oss-sec mailing list archives
Re: CVE request: Argument injections in multiple PEAR packages
From: Josh Bressers <bressers () redhat com>
Date: Tue, 24 Nov 2009 15:05:59 -0500 (EST)
> Here are a couple of issues in PEAR packages that do not yet have a CVE afaik:
>
> 1. PEAR-Mail Mail::Send() Argument Injection when using Sendmail
Use CVE-2009-4023 for this.
> Secunia writes: "The sendmail implementation of the "Mail::Send()" method does not properly sanitise the "from" parameter before invoking sendmail, which can be exploited to pass arbitrary arguments to the sendmail command."
>
> Contrary to Secunia, this does not seem to be completely fixed yet (see Raphael Geissert's comment in the upstream bug).
>
> http://secunia.com/advisories/37410/
> Upstream bug: http://pear.php.net/bugs/bug.php?id=16200
> First commit: http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717&r2=280134
> Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294256
>
> 2. PEAR-Net_Ping < 2.4.5 ping() Argument Injection via $host
Use CVE-2009-4024
> Upstream writes: "When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections."
>
> Upstream advisory: http://pear.php.net/advisory20091114-01.txt
> Commit: http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728&r2=290669
> Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294258
>
> 3. PEAR-Net_Traceroute < 0.21.2 traceroute() Argument Injection via $host
Use CVE-2009-4025
> See above, same advisory.
>
> Commit: http://svn.php.net/viewvc/pear/packages/Net_Traceroute/trunk/Traceroute.php?r1=232735&r2=290749
> Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294264
Thanks -- JB
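The three reports above share one root cause: a caller-supplied string (the sender address for Mail::Send(), the host for ping()/traceroute()) is placed on a command line without being validated, so a value shaped like an option is parsed as one. The following is an added illustration, not code from PEAR Mail or any of the affected packages, showing the unsafe interpolation pattern next to a defensive variant; the helper names and the sendmail path are assumptions.

```php
<?php
// Added example, not PEAR Mail's code. Shows why an unvalidated "from"
// value is dangerous on the sendmail command line, and one way to guard it.

function build_sendmail_cmd_unsafe(string $sendmail, string $from, array $recipients): string
{
    // Vulnerable pattern: $from is interpolated verbatim. A value starting
    // with "-" is read by sendmail as an option, and shell metacharacters
    // are interpreted by the shell, rather than either being an address.
    return "$sendmail -f $from -- " . implode(' ', $recipients);
}

function is_safe_address(string $addr): bool
{
    // Reject empty values, anything beginning with "-" (would be parsed as
    // an option), and anything that is not a syntactically valid address.
    return $addr !== ''
        && $addr[0] !== '-'
        && filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

function build_sendmail_cmd_safe(string $sendmail, string $from, array $recipients): string
{
    if (!is_safe_address($from)) {
        throw new InvalidArgumentException('refusing to pass invalid sender to sendmail');
    }
    $args = [];
    foreach ($recipients as $rcpt) {
        if (!is_safe_address($rcpt)) {
            throw new InvalidArgumentException('refusing to pass invalid recipient to sendmail');
        }
        $args[] = escapeshellarg($rcpt);
    }
    // escapeshellarg() neutralises shell metacharacters; "--" tells sendmail
    // that no further options follow, so recipients can never become flags.
    return escapeshellarg($sendmail) . ' -f ' . escapeshellarg($from)
        . ' -- ' . implode(' ', $args);
}

// Constructed sample values (assumed sendmail path).
echo build_sendmail_cmd_safe('/usr/sbin/sendmail', 'alice@example.org', ['bob@example.net']), "\n";

// A sender that fails validation is rejected before any command is built.
try {
    build_sendmail_cmd_safe('/usr/sbin/sendmail', '-not-an-address', ['bob@example.net']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The same validate-then-escape approach applies to the $host parameter of ping() and traceroute(): accept only a syntactically valid hostname or IP literal, and pass it through escapeshellarg() after a "--" terminator where the underlying tool supports one.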