Bug 294258 - <dev-php/PEAR-Net_Ping-2.4.5 Argument Injection (CVE-2009-4024)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Reported: 2009-11-23 18:44 UTC by Alex Legler (RETIRED)
Modified: 2009-11-30 18:57 UTC
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-23 18:44:28 UTC
Remote Arbitrary Command Injection

When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5.

SVN commit:
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2009-11-24 14:24:28 UTC
2.4.5 in CVS
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-24 14:25:38 UTC
not stable → noglsa. Thanks.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-30 18:57:48 UTC
CVE-2009-4024 (
  Argument injection in the ping function in Ping.php in the Net_Ping
  package before 2.4.5 for PEAR allows remote attackers to execute
  arbitrary shell commands via the host parameter.
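
The mitigation named in the description (filter the input and shell-escape it), applied to a host value like the one in the CVE summary, as an added PHP example. It is not Net_Ping's code or its 2.4.5 fix; `safe_ping_command()`, the sample inputs, and the assumption that the system `ping` accepts `-c` and `--` are introduced here.

```php
<?php
// Added example, not Net_Ping's code. safe_ping_command() is a hypothetical
// helper; it assumes a ping binary that accepts -c and the getopt "--" marker.

/**
 * Build a ping command line for $host, or return null when $host is not
 * a literal IP address or a syntactically valid DNS hostname.
 */
function safe_ping_command(string $host, int $count = 3): ?string
{
    // 1. Allowlist: a literal IPv4/IPv6 address ...
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;

    // ... or a hostname made of labels (letters, digits, inner hyphens).
    // \A and \z anchor the whole string, so a trailing newline is rejected,
    // and a label can never start with "-" and be read as an option.
    $label  = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isName = strlen($host) <= 253
        && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1;

    if (!$isIp && !$isName) {
        return null;
    }

    // 2. Numeric options are cast and clamped, never copied from input.
    $count = max(1, min($count, 10));

    // 3. "--" ends option parsing; escapeshellarg() quotes the value
    //    so the shell passes it to ping as exactly one argument.
    return sprintf('ping -c %d -- %s', $count, escapeshellarg($host));
}

// Constructed sample inputs: two legitimate hosts and three hostile values.
$samples = ['192.0.2.10', 'www.example.org', '-v', 'example.org; id', "example.org\n"];
foreach ($samples as $host) {
    $cmd = safe_ping_command($host);
    printf("%-20s => %s\n", json_encode($host), $cmd ?? 'rejected');
}
```

Validation and escaping cover different failures: the allowlist stops values that `ping` itself would read as options, while `escapeshellarg()` stops the shell from interpreting metacharacters.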