oss-sec mailing list archives

Re: CVE Request - PHP PECL Radius (php-pecl-radius) v1.2.7 fixing a security flaw in radius_get_vendor_attr()


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 28 Jun 2013 12:08:15 -0600


On 06/28/2013 06:59 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> PHP PECL upstream has released 1.2.7 version of the Radius client
> library, correcting one security flaw (from [1]):
>
> "- Fix a security issue in radius_get_vendor_attr() by enforcing
> checks of the VSA length field against the buffer size. (Adam)"
>
> References:
> [1] http://pecl.php.net/package-changelog.php?package=radius
> [2] http://pecl.php.net/news/
>
> Relevant upstream patch:
> [3] https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234
>
> Can you allocate a CVE identifier for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team


Please use CVE-2013-2220 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
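The check the changelog describes, as an added example written for this page and not code from php-radius or from the linked commit: a bounds-checked parser for one RADIUS Vendor-Specific attribute (RFC 2865 section 5.26, attribute type 26). Both the attribute length octet and the vendor length octet are set by the peer, so each is validated against the bytes actually present before it is used to locate or size anything. The function names, the status enum and the three sample attributes are constructed here; Vendor-Id 9 and the payload bytes are arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Vendor-Specific attribute layout (RFC 2865 section 5.26):
 *   octet 0    : Type (26)
 *   octet 1    : Length of the whole attribute, including these two octets
 *   octets 2-5 : Vendor-Id
 *   octet 6    : Vendor type
 *   octet 7    : Vendor length, covering octets 6.. (so it is at least 2)
 *   octets 8.. : vendor data, Vendor length - 2 octets
 */
#define RAD_ATTR_VENDOR_SPECIFIC 26
#define RAD_VSA_MIN_ATTR_LEN     8   /* header (6) + vendor type + vendor length */
#define RAD_VSA_HEADER_LEN       6   /* octets before the vendor sub-attribute */

enum vsa_status {
    VSA_OK = 0,
    VSA_TRUNCATED,       /* the buffer holds fewer octets than the attribute claims */
    VSA_NOT_VSA,         /* attribute type is not 26 */
    VSA_BAD_ATTR_LEN,    /* attribute length below the minimum for a VSA */
    VSA_BAD_VENDOR_LEN   /* vendor length < 2 or larger than the enclosing attribute */
};

struct rad_vsa {
    uint32_t       vendor_id;
    uint8_t        vendor_type;
    const uint8_t *data;      /* points into the caller's buffer, not copied */
    size_t         data_len;
};

/* Parse the attribute starting at buf; buflen is the number of octets available. */
enum vsa_status parse_vendor_attr(const uint8_t *buf, size_t buflen, struct rad_vsa *out)
{
    size_t attr_len, vendor_len;

    /* The two-octet attribute header must be present before any field is read. */
    if (buflen < 2)
        return VSA_TRUNCATED;
    if (buf[0] != RAD_ATTR_VENDOR_SPECIFIC)
        return VSA_NOT_VSA;

    attr_len = buf[1];
    if (attr_len < RAD_VSA_MIN_ATTR_LEN)
        return VSA_BAD_ATTR_LEN;
    /* Outer check: the attribute must fit inside the octets we were given. */
    if (attr_len > buflen)
        return VSA_TRUNCATED;

    /* Inner check: the vendor sub-attribute must fit inside the attribute.
     * vendor_len is attacker-controlled; using it as a copy or index length
     * without this comparison reads past the end of the attribute. */
    vendor_len = buf[7];
    if (vendor_len < 2 || vendor_len > attr_len - RAD_VSA_HEADER_LEN)
        return VSA_BAD_VENDOR_LEN;

    out->vendor_id   = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16) |
                       ((uint32_t)buf[4] << 8)  |  (uint32_t)buf[5];
    out->vendor_type = buf[6];
    out->data        = buf + 8;
    out->data_len    = vendor_len - 2;
    return VSA_OK;
}

/* Constructed sample attributes, not captured traffic. */
static const uint8_t vsa_good[]              = {26, 12, 0, 0, 0, 9, 1,   6, 'a', 'b', 'c', 'd'};
/* vendor length 200 claims far more than the 12-octet attribute holds */
static const uint8_t vsa_vendor_len_overrun[] = {26, 12, 0, 0, 0, 9, 1, 200, 'a', 'b', 'c', 'd'};
/* attribute length 40 claims more than the 12 octets actually present */
static const uint8_t vsa_attr_len_overrun[]   = {26, 40, 0, 0, 0, 9, 1,   6, 'a', 'b', 'c', 'd'};

/* Helpers returning plain values so the outcome of each sample can be checked. */
enum vsa_status sample_status(const uint8_t *buf, size_t buflen)
{
    struct rad_vsa vsa;
    return parse_vendor_attr(buf, buflen, &vsa);
}

size_t sample_data_len(const uint8_t *buf, size_t buflen)
{
    struct rad_vsa vsa;
    return parse_vendor_attr(buf, buflen, &vsa) == VSA_OK ? vsa.data_len : 0;
}

uint32_t sample_vendor_id(const uint8_t *buf, size_t buflen)
{
    struct rad_vsa vsa;
    return parse_vendor_attr(buf, buflen, &vsa) == VSA_OK ? vsa.vendor_id : 0;
}

int main(void)
{
    static const char *names[] = {"ok", "truncated", "not a VSA", "bad attr len", "bad vendor len"};
    printf("good:               %s\n", names[sample_status(vsa_good, sizeof vsa_good)]);
    printf("vendor len overrun: %s\n", names[sample_status(vsa_vendor_len_overrun, sizeof vsa_vendor_len_overrun)]);
    printf("attr len overrun:   %s\n", names[sample_status(vsa_attr_len_overrun, sizeof vsa_attr_len_overrun)]);
    printf("good, short buffer: %s\n", names[sample_status(vsa_good, 8)]);
    return 0;
}
```

The two comparisons are independent: a packet can carry a correct attribute length and still lie in the vendor length, so checking the outer length alone does not make the inner field safe to trust.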
