oss-sec mailing list archives
CVE request: Argument injections in multiple PEAR packages
From: Alex Legler <a3li () gentoo org>
Date: Mon, 23 Nov 2009 19:59:41 +0100
Hi, here are a couple of issues in PEAR packages that do not yet have a CVE afaik: 1. PEAR-Mail Mail::Send() Argument Injection when using Sendmail Secunia writes: "The sendmail implementation of the "Mail::Send()" method does not properly sanitise the "from" parameter before invoking sendmail, which can be exploited to pass arbitrary arguments to the sendmail command." Contrary to Secunia, this does not seem to be completely fixed yet (see Raphael Geissert's comment in the upstream bug) http://secunia.com/advisories/37410/ Upstream bug: http://pear.php.net/bugs/bug.php?id=16200 First commit: http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717&r2=280134 Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294256 2. PEAR-Net_Ping < 2.4.5 ping() Argument Injection via $host Upstream writes: "When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections." Upstream advisory: http://pear.php.net/advisory20091114-01.txt Commit: http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728&r2=290669 Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294258 3. PEAR-Net_Traceroute < 0.21.2 traceroute() Argument Injection via $host See above, same advisory. Commit: http://svn.php.net/viewvc/pear/packages/Net_Traceroute/trunk/Traceroute.php?r1=232735&r2=290749 Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294264 Thanks, Alex
Attachment:
signature.asc
Description:
Current thread:
- CVE request: Argument injections in multiple PEAR packages Alex Legler (Nov 23)
- Re: CVE request: Argument injections in multiple PEAR packages Josh Bressers (Nov 24)
- Re: CVE request: Argument injections in multiple PEAR packages Steven M. Christey (Nov 28)
- Re: CVE request: Argument injections in multiple PEAR packages Raphael Geissert (Dec 11)
- Re: CVE request: Argument injections in multiple PEAR packages Josh Bressers (Nov 24)