PHP is using a vulnerable version of shtool.
Contact the vendor
Eric, as usual, please forward patch to upstream if not already done...
PHP herd, please apply patch from bug 93782 to the included shtool in PHP (and
maybe also mod_php and php-cgi) and bump...
Bug reported :
Hmm we should wait for a more complete patch. Stay tuned...
PHP upstream won't patch shtool, they're waiting on upstream.
PHP herd, what's your opinion on this? Should we patch ourselves using
attachment 60117 [details, diff]?
security: if a lot of packages are going to be affected by this (I suspect that
they will be, as shtool is widely used), how about putting a fix-it function in
an eclass, so that can be called globally.
I was under the impression that we're on hold because there was a doubt whether
the patch we have was the right fix? Please advise whether we have a patch that
we can apply or not.
Stuart: attachment 60117 [details, diff] *is* the new (and complete) patch. This is still a
patch of ours rather than the official upstream, but since upstream is
dead-silent we probably better patch it ourselves.
Robin: so far we identified the following packages:
dev-ml/ocaml-mysql (bug 93784)
net-nds/openldap (bug 94057)
and of course dev-util/shtool (bug 93782)
shtool has been patched. The others still have to be patched. I fear the eclass
solution might require difficult coordination between maintainers, but if you
think there are a lot more to unearth maybe it's the best solution...
Thanks for clearing that up. I'll patch PHP4 and PHP5 on Thursday night.
This Thursday? :)
<taviso> Koon: afaict, php only uses mkdir and echo commands, neither makes a
<taviso> and install
I updated the PHP bug to tell them they are unaffected for the time being,
vulnerability lies in dead code.
Stuart: Sorry for the unnecessary (and repeated) pings...