Bug 337194 (CVE-2010-3294)

Summary:	<dev-php5/pecl-apc-3.1.4: XSS (CVE-2010-3294)
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	kissifrot, php-bugs, Sergiy.Borodych, toto, xmw
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://pecl.php.net/package-changelog.php?package=APC&release=3.1.4
Whiteboard:	B4 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:	336869
Bug Blocks:

Description Hanno Böck gentoo-dev

2010-09-14 00:32:23 UTC

From upstream changelog:
"Fixed potential XSS in apc.php (Pierre, Matt Chapman)"

I consider this very minor (apc.php is just an additional debugging tool that doesn't get installed anywhere by default), but still we should track it as a security issue. PHP-team, I'd suggest changing the stabilization target in bug #336869 to go with 3.1.4 instead of 3.1.3_p1.

Comment 1 Markus Meier gentoo-dev

2010-09-26 08:50:22 UTC

>>> Compiling source in /var/tmp/portage/dev-php5/pecl-apc-3.1.4/work/APC-3.1.4 ...
 *   Disabling apc-mmap
 *
 * Using dev-lang/php-5.2.14
 *
 *
 * Using dev-lang/php-5.2.14
 *
 *
 * Using dev-lang/php-5.2.14
 *
 * QA Notice: econf called in src_compile instead of src_configure
 * econf: updating APC-3.1.4/config.sub with /usr/share/gnuconfig/config.sub
 * econf: updating APC-3.1.4/config.guess with /usr/share/gnuconfig/config.guess

Comment 2 Christian Faulhammer (RETIRED) gentoo-dev

2010-10-14 15:28:33 UTC

x86 stable

Comment 3 Markos Chandras (RETIRED) gentoo-dev

2010-10-14 15:49:32 UTC

amd64 done

Comment 4 Brent Baude (RETIRED) gentoo-dev

2010-10-15 13:06:58 UTC

ppc done

Comment 5 Sergiy Borodych 2010-10-15 14:32:48 UTC

Can you stable php-5.3.3 for amd64 please

because in combitation

dev-php5/pecl-apc-3.1.4
dev-lang/php-5.2.14

appear bug
http://pecl.php.net/bugs/bug.php?id=16966

Comment 6 toto 2010-10-27 02:51:33 UTC

I get this http://pecl.php.net/bugs/bug.php?id=16966 on 5.3.3-pl1-gentoo
Need find fix in svn...

Comment 7 toto 2010-10-27 03:14:20 UTC

http://svn.php.net/viewvc?view=revision&sortby=log&revision=303274

Comment 8 Philippe Villiers 2010-11-30 10:54:39 UTC

It seems they released a 3.1.6 version, and it's marked as stable: http://pecl.php.net/package/APC/3.1.6

I suggest to bump the version to 3.1.6 and "ditch" 3.1.5 and less

Comment 9 Ole Markus With (RETIRED) gentoo-dev

2010-11-30 15:45:37 UTC

Ebuilds for pecl-apc-3.1.6 has been commited to CVS

Comment 10 Michael Weber (RETIRED) gentoo-dev

2011-01-04 21:02:54 UTC

pecl-apc-3.1.4 stabled on sparc. Should I close this now?

Comment 11 Tim Sammut (RETIRED) gentoo-dev

2011-01-04 21:14:36 UTC

Thanks, Michael.

(In reply to comment #10)
> pecl-apc-3.1.4 stabled on sparc. Should I close this now?
> 

The security team uses [1] and [2] to manage security bugs. And as such, we handle the closure of all security bugs.

That said, closing this [noglsa] since it is a Cross-site Scripting vulnerability.

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
[2] http://www.gentoo.org/security/en/coordinator_guide.xml