Bug 294264 (CVE-2009-4025)

Summary: <dev-php/PEAR-Net_Traceroute-0.21.2 Argument Injection (CVE-2009-4025)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://pear.php.net/advisory20091114-01.txt
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-23 18:56:34 UTC
+++ This bug was initially created as a clone of Bug #294258 +++

Description:
Remote Arbitrary Command Injection

Impact:
When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Workaround:
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution:
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2.

SVN commit:
http://svn.php.net/viewvc/pear/packages/Net_Traceroute/trunk/Traceroute.php?r1=232735&r2=290749
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2009-11-24 14:26:49 UTC
in CVS
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-24 14:28:24 UTC
Arches, please test and mark stable:
=dev-php/PEAR-Net_Traceroute-0.21.2
Target keywords : "amd64 x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-24 20:45:41 UTC
x86 stable
Comment 4 Markus Meier gentoo-dev 2009-11-25 22:44:02 UTC
amd64 stable, all arches done.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 07:52:31 UTC
Rerating, GLSA filed.

PHP, please remove the vulnerable ebuild.
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2009-11-26 15:39:37 UTC
(In reply to comment #5)
> Rerating, GLSA filed.
> 
> PHP, please remove the vulnerable ebuild.
> 

done
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 19:17:36 UTC
GLSA 200911-06
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-30 18:57:55 UTC
CVE-2009-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4025):
  Argument injection vulnerability in the traceroute function in
  Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR
  allows remote attackers to execute arbitrary shell commands via the
  host parameter.  NOTE: some of these details are obtained from third
  party information.
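The advisory's workaround (shell-escape the input) and the CVE text (injection via the host parameter) both point at the same root cause: a caller-supplied host reaching the shell unquoted. The following PHP is an added illustration of that pattern beside a hardened form; it is not Net_Traceroute's own code, and the function names are hypothetical.

```php
<?php
// Added illustration, not code from Net_Traceroute. Function names are
// hypothetical. Requires PHP 7+ for the scalar type declarations.

// Vulnerable pattern: the host is interpolated into the command line
// unescaped, so a value such as "example.com; id" appends a second command
// and a value starting with "-" is read as a traceroute option.
function buildCommandUnsafe(string $host): string
{
    return "traceroute $host";
}

// Allow-list check: accept an IP literal or a conservative hostname shape.
// This rejects shell metacharacters and a leading '-', which matters because
// escapeshellarg() alone stops command injection but not option injection:
// '-m 3' quoted is still one argument that begins with a dash.
function isSafeHost(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    return (bool) preg_match('/^(?!-)[A-Za-z0-9.-]{1,253}$/', $host);
}

// Hardened pattern: validate first, then quote the single argument.
function buildCommandSafe(string $host): string
{
    if (!isSafeHost($host)) {
        throw new InvalidArgumentException("Rejected host value: $host");
    }
    return 'traceroute ' . escapeshellarg($host);
}

// Constructed inputs: one benign, one command injection, one option injection.
foreach (['example.com', 'example.com; id', '-m 3'] as $host) {
    echo "unsafe: ", buildCommandUnsafe($host), "\n";
    try {
        echo "safe:   ", buildCommandSafe($host), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:   ", $e->getMessage(), "\n";
    }
}
```

Only the benign host yields a command from the hardened builder; the two hostile values are rejected before any shell call, which is the behaviour a fixed caller should expect.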