Bug 102576 - dev-php/PEAR-XML_RPC round 2 (CAN-2005-2498)
Summary: dev-php/PEAR-XML_RPC round 2 (CAN-2005-2498)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] jaervosz
Keywords:
Duplicates: 102324
Depends on:
Blocks:
 
Reported: 2005-08-14 21:59 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-08-24 02:52 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
pear_xml_rpc_without_eval.tgz (20.29 KB, application/x-tgz)
2005-08-14 22:00 UTC, Sune Kloppenborg Jeppesen (RETIRED)
xmlrpc_1_branch.zip (126.53 KB, application/x-zip)
2005-08-14 22:01 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-14 21:59:03 UTC
Stefan Esser discovered:

a logical error that allows an attacker to nest XML tags in a way that a single double quote will be appended to the eval string. The next string tag will add another double quote, then the string data and a closing double quote. It should be obvious that this means the string data is not handled as string but as actual code due to this.
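The flaw described above comes from assembling PHP source text (including the quoted character data) and handing it to eval(), which is why the fix attached to this bug removes eval entirely. As an added example, not code from this bug, from Stefan Esser or from PEAR XML_RPC, the decoder below builds XML-RPC values straight from the XML parser's callbacks; class and method names are my own, and the sample document is constructed. Character data is only ever stored as data, so quotes, semicolons or unexpected nesting in a payload cannot change which code runs.

```php
<?php
// Added example (not PEAR XML_RPC's own code): decode an XML-RPC <value>
// into a PHP value without ever building PHP source or calling eval().
class SafeXmlRpcValueDecoder
{
    private $frames = array(); // open <value>/<array>/<struct>/<member> elements
    private $text   = '';      // character data of the element being read
    private $result = null;

    public function decode($xml)
    {
        $this->frames = array(); $this->text = ''; $this->result = null;
        $parser = xml_parser_create();
        // XML-RPC tag names are case-sensitive (i4, dateTime.iso8601): keep them as-is
        xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
        xml_set_element_handler($parser, array($this, 'startElement'), array($this, 'endElement'));
        xml_set_character_data_handler($parser, array($this, 'characterData'));
        $ok  = xml_parse($parser, $xml, true);
        $err = $ok ? null : xml_error_string(xml_get_error_code($parser));
        xml_parser_free($parser);
        if (!$ok) { throw new RuntimeException("XML parse error: $err"); }
        return $this->result;
    }

    public function startElement($parser, $name, $attrs)
    {
        switch ($name) {
            case 'value':  $this->frames[] = array('kind' => 'value', 'typed' => false, 'val' => null);
                           $this->text = ''; break;
            case 'array':  $this->frames[] = array('kind' => 'array', 'val' => array()); break;
            case 'struct': $this->frames[] = array('kind' => 'struct', 'val' => array()); break;
            case 'member': $this->frames[] = array('kind' => 'member', 'name' => null, 'val' => null); break;
            default:       $this->text = ''; // scalar type tags and <name>: start collecting text
        }
    }

    public function characterData($parser, $data) { $this->text .= $data; }

    public function endElement($parser, $name)
    {
        switch ($name) {
            case 'string':  $this->setValue($this->text); break;
            case 'int': case 'i4': $this->setValue((int)trim($this->text)); break;
            case 'boolean': $this->setValue(trim($this->text) === '1'); break;
            case 'double':  $this->setValue((float)trim($this->text)); break;
            case 'dateTime.iso8601': // raw date text; no base64_decode() belongs here
                $this->setValue(trim($this->text)); break;
            case 'base64':
                $bin = base64_decode(trim($this->text), true);
                if ($bin === false) { throw new RuntimeException('invalid base64 value'); }
                $this->setValue($bin); break;
            case 'name':
                $this->frames[count($this->frames) - 1]['name'] = $this->text; break;
            case 'array': case 'struct':
                $frame = array_pop($this->frames); $this->setValue($frame['val']); break;
            case 'member':
                $frame = array_pop($this->frames);
                $this->frames[count($this->frames) - 1]['val'][$frame['name']] = $frame['val']; break;
            case 'value':
                $frame = array_pop($this->frames);
                // untyped <value>text</value> is a string; it stays a string, never code
                $this->attach($frame['typed'] ? $frame['val'] : $this->text); break;
        }
    }

    // store a finished scalar or container in the innermost open <value>
    private function setValue($val)
    {
        $i = count($this->frames) - 1;
        if ($i < 0 || $this->frames[$i]['kind'] !== 'value') {
            throw new RuntimeException('type tag outside <value>');
        }
        $this->frames[$i]['val'] = $val; $this->frames[$i]['typed'] = true;
    }

    // hand a finished <value> to its parent: array item, struct member, or the result
    private function attach($val)
    {
        $i = count($this->frames) - 1;
        if ($i < 0) { $this->result = $val; return; }
        $kind = $this->frames[$i]['kind'];
        if ($kind === 'array')       { $this->frames[$i]['val'][] = $val; }
        elseif ($kind === 'member')  { $this->frames[$i]['val'] = $val; }
        else { throw new RuntimeException('<value> nested directly inside <value>'); }
    }
}

// Constructed sample: the string deliberately contains quotes and a semicolon
$sample = '<value><struct>'
    . '<member><name>note</name><value><string>say "hi"; exit()</string></value></member>'
    . '<member><name>when</name><value><dateTime.iso8601>20050814T21:59:03</dateTime.iso8601></value></member>'
    . '<member><name>ids</name><value><array><data><value><int>1</int></value><value>2</value></data></array></value></member>'
    . '</struct></value>';
$decoder = new SafeXmlRpcValueDecoder();
var_export($decoder->decode($sample));
```

Running it yields `array('note' => 'say "hi"; exit()', 'when' => '20050814T21:59:03', 'ids' => array(1, '2'))`: the punctuation in `note` is inert because no expression string is ever built, and the date is stored as plain text, which is also the point raised in comment 4 below.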
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-14 22:00:17 UTC
Created attachment 65988
pear_xml_rpc_without_eval.tgz

Patch by Stefan Esser.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-14 22:01:10 UTC
Created attachment 65989
xmlrpc_1_branch.zip

Patch by Stefan Esser.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-17 09:03:31 UTC
There is an error in the patch: 
 
+ 
+    case 'DATETIME.ISO8601': 
+        $XML_RPC_xh[$parser]['vt'] = $GLOBALS['XML_RPC_DateTime']; 
+       $XML_RPC_xh[$parser]['value'] = base64_decode($XML_RPC_xh[$parser]
['ac']); 
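Review bot: the DATETIME.ISO8601 case assigns base64_decode($XML_RPC_xh[$parser]['ac']) to the value, which is the decoding that belongs to a BASE64 branch; an ISO 8601 date is plain character data and should be stored as the accumulated ['ac'] buffer unchanged, otherwise every dateTime value in a decoded message is mangled. Drop the base64_decode() call and assign $XML_RPC_xh[$parser]['ac'] directly.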
 
the base64_decode() call should not be there.  
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-18 09:29:54 UTC
*** Bug 102324 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-08-18 09:44:57 UTC
Keeping this bug for PEAR XML-RPC only.

Fixed version is PEAR XML_RPC 1.4.0
http://pear.php.net/get/XML_RPC-1.4.0.tgz
Comment 7 Sebastian Bergmann (RETIRED) gentoo-dev 2005-08-18 10:17:31 UTC
dev-php/PEAR-XML_RPC-1.4.0 is already in the tree and marked stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-08-24 02:52:34 UTC
Thx everyone.
GLSA 200508-13