep>
   <dep type="pkg" rel="has" optional="yes">Auth_RADIUS</dep>
   <dep type="pkg" rel="has" optional="yes">File_SMBPasswd</dep>
Comment 6 Sebastian Bergmann (RETIRED) gentoo-dev 2006-02-24 22:42:50 UTC
I'll add the dependencies to the tree.
Comment 7 Sebastian Bergmann (RETIRED) gentoo-dev 2006-02-24 23:33:51 UTC
dev-php/PEAR-MDB2, dev-php/PEAR-Crypt_CHAP, dev-php/PEAR-File_Passwd, and PEAR-File_SMBPasswd are in the tree now.

I did not add dev-php/PEAR-Auth_RADIUS yet because that PEAR package depends on a PECL extension that is not in the tree yet.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2006-02-24 23:37:13 UTC
They still aren't dependencies of PEAR-Auth, and if the radius stuff isn't going to work, you shouldn't install those files, in my opinion.
Comment 9 Sebastian Bergmann (RETIRED) gentoo-dev 2006-02-24 23:51:06 UTC
When a PEAR package marks one of its dependencies as optional it has to check whether or not the optionally used package is installed and only expose the functionality that depends on it if it is.

Or did you mean something else?
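One way a PEAR package can do the check described in the comment above, written as an added example for this page rather than code from PEAR-Auth: a registry that only exposes a storage container when the optional package it needs can be loaded. BackendRegistry is a hypothetical name; the file paths are the usual PEAR include_path locations for the packages listed in comment 5 and are assumed here.

```php
<?php
// Added example, not PEAR-Auth's own code. BackendRegistry is hypothetical;
// the PEAR file paths are assumed include_path locations.

final class BackendRegistry
{
    /** container name => [PEAR file it needs, class that file defines] */
    private const OPTIONAL_DEPS = [
        'DB'        => ['DB.php',             'DB'],
        'MDB'       => ['MDB.php',            'MDB'],
        'POP3'      => ['Net/POP3.php',       'Net_POP3'],
        'File'      => ['File/Passwd.php',    'File_Passwd'],
        'SMBPasswd' => ['File/SMBPasswd.php', 'File_SMBPasswd'],
        'RADIUS'    => ['Auth/RADIUS.php',    'Auth_RADIUS'],
    ];

    /** True when the container's dependency is loaded or sits on include_path. */
    public static function isAvailable(string $container): bool
    {
        if (!isset(self::OPTIONAL_DEPS[$container])) {
            return false;
        }
        [$file, $class] = self::OPTIONAL_DEPS[$container];
        // class_exists(..., false) does not trigger autoloaders, and the
        // include_path probe only locates the file without executing it.
        return class_exists($class, false)
            || stream_resolve_include_path($file) !== false;
    }

    /** Names of the containers that would actually work on this install. */
    public static function available(): array
    {
        return array_values(array_filter(
            array_keys(self::OPTIONAL_DEPS),
            [self::class, 'isAvailable']
        ));
    }

    /** Load the dependency, or fail at construction instead of half-working. */
    public static function load(string $container): void
    {
        if (!self::isAvailable($container)) {
            throw new RuntimeException(
                "Auth container '$container' needs a PEAR package that is not installed"
            );
        }
        require_once self::OPTIONAL_DEPS[$container][0];
    }
}

// Stand-alone check: list what this PHP install could actually use.
echo 'Usable containers: ', implode(', ', BackendRegistry::available()) ?: '(none)', "\n";
```

Probing at construction time is what turns a missing optional package into an explicit error rather than a container that installs but fails on first login, which is the situation comment 5 and comment 8 describe.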
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2006-02-25 07:45:07 UTC
Marked hppa stable.
Comment 11 Mark Loeser (RETIRED) gentoo-dev 2006-02-25 12:54:06 UTC
(In reply to comment #9)
> When a PEAR package marks one of its dependencies as optional it has to check
> whether or not the optionally used package is installed and only expose the
> functionality that depends on it if it is.

If I install the package right now, I can't use all of the features that come with it since dependencies are missing.  I'm complaining about this because I'm not sure how I ever marked it stable in its current state since most of it doesn't seem to work.  I guess it is not a regression, so I'll mark it stable, but I'd like to see this problem addressed in the near future.
Comment 12 Simon Stelling (RETIRED) gentoo-dev 2006-02-27 11:25:13 UTC
amd64 stable
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-03-07 13:28:22 UTC
Alpha, please test and mark stable
Comment 14 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-09 13:46:41 UTC
Alpha done, sorry for the delay.

Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-03-10 10:25:16 UTC
Ready for GLSA vote
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2006-03-11 03:32:49 UTC
Injection attacks against the underlying storage containers, I vote yes.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 10:40:09 UTC
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2006-03-14 13:29:10 UTC
Ready for GLSA (one more)
Comment 19 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 09:58:12 UTC
GLSA 200603-13

Thanks everybody.