Your message dated Fri, 1 Apr 2005 16:17:27 +1000 (EST)
with message-id <[EMAIL PROTECTED]>
and subject line Closing this bug...
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Feb 2005 18:03:17 +0000
>From [EMAIL PROTECTED] Mon Feb 07 10:03:16 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CyDEC-0007H0-00; Mon, 07 Feb 2005 10:03:16 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id 7732E17FEF
for <[EMAIL PROTECTED]>; Mon, 7 Feb 2005 18:03:15 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id 5D0BE6E414; Mon, 7 Feb 2005 13:05:36 -0500 (EST)
Date: Mon, 7 Feb 2005 13:05:36 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: curl allows curcumvention of open_basedir (CAN-2004-1392)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="VrqPEDrXMn8OVzN4"
Content-Disposition: inline
X-Reportbug-Version: 3.7.1
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--VrqPEDrXMn8OVzN4
Content-Type: multipart/mixed; boundary="AqsLC8rIMeq19msA"
Content-Disposition: inline
--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: php4
Version: 4:4.3.10-2
Severity: serious
Tags: security patch
According to CAN-2004-1392:
PHP 4.0 with cURL functions allows remote attackers to bypass the
open_basedir setting and read arbitrary files via a file: URL argument
to the curl_init function.
Details here:
http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D109898213806099&w=3D2
The attached patch was extracted from ubuntu's php4 4.3.8-3ubuntu7.3.
Our newer version of php4 also seems to be vulnerable, based on code
inspection.
--=20
see shy jo
--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="php4-curl-openbasedir.patch"
Content-Transfer-Encoding: quoted-printable
--- php4-4.3.8.orig/debian/patches/curl_check_open_basedir.patch
+++ php4-4.3.8/debian/patches/curl_check_open_basedir.patch
@@ -0,0 +1,18 @@
+diff -ru php4-4.3.10.old/ext/curl/curl.c php4-4.3.10/ext/curl/curl.c
+--- php4-4.3.10.old/ext/curl/curl.c 2005-01-20 14:20:15.000000000 +0000
++++ php4-4.3.10/ext/curl/curl.c 2005-01-20 15:34:06.000000000 +0000
+@@ -682,6 +682,14 @@
+ WRONG_PARAM_COUNT;
+ }
+=20
++ /* check open_basedir restriction */
++ {
++ char *u =3D Z_STRVAL_PP(url);
++
++ if(!u || (!strncmp(u, "file://",7) &&
php_check_open_basedir((u+7) TSRM=
LS_CC)))=20
++ RETURN_FALSE;
++ }
++
+ alloc_curl_handle(&ch);
+=20
+ ch->cp =3D curl_easy_init();
--AqsLC8rIMeq19msA--
--VrqPEDrXMn8OVzN4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCB63vd8HHehbQuO8RApr9AJkBxWWdpZGfb0SdvfGbI3kC0ZyB6gCbB1iR
gsSrJfALH+BRy3T8S0VbtxY=
=2eba
-----END PGP SIGNATURE-----
--VrqPEDrXMn8OVzN4--
---------------------------------------
Received: (at 294065-done) by bugs.debian.org; 1 Apr 2005 06:17:58 +0000
>From [EMAIL PROTECTED] Thu Mar 31 22:17:58 2005
Return-path: <[EMAIL PROTECTED]>
Received: from loki.0c3.net [69.0.240.48]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DHFTi-0005CL-00; Thu, 31 Mar 2005 22:17:58 -0800
Received: from localhost
([127.0.0.1] helo=mail.0c3.net ident=www-data)
by loki.0c3.net with esmtp (Exim 4.34)
id 1DHFTD-0007Qf-Aa
for [EMAIL PROTECTED]; Thu, 31 Mar 2005 23:17:27 -0700
Received: from 130.194.13.103
(SquirrelMail authenticated user adconrad)
by mail.0c3.net with HTTP;
Fri, 1 Apr 2005 16:17:27 +1000 (EST)
Message-ID: <[EMAIL PROTECTED]>
Date: Fri, 1 Apr 2005 16:17:27 +1000 (EST)
Subject: Closing this bug...
From: "Adam Conrad" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.5.1 [CVS]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on loki.0c3.net); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-1.8 required=4.0 tests=BAYES_00,PRIORITY_NO_NAME
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
As indicated in #285845, our security team and vendor-sec consider
safe_mode to be "fundamentally broken", and as such, we do not issue
security advisories for fixed which only affect safe_mode behaviour.
open_basedir would fall into the same category, for the same reasons,
namely that it requires too much knowlege of how the libraries you link to
are going to mess with your ability to lock them down.
... Adam
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
