Bug 444696 (CVE-2012-5574)

Summary: <dev-php/symfony-1.4.20: Allows reading any file stored on the server if it is readable by the web server (CVE-2012-5574)
Product: Gentoo Security
Reporter: Laurent Bachelier <laurent>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jamie-lists, mabi, php-bugs, proxy-maint, tomwij, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: All
URL: http://symfony.com/blog/security-release-symfony-1-4-20-released
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Laurent Bachelier 2012-11-25 14:03:46 UTC
"The vulnerability allows reading any file stored on the server if it is readable by the web server."

Other than that, only bug fixes.

See URL for more details.

Reproducible: Always
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-26 01:04:59 UTC
Thank you for the report, Laurent. 

Making this bug public since the issue at $URL is public.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-27 12:22:20 UTC
*** Bug 444922 has been marked as a duplicate of this bug. ***
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2012-11-27 12:35:21 UTC
Ebuild in the tree
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-01 14:19:20 UTC
(In reply to comment #3)
> Ebuild in the tree

Thanks.

Arches, please test and mark stable:
=dev-php/symfony-1.4.20
Target KEYWORDS: "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-01 21:27:32 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-03 20:44:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-03 20:47:30 UTC
old removed, please vote.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-04 22:57:10 UTC
GLSA vote: no.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:48:05 UTC
Vote: yes.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-12-17 03:38:04 UTC
GLSA Vote: yes. No GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-12-23 00:42:52 UTC
CVE-2012-5574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5574):
  lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote
  attackers to read arbitrary files via a crafted upload request.
Comment 12 Laurent Bachelier 2013-09-28 14:48:47 UTC
The package is being removed, so this bug should be closed I guess?
Comment 13 Sergey Popov (RETIRED) gentoo-dev 2013-09-30 07:34:22 UTC
(In reply to Laurent Bachelier from comment #12)
> The package is being removed, so this bug should be closed I guess?

It will be closed when the package is gone from the tree.
Comment 14 Pacho Ramos gentoo-dev 2013-10-12 12:22:50 UTC
(In reply to Sergey Popov from comment #13)
> (In reply to Laurent Bachelier from comment #12)
> > The package is being removed, so this bug should be closed I guess?
> 
> It will be closed when the package is gone from the tree.

done
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-15 18:17:48 UTC
Re-open, glsa still pending.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:57:25 UTC
This issue was resolved and addressed in GLSA 201405-25 at http://security.gentoo.org/glsa/glsa-201405-25.xml by GLSA coordinator Sean Amoss (ackle).