oss-sec mailing list archives

CVE request - Snoopy incomplete fix for CVE-2008-4796


From: Garth Mollett <gmollett () redhat com>
Date: Wed, 09 Jul 2014 18:36:52 +1000

Please see: http://seclists.org/fulldisclosure/2014/Jul/16

Note, the new fix [1] referenced in the above FD posts does not look to
be a complete fix either and may still allow command injection.

Snoopy upstream has been notified and a more complete fix that removes
curl and instead uses native PHP code should be available shortly [2].

Thanks.

[1].
https://raw.githubusercontent.com/cogdog/feed2js/master/magpie/extlib/Snoopy.class.inc
[2].
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log

-- 
Garth Mollett / Red Hat Product Security

