"The vulnerability allows reading any file stored on the server if it is readable by the web server." Other than that, only bug fixes. See URL for more details. Reproducible: Always
Thank you for the report, Laurent. Making this bug public since the issue at $URL is public.
*** Bug 444922 has been marked as a duplicate of this bug. ***
Ebuild in the tree
(In reply to comment #3)
> Ebuild in the tree
Thanks. Arches, please test and mark stable:
=dev-php/symfony-1.4.20
Target KEYWORDS: "amd64 x86"
amd64 stable
x86 stable
old removed, please vote.
GLSA vote: no.
Vote: yes.
GLSA Vote: yes. No GLSA request filed.
CVE-2012-5574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5574): lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote attackers to read arbitrary files via a crafted upload request.
The package is being removed, so this bug should be closed I guess?
(In reply to Laurent Bachelier from comment #12)
> The package is being removed, so this bug should be closed I guess?
It will be closed when the package is gone from the tree
(In reply to Sergey Popov from comment #13)
> (In reply to Laurent Bachelier from comment #12)
> > The package is being removed, so this bug should be closed I guess?
>
> It will be closed when the package is gone from the tree
done
Re-open, glsa still pending.
This issue was resolved and addressed in GLSA 201405-25 at http://security.gentoo.org/glsa/glsa-201405-25.xml by GLSA coordinator Sean Amoss (ackle).