oss-sec mailing list archives

CVE request: Mail PEAR module code injection vulnerability


From: Raphael Geissert <geissert () debian org>
Date: Mon, 23 Nov 2009 12:04:18 -0600

Hi,

A code injection vulnerability has been found in the sendmail
(Mail/sendmail.php) method of the Mail PEAR module.
The bug was originally reported at [1] and fixed upstream in 1.2.0b2.
Proper sanitation is also missing for $recipients, but it wasn't addressed
by the fix applied by upstream.

References:
[1] http://pear.php.net/bugs/bug.php?id=16200
http://bugs.debian.org/557121
http://secunia.com/advisories/37410/
http://www.debian.org/security/2009/dsa-1938

Could a CVE be assigned? Thanks in advance.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
