Re: CVE request: Argument injections in multiple PEAR packages

[Josh Bressers <bressers () redhat com>]

> here are a couple of issues in PEAR packages that do not yet have a CVE
> afaik:
>
> 1. PEAR-Mail Mail::Send() Argument Injection when using Sendmail

Use CVE-2009-4023 for this.

> Secunia writes:
> "The sendmail implementation of the "Mail::Send()" method does not
> properly sanitise the "from" parameter before invoking sendmail,
> which can be exploited to pass arbitrary arguments to the sendmail
> command."
>
> Contrary to Secunia, this does not seem to be completely fixed yet
> (see
> Raphael Geissert's comment in the upstream bug)
>
> http://secunia.com/advisories/37410/
> Upstream bug:
> http://pear.php.net/bugs/bug.php?id=16200
> First commit:
> http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717&r2=280134
> Gentoo bug:
> https://bugs.gentoo.org/show_bug.cgi?id=294256
>
> 2. PEAR-Net_Ping < 2.4.5 ping() Argument Injection via $host

Use CVE-2009-4024

> Upstream writes:
> "When input from forms are used directly, the attacker could pass
> variables that would allow him to execute remote arbitrary command
> injections."
>
> Upstream advisory:
> http://pear.php.net/advisory20091114-01.txt
> Commit:
> http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728&r2=290669
> Gentoo bug:
> https://bugs.gentoo.org/show_bug.cgi?id=294258
>
> 3. PEAR-Net_Traceroute < 0.21.2 traceroute() Argument Injection via
> $host

Use CVE-2009-4025

> See above, same advisory.
>
> Commit:
> http://svn.php.net/viewvc/pear/packages/Net_Traceroute/trunk/Traceroute.php?r1=232735&r2=290749
> Gentoo bug:
> https://bugs.gentoo.org/show_bug.cgi?id=294264

Thanks

-- 
    JB