Summary: dev-php/PEAR-Auth: Missing parameter validation in PEAR-Auth
Product: Gentoo Security
Reporter: Luca Longinotti (RETIRED) <chtekk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B3 [glsa] DerCorny
Package list:
Runtime testing required: ---
Description Luca Longinotti (RETIRED) 2006-02-23 09:31:25 UTC
PEAR-Auth didn't correctly validate data passed to the DB and LDAP backend containers, this was fixed in PEAR-Auth-1.2.4, which is now in the tree. Please contact the archs about stabling dev-php/PEAR-Auth-1.2.4. Best regards, CHTEKK.
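The description above refers to parameters that reach the DB and LDAP storage containers without validation. As an added illustration of the fix class (this is not PEAR-Auth's own code, and the function names, the `users` table, the `uid` attribute and the username alphabet are assumptions), the following PHP checks the login parameter before any container sees it, binds it as data for the DB case, and escapes it for the LDAP filter grammar:

```php
<?php
// Added example, not PEAR-Auth code: validate a login parameter before it
// reaches a DB or LDAP storage container. auth_username_is_valid,
// auth_lookup_db, auth_lookup_ldap, the 'users' table and the 'uid'
// attribute are assumed names for this illustration.

declare(strict_types=1);

// Accept only a conservative username alphabet and reject everything else
// outright rather than trying to "clean" it. The 64-character bound is a
// constructed choice.
function auth_username_is_valid(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username);
}

// DB container: the username never becomes part of the SQL text. It is bound
// as a parameter, so the database engine only ever treats it as data.
function auth_lookup_db(PDO $db, string $username): ?array
{
    if (!auth_username_is_valid($username)) {
        return null;
    }
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// LDAP container: the username is escaped for the filter grammar with
// ldap_escape (PHP >= 5.6), so filter metacharacters cannot change the
// meaning of the search. $conn is an ldap_connect() resource/object.
function auth_lookup_ldap($conn, string $baseDn, string $username): ?array
{
    if (!auth_username_is_valid($username)) {
        return null;
    }
    $filter  = sprintf('(uid=%s)', ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($conn, $baseDn, $filter, ['uid']);
    if ($result === false) {
        return null;
    }
    $entries = ldap_get_entries($conn, $result);
    return ($entries['count'] ?? 0) === 1 ? $entries[0] : null;
}

// Demonstration against an in-memory SQLite table with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'hash-placeholder')");

var_dump(auth_lookup_db($db, 'alice'));           // a valid name is looked up
var_dump(auth_lookup_db($db, 'alice (admin)'));   // spaces/parens fail validation, no query runs
```

The two layers are deliberate: the allow-list stops malformed input at the boundary, while parameter binding and `ldap_escape` ensure that even a value the allow-list later loosens cannot change the query or filter structure.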
Comment 1 Stefan Cornelius (RETIRED) 2006-02-23 09:44:49 UTC
thx for bumping. Arches, please test and mark stable, thx in advance.
Comment 2 Stefan Cornelius (RETIRED) 2006-02-23 09:50:33 UTC
forgot to actually CC arches, thx to CHTEKK for the headsup ..
Comment 3 Markus Rothe (RETIRED) 2006-02-23 12:38:53 UTC
stable on ppc64
Comment 4 Jason Wever (RETIRED) 2006-02-23 19:34:38 UTC
Comment 5 Mark Loeser (RETIRED) 2006-02-24 22:35:52 UTC
While trying to test this, it looks like half of the dependencies for it aren't even in the tree. The only thing that seems to work is the DB stuff. The package.xml file says the dependencies are all optional, but we install all of the files, so all of them should work.

<dep type="pkg" rel="ge" version="0.9.5" optional="yes">File_Passwd</dep>
<dep type="pkg" rel="ge" version="1.3" optional="yes">Net_POP3</dep>
<dep type="pkg" rel="has" optional="yes">DB</dep>
<dep type="pkg" rel="has" optional="yes">MDB</dep>
<dep type="pkg" rel="has" optional="yes">Auth_RADIUS</dep>
<dep type="pkg" rel="has" optional="yes">File_SMBPasswd</dep>
Comment 6 Sebastian Bergmann (RETIRED) 2006-02-24 22:42:50 UTC
I'll add the dependencies to the tree.
Comment 7 Sebastian Bergmann (RETIRED) 2006-02-24 23:33:51 UTC
dev-php/PEAR-MDB2, dev-php/PEAR-Crypt_CHAP, dev-php/PEAR-File_Passwd, and PEAR-File_SMBPasswd are in the tree now. I did not add dev-php/PEAR-Auth_RADIUS yet because that PEAR package depends on a PECL extension that is not in the tree yet.
Comment 8 Mark Loeser (RETIRED) 2006-02-24 23:37:13 UTC
They still aren't dependencies of PEAR-Auth, and if the radius stuff isn't going to work, you shouldn't install those files, in my opinion.
Comment 9 Sebastian Bergmann (RETIRED) 2006-02-24 23:51:06 UTC
When a PEAR package marks one of its dependencies as optional it has to check whether or not the optionally used package is installed and only expose the functionality that depends on it if it is. Or did you mean something else?
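The point made in comment 9, that a package with optional dependencies has to check whether each one is installed and only expose the functionality that needs it, can be shown as a small PHP routine. This is an added example, not PEAR-Auth's own code; the container list, class names and file paths are constructed for the illustration:

```php
<?php
// Added example, not PEAR-Auth code: expose an optional storage container only
// when the package that implements it can actually be loaded. The container
// names, class names and file paths below are assumptions.

declare(strict_types=1);

// Optional containers mapped to the class each needs and the file that
// defines it (constructed list).
const OPTIONAL_CONTAINERS = [
    'DB'     => ['class' => 'DB',          'file' => 'DB.php'],
    'MDB'    => ['class' => 'MDB',         'file' => 'MDB.php'],
    'RADIUS' => ['class' => 'Auth_RADIUS', 'file' => 'Auth/RADIUS.php'],
];

// Return only the containers whose dependency is installed. include_once is
// suppressed so a missing file becomes "not available" instead of a warning;
// class_exists is called without autoloading so the check is explicit.
function auth_available_containers(): array
{
    $available = [];
    foreach (OPTIONAL_CONTAINERS as $name => $dep) {
        if (!class_exists($dep['class'], false)) {
            @include_once $dep['file'];
        }
        if (class_exists($dep['class'], false)) {
            $available[] = $name;
        }
    }
    return $available;
}

// Refuse up front to use a container whose dependency is missing, rather than
// failing later with a fatal "class not found" deep inside the login path.
function auth_select_container(string $name): string
{
    if (!in_array($name, auth_available_containers(), true)) {
        throw new RuntimeException(
            "storage container '$name' is not available: optional dependency not installed"
        );
    }
    return $name;
}

// Demonstration: list what is usable on this system and request one container.
var_dump(auth_available_containers());
try {
    var_dump(auth_select_container('RADIUS'));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Doing the check at selection time gives the installer-side complaint in comment 8 a clean answer: files for an unusable backend may be present, but the backend is never offered to callers.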
Comment 10 Jeroen Roovers (RETIRED) 2006-02-25 07:45:07 UTC
Marked hppa stable.
Comment 11 Mark Loeser (RETIRED) 2006-02-25 12:54:06 UTC
(In reply to comment #9)
> When a PEAR package marks one of its dependencies as optional it has to check
> whether or not the optionally used package is installed and only expose the
> functionality that depends on it if it is.

If I install the package right now, I can't use all of the features that come with it since dependencies are missing. I'm complaining about this because I'm not sure how I ever marked it stable in its current state since most of it doesn't seem to work. I guess it is not a regression, so I'll mark it stable, but I'd like to see this problem addressed in the near future.
Comment 12 Simon Stelling (RETIRED) 2006-02-27 11:25:13 UTC
Comment 13 Thierry Carrez (RETIRED) 2006-03-07 13:28:22 UTC
Alpha, please test and mark stable
Comment 14 Fernando J. Pereda (RETIRED) 2006-03-09 13:46:41 UTC
Alpha done, sorry for the delay. Cheers, Ferdy
Comment 15 Thierry Carrez (RETIRED) 2006-03-10 10:25:16 UTC
Ready for GLSA vote
Comment 16 Thierry Carrez (RETIRED) 2006-03-11 03:32:49 UTC
Injection attacks against the underlying storage containers, I vote yes.
Comment 17 Stefan Cornelius (RETIRED) 2006-03-13 10:40:09 UTC
Comment 18 Thierry Carrez (RETIRED) 2006-03-14 13:29:10 UTC
Ready for GLSA (one more)
Comment 19 Stefan Cornelius (RETIRED) 2006-03-17 09:58:12 UTC
GLSA 200603-13 Thanks everybody.