oss-sec mailing list archives
CVE-2008-4796: snoopy triage
From: Steffen Joeris <steffen.joeris () skolelinux de>
Date: Sat, 1 Nov 2008 23:01:15 +1100
Hi

I thought I'd share the outcome of my snoopy triage for Debian. I had a look at upstream's patch[0] and compared it with packages in Debian. We had 6 packages including the file Snoopy.class.php, all were vulnerable.

List of packages:
ampache: /usr/share/ampache/www/modules/infotools/Snoopy.class.php
libphp-snoopy: /usr/share/php/libphp-snoopy/Snoopy.class.php
mahara: /usr/share/mahara/lib/snoopy/Snoopy.class.php
mediamate: /usr/share/mediamate/Snoopy.class.php
opendb: /usr/share/opendb/functions/Snoopy.class.php
pixelpost: /usr/share/pixelpost/addons/_defensio/libraries/Snoopy.class.php

I haven't checked how they depend on the Snoopy.class.php file yet. Of course there might be more out there and included in other distributions, so don't assume that this is all.

The packages in Debian duplicating the source should just depend on the libphp-snoopy package, which in Debian is the snoopy upstream package.

Steve, do you want to update the CVE description to reflect that the file is included in several other packages?

Cheers
Steffen

[0]: http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Attachment:
signature.asc
Description: This is a digitally signed message part.
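
The kind of inventory described in the message above, as an added example that is not part of the original post: it walks a directory tree for files named Snoopy.class.php and classifies each one against a reference copy. The function names, the status labels and the assumption that the reference copy is the already-patched libphp-snoopy file are hypothetical; the sample tree reuses paths from the mail with constructed dummy contents.

```python
import hashlib
import os
import tempfile

TARGET = "Snoopy.class.php"  # file name taken from the triage mail

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_copies(root, reference):
    """Classify every TARGET under root against a reference copy (assumed patched)."""
    ref_real = os.path.realpath(reference)
    ref_hash = sha256_of(ref_real)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if TARGET not in files:
            continue
        path = os.path.join(dirpath, TARGET)
        if os.path.realpath(path) == ref_real:
            # The reference itself, or a symlink to it: no duplicated source.
            status = "uses-reference" if os.path.islink(path) else "reference"
        elif not os.path.isfile(path):
            status = "broken-link"
        elif sha256_of(path) == ref_hash:
            status = "identical-copy"   # embedded duplicate, same content
        else:
            status = "differs"          # embedded duplicate, review against the patch
        report[path] = status
    return report

def demo():
    """Constructed tree reusing four paths listed in the mail; contents are dummies."""
    bodies = {
        "usr/share/php/libphp-snoopy": b"<?php /* constructed: reference */",
        "usr/share/mediamate": b"<?php /* constructed: reference */",
        "usr/share/opendb/functions": b"<?php /* constructed: older copy */",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in bodies.items():
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, TARGET), "wb") as fh:
                fh.write(body)
        ref = os.path.join(root, "usr/share/php/libphp-snoopy", TARGET)
        link_dir = os.path.join(root, "usr/share/ampache/www/modules/infotools")
        os.makedirs(link_dir)
        os.symlink(ref, os.path.join(link_dir, TARGET))
        found = find_copies(root, ref)
        return {os.path.relpath(p, root): s for p, s in found.items()}
```

A "differs" result only means the bytes are not those of the reference; whether that copy carries the fix still has to be checked by hand against the patch.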