Your message dated Tue, 8 Feb 2005 07:58:40 +1000 (EST) with message-id <[EMAIL PROTECTED]> and subject line Fixed has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 7 Feb 2005 18:03:17 +0000 >From [EMAIL PROTECTED] Mon Feb 07 10:03:16 2005 Return-path: <[EMAIL PROTECTED]> Received: from kitenet.net [64.62.161.42] (postfix) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1CyDEC-0007H0-00; Mon, 07 Feb 2005 10:03:16 -0800 Received: from dragon.kitenet.net (unknown [66.168.94.144]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK)) by kitenet.net (Postfix) with ESMTP id 7732E17FEF for <[EMAIL PROTECTED]>; Mon, 7 Feb 2005 18:03:15 +0000 (GMT) Received: by dragon.kitenet.net (Postfix, from userid 1000) id 5D0BE6E414; Mon, 7 Feb 2005 13:05:36 -0500 (EST) Date: Mon, 7 Feb 2005 13:05:36 -0500 From: Joey Hess <[EMAIL PROTECTED]> To: Debian Bug Tracking System <[EMAIL PROTECTED]> Subject: curl allows curcumvention of open_basedir (CAN-2004-1392) Message-ID: <[EMAIL PROTECTED]> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="VrqPEDrXMn8OVzN4" Content-Disposition: inline X-Reportbug-Version: 3.7.1 User-Agent: Mutt/1.5.6+20040907i Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: --VrqPEDrXMn8OVzN4 Content-Type: multipart/mixed; boundary="AqsLC8rIMeq19msA" Content-Disposition: inline --AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Package: php4 Version: 4:4.3.10-2 Severity: serious Tags: security patch According to CAN-2004-1392: PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function. Details here: http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D109898213806099&w=3D2 The attached patch was extracted from ubuntu's php4 4.3.8-3ubuntu7.3. Our newer version of php4 also seems to be vulnerable, based on code inspection. --=20 see shy jo --AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="php4-curl-openbasedir.patch" Content-Transfer-Encoding: quoted-printable --- php4-4.3.8.orig/debian/patches/curl_check_open_basedir.patch +++ php4-4.3.8/debian/patches/curl_check_open_basedir.patch @@ -0,0 +1,18 @@ +diff -ru php4-4.3.10.old/ext/curl/curl.c php4-4.3.10/ext/curl/curl.c +--- php4-4.3.10.old/ext/curl/curl.c 2005-01-20 14:20:15.000000000 +0000 ++++ php4-4.3.10/ext/curl/curl.c 2005-01-20 15:34:06.000000000 +0000 +@@ -682,6 +682,14 @@ + WRONG_PARAM_COUNT; + } +=20 ++ /* check open_basedir restriction */ ++ { ++ char *u =3D Z_STRVAL_PP(url); ++ ++ if(!u || (!strncmp(u, "file://",7) && php_check_open_basedir((u+7) TSRM= LS_CC)))=20 ++ RETURN_FALSE; ++ } ++ + alloc_curl_handle(&ch); +=20 + ch->cp =3D curl_easy_init(); --AqsLC8rIMeq19msA-- --VrqPEDrXMn8OVzN4 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFCB63vd8HHehbQuO8RApr9AJkBxWWdpZGfb0SdvfGbI3kC0ZyB6gCbB1iR gsSrJfALH+BRy3T8S0VbtxY= =2eba -----END PGP SIGNATURE----- --VrqPEDrXMn8OVzN4-- --------------------------------------- Received: (at 294065-done) by bugs.debian.org; 7 Feb 2005 21:59:11 +0000 >From [EMAIL PROTECTED] Mon Feb 07 13:59:11 2005 Return-path: <[EMAIL PROTECTED]> Received: from loki.0c3.net [69.0.240.48] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1CyGuV-00012y-00; Mon, 07 Feb 2005 13:59:11 -0800 Received: from localhost ([127.0.0.1] helo=mail.0c3.net ident=www-data) by loki.0c3.net with esmtp (Exim 4.34) id 1CyGu0-0001c4-Fl for [EMAIL PROTECTED]; Mon, 07 Feb 2005 14:58:40 -0700 Received: from 210.11.154.230 (SquirrelMail authenticated user adconrad) by mail.0c3.net with HTTP; Tue, 8 Feb 2005 07:58:40 +1000 (EST) Message-ID: <[EMAIL PROTECTED]> Date: Tue, 8 Feb 2005 07:58:40 +1000 (EST) Subject: Fixed From: "Adam Conrad" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] User-Agent: SquirrelMail/1.5.1 [CVS] MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: [EMAIL PROTECTED] X-SA-Exim-Scanned: No (on loki.0c3.net); SAEximRunCond expanded to false Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-0.8 required=4.0 tests=BAYES_00,ONEWORD, PRIORITY_NO_NAME autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: This was fixed an hour or so before it was reported. How's that for response times? ... Adam -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]