[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Changed in: debian Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/292923 Title: CVE-2008-4796: missing input sanitising To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libphp-snoopy/+bug/292923/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/libphp-snoopy/hardy- security ** Branch linked: lp:~ubuntu-branches/ubuntu/intrepid/libphp-snoopy /intrepid-security -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
This bug was fixed in the package libphp-snoopy - 1.2.3-1ubuntu0.1 --- libphp-snoopy (1.2.3-1ubuntu0.1) hardy-security; urgency=low * SECURITY UPDATE: execute arbitrary commands via shell metacharacters in https URLs (LP: #292923) - changed Snoopy.class.php with patch from version 1.2.4 in ubuntu jaunty - CVE-2008-4796 -- Vincenzo AmpoloFri, 06 Mar 2009 20:58:09 +0100 ** Changed in: libphp-snoopy (Ubuntu Hardy) Status: Fix Committed => Fix Released -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Thanks for the hardy debdiff! I updated your changelog to include the "-security" pocket, and it is building now. It should be published shortly in the archive. ** Changed in: libphp-snoopy (Ubuntu Hardy) Assignee: (unassigned) => Kees Cook (kees) Status: In Progress => Fix Committed -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Here is the debdiff for hardy. I did the same work for hardy too and i tried to build it, once built, i installed it in a pbuilder environment and then i checked that the patch got applied. ** Attachment added: "libphp-snoopy_1.2.3-1ubuntu0.1-hardy.debdiff" http://launchpadlibrarian.net/23560550/libphp-snoopy_1.2.3-1ubuntu0.1-hardy.debdiff ** Changed in: libphp-snoopy (Ubuntu Hardy) Status: Confirmed => In Progress -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
This bug was fixed in the package libphp-snoopy - 1.2.3-2ubuntu0.1 --- libphp-snoopy (1.2.3-2ubuntu0.1) intrepid-security; urgency=low * SECURITY UPDATE: execute arbitrary commands via shell metacharacters in https URLs (LP: #292923) - changed Snoopy.class.php with patch from version 1.2.4 in ubuntu jaunty - CVE-2008-4796 -- Vincenzo AmpoloSat, 28 Feb 2009 16:48:59 +0100 ** Changed in: libphp-snoopy (Ubuntu Intrepid) Status: Fix Committed => Fix Released -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Thanks for the debdiff Vincenzo, the intrepid package is building now and will be released soon. ** Changed in: libphp-snoopy (Ubuntu Intrepid) Status: In Progress => Fix Committed -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
I setup a intrepid pbuilder environment, i make it compile the package and install it, then with an editor i verified that the patch got applied this time... The packages compiles and installs for me in a clean environment. -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
(Vicenzo: You should still test that it builds correctly -if possible in a chroot, see http://bloc.eurion.net/archives/2009/test-build-debian- packages/- and installs correctly and the fix is really there; this should always be done. I was only answering to the fragment you quoted, as in that I'll not ask you to write a test program to see that it works or something like that, sorry if that was unclear.) -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Attached is a new debdiff, it should be ok this time As you can see the patch gets applied now: make[1]: Leaving directory `/home/goshawk/Documents/Projects/MOTU/libphp-snoopy/libphp-snoopy-1.2.3' if [ "debian/stamp-patched" = "reverse-patches" ]; then rm -f debian/stamp-patched; fi patches: debian/patches/CVE-2008-4796.patch Trying patch debian/patches/CVE-2008-4796.patch at level 1 ... success. Currently i've not performed any test cuz it's a patch that comes directly from upstream, and this patch is also included in the version 1.2.4 which differs from 1.2.3 for this patch only. And as said in comment 8, RainCT, the MOTU which is mentoring me said that: "I guess you can skip that, considering that the fix comes from upstream, that the new version has been in Jaunty for a while and that it's just an one-liner." Btw, if you want still to perform a test, let me know which kind and i'll do. ** Attachment added: "libphp-snoopy_1.2.3-2ubuntu0.1.debdiff" http://launchpadlibrarian.net/23396855/libphp-snoopy_1.2.3-2ubuntu0.1.debdiff ** Changed in: libphp-snoopy (Ubuntu Intrepid) Status: Incomplete => In Progress -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Thanks for the updated debdiff Vincenzo. Here are my comments: - The patch doesn't actually get applied when the package is build. You need to modify the debian/rules file. See: https://wiki.ubuntu.com/PackagingGuide/PatchSystems - The patch isn't tagged. Please tag it according to: https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines Once you have submitted debdiffs, please mark the bug as 'In Progress' and comment on the testing performed. ** Changed in: libphp-snoopy (Ubuntu Intrepid) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) Status: In Progress => Incomplete -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Changed in: libphp-snoopy (Ubuntu Intrepid) Status: Triaged => In Progress -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Changed in: libphp-snoopy (Ubuntu Intrepid) Assignee: Vincenzo Ampolo (vincenzo-ampolo) => (unassigned) Status: In Progress => Triaged -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Sorry, that debdiff and the diff.gz were wrong due a problem in the control file, here is the right one (i hope) ** Attachment added: "libphp-snoopy_1.2.3-2ubuntu0.1.debdiff" http://launchpadlibrarian.net/23225957/libphp-snoopy_1.2.3-2ubuntu0.1.debdiff -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
