Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 294258 - <dev-php/PEAR-Net_Ping-2.4.5 Argument Injection (CVE-2009-4024)
Summary: <dev-php/PEAR-Net_Ping-2.4.5 Argument Injection (CVE-2009-4024)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://pear.php.net/advisory20091114-...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-23 18:44 UTC by Alex Legler (RETIRED)
Modified: 2009-11-30 18:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-23 18:44:28 UTC
Description:
Remote Arbitrary Command Injection

Impact:
When input from forms are used directly, the attacker could pass variables that would allow him to execute 
remote arbitrary command injections.

Workaround:
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution:
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5.

SVN commit:
http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728&r2=290669
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2009-11-24 14:24:28 UTC
2.4.5 in CVS
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-24 14:25:38 UTC
not stable → noglsa. Thanks.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-30 18:57:48 UTC
CVE-2009-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4024):
  Argument injection in the ping function in Ping.php in the Net_Ping
  package before 2.4.5 for PEAR allows remote attackers to execute
  arbitrary shell commands via the host parameter.