Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198446 (CVE-2007-5934) - dev-php/PEAR-MDB2 < 2.5.0_alpha1 - dangerous coding in blob url handling (CVE-2007-5934)
Summary: dev-php/PEAR-MDB2 < 2.5.0_alpha1 - dangerous coding in blob url handling (CVE...
Status: RESOLVED FIXED
Alias: CVE-2007-5934
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://pear.php.net/bugs/bug.php?id=1...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-08 11:36 UTC by Jakub Moc (RETIRED)
Modified: 2008-03-06 09:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jakub Moc (RETIRED) gentoo-dev 2007-11-08 11:36:17 UTC
From the upstream bug:

<snip>
Description:
------------

When inserting a blob and the value turns out to be a URL, MDB2 will replace the value with a handle to the URL and the driver will fetch the URL and put its contents into the blob field instead of the URL itself literally.

A programmer using MDB2 could easily make a textarea as an input to a blob field. but if he was unaware of the situation (and LOB handling is currently not very well documented), a visitor could input a URL and the application will fetch the URL instead of storing the literal URL itself. and the URL here could be something not normally accessible to the public (when the web server 
is on DMZ, it could have access to a resource behind the firewall).

or worse, it looks like it also accepts file:/ URLs. he could input something like file:///etc/passwd or file:///etc/my.cnf and the server will happily get it for him.
<snip>

This is fixed in 2.5.0_alpha1 (added an option to turn lob_allow_url_include off by default)
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-11-08 16:43:25 UTC
InCVS now; and since the current stable deps won't work w/ the new dev-php/PEAR-MDB2...

Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
dev-php/PEAR-MDB2-2.5.0_alpha1
dev-php/PEAR-MDB2_Driver_mssql-1.3.0_alpha1
dev-php/PEAR-MDB2_Driver_mysql-1.5.0_alpha1
dev-php/PEAR-MDB2_Driver_mysqli-1.5.0_alpha1
dev-php/PEAR-MDB2_Driver_pgsql-1.5.0_alpha1
dev-php/PEAR-MDB2_Driver_sqlite-1.5.0_alpha1

Target keywords: amd64 x86
dev-php/PEAR-MDB2_Driver_oci8-1.5.0_alpha1

Enjoy! ;)
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-08 17:01:44 UTC
Thanks, Jakub.
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2007-11-08 20:29:45 UTC
ppc64 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-11-09 17:20:37 UTC
alpha/ia64/sparc/x86 stable
Comment 5 Jeroen Roovers gentoo-dev 2007-11-10 16:14:36 UTC
Stable for HPPA.
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2007-11-14 19:06:06 UTC
amd64 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-18 18:01:34 UTC
ppc stable
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-19 22:06:17 UTC
It's information leak, but leaking the whole /etc/passwd is not nice, so voting yes.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-02 12:32:32 UTC
voting YES too, request filed.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-09 21:14:17 UTC
GLSA 200712-05
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:47:47 UTC
Does not affect current (2008.0) release. Removing release.