Date: Mon, 23 Nov 2009 19:59:41 +0100 From: Alex Legler <a3li@...too.org> To: oss-security@...ts.openwall.com Subject: CVE request: Argument injections in multiple PEAR packages Hi, here are a couple of issues in PEAR packages that do not yet have a CVE afaik: 1. PEAR-Mail Mail::Send() Argument Injection when using Sendmail Secunia writes: "The sendmail implementation of the "Mail::Send()" method does not properly sanitise the "from" parameter before invoking sendmail, which can be exploited to pass arbitrary arguments to the sendmail command." Contrary to Secunia, this does not seem to be completely fixed yet (see Raphael Geissert's comment in the upstream bug) http://secunia.com/advisories/37410/ Upstream bug: http://pear.php.net/bugs/bug.php?id=16200 First commit: http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717&r2=280134 Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294256 2. PEAR-Net_Ping < 2.4.5 ping() Argument Injection via $host Upstream writes: "When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections." Upstream advisory: http://pear.php.net/advisory20091114-01.txt Commit: http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728&r2=290669 Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294258 3. PEAR-Net_Traceroute < 0.21.2 traceroute() Argument Injection via $host See above, same advisory. Commit: http://svn.php.net/viewvc/pear/packages/Net_Traceroute/trunk/Traceroute.php?r1=232735&r2=290749 Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=294264 Thanks, Alex [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