Bug 294264 (CVE-2009-4025) - <dev-php/PEAR-Net_Traceroute-0.21.2 Argument Injection (CVE-2009-4025)
Summary: <dev-php/PEAR-Net_Traceroute-0.21.2 Argument Injection (CVE-2009-4025)
Status: RESOLVED FIXED
Alias: CVE-2009-4025
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://pear.php.net/advisory20091114-...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-23 18:56 UTC by Alex Legler (RETIRED)
Modified: 2009-11-30 18:57 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-23 18:56:34 UTC
+++ This bug was initially created as a clone of Bug #294258 +++

Description:
Remote Arbitrary Command Injection

Impact:
When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Workaround:
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution:
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2.

SVN commit:
http://svn.php.net/viewvc/pear/packages/Net_Traceroute/trunk/Traceroute.php?r1=232735&r2=290749
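An added example, not code from the Net_Traceroute package or from this bug report: how a wrapper around the traceroute binary can apply the advisory's workaround (validate and shell-escape the host parameter) so that neither shell metacharacters nor option-like values reach the command line. The function names and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example (not Net_Traceroute's own code). The pattern the advisory
// warns about is interpolating an untrusted $host directly into a shell
// command string such as "traceroute $host"; the functions below show the
// defensive alternative.

/**
 * Allow-list check: accept only an IP address or a syntactically valid
 * hostname. Because every label must start with a letter or digit, a value
 * beginning with "-" is rejected here, which is what closes the argument
 * injection case that escapeshellarg() alone does not address.
 */
function isValidTracerouteTarget(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    if (strlen($host) > 253) {
        return false;
    }
    // RFC 1123 label: 1-63 chars, alphanumerics and hyphens, no hyphen at
    // either end; labels separated by dots, optional trailing dot.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return (bool) preg_match('/^' . $label . '(?:\.' . $label . ')*\.?\z/', $host);
}

/**
 * Build the command line, or return null when the target is rejected.
 * escapeshellarg() quotes the value for the shell; the validator above
 * guarantees it is not option-shaped. Numeric options are clamped, never
 * interpolated as raw strings.
 */
function buildTracerouteCommand(string $host, int $maxTtl = 30): ?string
{
    if (!isValidTracerouteTarget($host)) {
        return null;
    }
    $maxTtl = max(1, min(255, $maxTtl));
    return 'traceroute -m ' . $maxTtl . ' ' . escapeshellarg($host);
}

// Constructed inputs: a normal host, one with a shell metacharacter, and
// one shaped like a command-line option. Only the first is accepted.
foreach (['example.org', 'example.org;', '-V'] as $input) {
    $cmd = buildTracerouteCommand($input);
    echo $input, ' => ', $cmd === null ? 'rejected' : $cmd, PHP_EOL;
}
```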
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2009-11-24 14:26:49 UTC
in CVS
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-24 14:28:24 UTC
Arches, please test and mark stable:
=dev-php/PEAR-Net_Traceroute-0.21.2
Target keywords : "amd64 x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-24 20:45:41 UTC
x86 stable
Comment 4 Markus Meier gentoo-dev 2009-11-25 22:44:02 UTC
amd64 stable, all arches done.
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-26 07:52:31 UTC
Rerating, GLSA filed.

PHP, please remove the vulnerable ebuild.
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2009-11-26 15:39:37 UTC
(In reply to comment #5)
> Rerating, GLSA filed.
> 
> PHP, please remove the vulnerable ebuild.
> 

done
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-26 19:17:36 UTC
GLSA 200911-06
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-30 18:57:55 UTC
CVE-2009-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4025):
  Argument injection vulnerability in the traceroute function in
  Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR
  allows remote attackers to execute arbitrary shell commands via the
  host parameter.  NOTE: some of these details are obtained from third
  party information.