Hello, PHP is using a vulnerable version of shtool. Contact the vendor. Regards. Reproducible: Always Steps to Reproduce: 1. 2. 3.
Eric, as usual, please forward patch to upstream if not already done... PHP herd, please apply patch from bug 93782 to the included shtool in PHP (and maybe also mod_php and php-cgi) and bump...
Hello, Bug reported: http://bugs.php.net/bug.php?id=33150 Regards.
Hmm we should wait for a more complete patch. Stay tuned...
PHP upstream won't patch shtool, they're waiting on upstream. PHP herd, what's your opinion on this? Should we patch ourselves using attachment 60117 [details, diff]?
security: if a lot of packages are going to be affected by this (I suspect that they will be, as shtool is widely used), how about putting a fix-it function in an eclass, so that it can be called globally.
I was under the impression that we're on hold because there was a doubt whether the patch we have was the right fix? Please advise whether we have a patch that we can apply or not. Best regards, Stu
Stuart: attachment 60117 [details, diff] *is* the new (and complete) patch. This is still a patch of ours rather than the official upstream, but since upstream is dead-silent we probably better patch it ourselves. Robin: so far we identified the following packages: dev-ml/ocaml-mysql (bug 93784), net-nds/openldap (bug 94057) and of course dev-util/shtool (bug 93782). shtool has been patched. The others still have to be patched. I fear the eclass solution might require difficult coordination between maintainers, but if you think there are a lot more to unearth maybe it's the best solution...
Thanks for clearing that up. I'll patch PHP4 and PHP5 on Thursday night.
This Thursday? :)
<taviso> Koon: afaict, php only uses mkdir and echo commands, neither makes a tmpfile
<taviso> and install
I updated the PHP bug to tell them they are unaffected for the time being, vulnerability lies in dead code. Stuart: Sorry for the unnecessary (and repeated) pings...