sorry, as rainct suggested to me here is a debdiff. ** Attachment added: "libphp-snoopy_1.2.3-2ubuntu0.1.debdiff" http://launchpadlibrarian.net/23225849/libphp-snoopy_1.2.3-2ubuntu0.1.debdiff -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
sorry, as rainct suggested to me here is a debdiff. ** Attachment added: "libphp-snoopy_1.2.3-2ubuntu0.1.debdiff" http://launchpadlibrarian.net/23225847/libphp-snoopy_1.2.3-2ubuntu0.1.debdiff -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Here is the diff.tar.gz you have requested according with SecurityUpdateProcedures. If there is something wrong please tell me that i'll fix it. About the QA regression testing i spoke with rainct and he said: "I guess you can skip that, considering that the fix comes from upstream, that the new version has been in Jaunty for a while and that it's just an one-liner." Let me know if i should do more :) ** Attachment added: "libphp-snoopy_1.2.3-2ubuntu0.1.diff.gz" http://launchpadlibrarian.net/23225446/libphp-snoopy_1.2.3-2ubuntu0.1.diff.gz ** Changed in: libphp-snoopy (Ubuntu Intrepid) Status: Confirmed => In Progress -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Vincenzo, thank you for your work on this, however I cannot process your patch for Intrepid, because we do not do full version upgrades for security patches in Ubuntu. Instead, we backport fixes to the version in the release version of Ubuntu. Perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures. Once you have submitted debdiffs, please mark the bug as 'In Progress' and comment on the testing performed. ** Changed in: libphp-snoopy (Ubuntu Intrepid) Status: In Progress => Confirmed -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Changed in: libphp-snoopy (Ubuntu Hardy) Status: New => Confirmed -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
I've updated the bug tasks. The main one is now "Fix released" as Jaunty has the new version with the security fix, and I've added a task for Intrepid and one for Hardy as they both have the same affected version. I guess the revision for Intrepid can also be uploaded to Hardy, as the only difference between both right now is that Intrepid has a new revision adding a debian/watch file. Vincenzo: Please don't modify the latest changelog entry, but add a new one («dch -i -D intrepid-security») with a version number according to point 4. in https://wiki.ubuntu.com/SecurityUpdateProcedures, which in this case would be 1.2.4-1ubuntu0.8.10. However, as Jaunty has version 1.2.4-1, which is lower than 1.2.4-1ubuntu0.8.10 («dpkg --compare- versions 1.2.4-1 gt 1.2.4-1ubuntu0.8.10; echo $?»), I think in this case 1.2.4-0ubuntu0.8.10 should be used. [I have not worked with security updates before, please correct me if I'm wrong]. -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Changed in: libphp-snoopy (Ubuntu) Assignee: Vincenzo Ampolo (vincenzo-ampolo) => (unassigned) Status: In Progress => Fix Released ** Changed in: libphp-snoopy (Ubuntu Intrepid) Assignee: (unassigned) => Vincenzo Ampolo (vincenzo-ampolo) Status: New => In Progress -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Waiting for ubuntu-security review ** Changed in: libphp-snoopy (Ubuntu) Status: Confirmed => In Progress -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
diff for intrepid, in jaunty there is already the 1.2.4 version, which has the fix ** Attachment added: "libphp-snoopy_1.2.4-1.diff.gz" http://launchpadlibrarian.net/22962935/libphp-snoopy_1.2.4-1.diff.gz -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Changes between 1.2.3 and 1.2.4 . 1.2.4 seems to be a major version update ** Attachment added: "version1.2.3-1.2.4.patch" http://launchpadlibrarian.net/22962716/version1.2.3-1.2.4.patch ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-4796 -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
Trying to setup a Security update to version 1.2.4 ** Changed in: libphp-snoopy (Ubuntu) Assignee: (unassigned) => Vincenzo Ampolo (vincenzo-ampolo) -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Changed in: libphp-snoopy (Ubuntu) Status: New => Confirmed -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 292923] Re: CVE-2008-4796: missing input sanitising
** Visibility changed to: Public -- CVE-2008-4796: missing input sanitising https://bugs.launchpad.net/bugs/292923 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs