Summary: | dev-php/php includes tempfile vulnerable shtool | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Romang <zataz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED WONTFIX | ||
Severity: | normal | CC: | php-bugs |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | A3 [ebuild+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 93782 |
Description
Romang
2005-05-26 04:36:34 UTC
Eric, as usual, please forward patch to upstream if not already done... PHP herd, please apply patch from bug 93782 to the included shtool in PHP (and maybe also mod_php and php-cgi) and bump... Hello, Bug reported : http://bugs.php.net/bug.php?id=33150 Regards. Hmm we should wait for a more complete patch. Stay tuned... PHP upstream won't patch shtool, they're waiting on upstream.
PHP herd, what's your opinion on this ? Should we patch ourselves using
attachment 60117 [details, diff] ?
security: if a lot of packages are going to be affected by this (I suspect that they will be, as shtool is widely used), how about putting a fix-it function in an eclass, so that can be called globally. I was under the impression that we're on hold because there was a doubt whether the patch we have was the right fix? Please advise whether we have a patch that we can apply or not. Best regards, Stu Stuart: attachment 60117 [details, diff] *is* the new (and complete) patch. This is still a patch of ours rather than the official upstream, but since upstream is dead-silent we probably better patch it ourselves. Robin: so far we identified the following packages : dev-ml/ocaml-mysql (bug 93784) net-nds/openldap (bug 94057) and of course dev-util/shtool (bug 93782) shtool has been patched. The others still have to be patched. I fear the eclass solution might require difficult coordination between maintainers, but if you think there are a lot more to unearth maybe it's the best solution... Thanks for clearing that up. I'll patch PHP4 and PHP5 on Thursday night. This Thursday ? :) <taviso> Koon: afaict, php only uses mkdir and echo commands, neither makes a tmpfile <taviso> and install I updated the PHP bug to tell them they are unaffected for the time being, vulnerability lies in dead code. Stuart: Sorry for the unnecessary (and repeated) pings... |