Your message dated Tue, 8 Feb 2005 07:58:40 +1000 (EST)
with message-id <[EMAIL PROTECTED]>
and subject line Fixed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Feb 2005 18:03:17 +0000
>From [EMAIL PROTECTED] Mon Feb 07 10:03:16 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CyDEC-0007H0-00; Mon, 07 Feb 2005 10:03:16 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id 7732E17FEF
for <[EMAIL PROTECTED]>; Mon, 7 Feb 2005 18:03:15 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id 5D0BE6E414; Mon, 7 Feb 2005 13:05:36 -0500 (EST)
Date: Mon, 7 Feb 2005 13:05:36 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: curl allows curcumvention of open_basedir (CAN-2004-1392)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="VrqPEDrXMn8OVzN4"
Content-Disposition: inline
X-Reportbug-Version: 3.7.1
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--VrqPEDrXMn8OVzN4
Content-Type: multipart/mixed; boundary="AqsLC8rIMeq19msA"
Content-Disposition: inline
--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: php4
Version: 4:4.3.10-2
Severity: serious
Tags: security patch
According to CAN-2004-1392:
PHP 4.0 with cURL functions allows remote attackers to bypass the
open_basedir setting and read arbitrary files via a file: URL argument
to the curl_init function.
Details here:
http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D109898213806099&w=3D2
The attached patch was extracted from ubuntu's php4 4.3.8-3ubuntu7.3.
Our newer version of php4 also seems to be vulnerable, based on code
inspection.
--=20
see shy jo
--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="php4-curl-openbasedir.patch"
Content-Transfer-Encoding: quoted-printable
--- php4-4.3.8.orig/debian/patches/curl_check_open_basedir.patch
+++ php4-4.3.8/debian/patches/curl_check_open_basedir.patch
@@ -0,0 +1,18 @@
+diff -ru php4-4.3.10.old/ext/curl/curl.c php4-4.3.10/ext/curl/curl.c
+--- php4-4.3.10.old/ext/curl/curl.c 2005-01-20 14:20:15.000000000 +0000
++++ php4-4.3.10/ext/curl/curl.c 2005-01-20 15:34:06.000000000 +0000
+@@ -682,6 +682,14 @@
+ WRONG_PARAM_COUNT;
+ }
+=20
++ /* check open_basedir restriction */
++ {
++ char *u =3D Z_STRVAL_PP(url);
++
++ if(!u || (!strncmp(u, "file://",7) &&
php_check_open_basedir((u+7) TSRM=
LS_CC)))=20
++ RETURN_FALSE;
++ }
++
+ alloc_curl_handle(&ch);
+=20
+ ch->cp =3D curl_easy_init();
--AqsLC8rIMeq19msA--
--VrqPEDrXMn8OVzN4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCB63vd8HHehbQuO8RApr9AJkBxWWdpZGfb0SdvfGbI3kC0ZyB6gCbB1iR
gsSrJfALH+BRy3T8S0VbtxY=
=2eba
-----END PGP SIGNATURE-----
--VrqPEDrXMn8OVzN4--
---------------------------------------
Received: (at 294065-done) by bugs.debian.org; 7 Feb 2005 21:59:11 +0000
>From [EMAIL PROTECTED] Mon Feb 07 13:59:11 2005
Return-path: <[EMAIL PROTECTED]>
Received: from loki.0c3.net [69.0.240.48]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CyGuV-00012y-00; Mon, 07 Feb 2005 13:59:11 -0800
Received: from localhost
([127.0.0.1] helo=mail.0c3.net ident=www-data)
by loki.0c3.net with esmtp (Exim 4.34)
id 1CyGu0-0001c4-Fl
for [EMAIL PROTECTED]; Mon, 07 Feb 2005 14:58:40 -0700
Received: from 210.11.154.230
(SquirrelMail authenticated user adconrad)
by mail.0c3.net with HTTP;
Tue, 8 Feb 2005 07:58:40 +1000 (EST)
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 8 Feb 2005 07:58:40 +1000 (EST)
Subject: Fixed
From: "Adam Conrad" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.5.1 [CVS]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on loki.0c3.net); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-0.8 required=4.0 tests=BAYES_00,ONEWORD,
PRIORITY_NO_NAME autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
This was fixed an hour or so before it was reported. How's that for
response times?
... Adam
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
