Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 1 Nov 2008 23:01:15 +1100
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security <oss-security@...ts.openwall.com>
Cc: coley@...re.org
Subject: CVE-2008-4796: snoopy triage

Hi

I thought I'd share the outcome of my snoopy triage for debian.
I had a look at upstream's patch[0] and compared it with packages in debian.

We had 6 packages including the file Snoopy.class.php, all were vulnerable.
List of packages:
ampache: /usr/share/ampache/www/modules/infotools/Snoopy.class.php
libphp-snoopy: /usr/share/php/libphp-snoopy/Snoopy.class.php
mahara: /usr/share/mahara/lib/snoopy/Snoopy.class.php
mediamate: /usr/share/mediamate/Snoopy.class.php
opendb: /usr/share/opendb/functions/Snoopy.class.php
pixelpost: /usr/share/pixelpost/addons/_defensio/libraries/Snoopy.class.php

I haven't checked, how they depend on the Snoopy.class.php file yet.
Of course there might be more out there and included in other distributions, 
so don't assume that this is all. The packages in debian duplicating the 
source should just depend on the libphp-snoopy package, which in debian is 
the snoopy upstream package.

Steve, do you want to update the CVE description to reflect that the file is 
included in several other packages?

Cheers
Steffen

[0]: http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch

Download attachment "signature.asc " of type "application/pgp-signature" (198 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.