On Wed, 2008-07-23 at 11:00 +0200, Nico Golde wrote:
> Hi Neil,
> * Neil Williams <[EMAIL PROTECTED]> [2008-07-23 00:20]:
> > On Tue, 2008-07-22 at 20:54 +0200, Nico Golde wrote:
> > > * Moritz Naumann <[EMAIL PROTECTED]> [2008-07-22 20:46]:
> > > > I'm not providing additional technical information or ways to reproduce
> > > > this issue since - while a patch is available - I cannot verify whether
> > > > or not there are other vulnerable installations out there.
> > > >
> > > > Please feel free to get in touch with me directly in 4 weeks from now
> > > > and ask me to provide further information on this bug tracker - I'll
> > > > happily do it then.

The problem was that the script included a local log file without correctly checking for '../' in the file path, resulting in system files being loaded and displayed. The patch fixing this issue is: http://buildd.emdebian.org/svn/changeset/4529/current/host Index: current/host/trunk/emdebian-tools/trunk/debian/changelog =================================================================== --- current/host/trunk/emdebian-tools/trunk/debian/changelog (revision 4526) +++ current/host/trunk/emdebian-tools/trunk/debian/changelog (revision 4529) @@ -1,2 +1,8 @@ +emdebian-tools (1.4.1) unstable; urgency=low + + * PHP local file inclusion (Closes: #491917) + + -- Neil Williams <[EMAIL PROTECTED]> Tue, 22 Jul 2008 19:48:34 +0100 + emdebian-tools (1.4.0) unstable; urgency=low Index: current/host/trunk/emdebian-tools/trunk/buildd/buildd.php =================================================================== --- current/host/trunk/emdebian-tools/trunk/buildd/buildd.php (revision 4517) +++ current/host/trunk/emdebian-tools/trunk/buildd/buildd.php (revision 4529) @@ -29,4 +29,5 @@ $pkg = htmlspecialchars ($_GET['pkg']); $log = htmlspecialchars ($_GET['log']); + $log = preg_replace ('/\.\.\//', "", $log); $logfile = $pkg[0]."/".$pkg."/trunk/".$log; print "<h2>Package: $pkg</h2>"; > > > > The one publicly visible implementation that I maintain has been fixed. > > The point is it doesn't makes sense to request a CVE id for > this without any details that allows us to track the issue. > And I fail to see the reason to omit this information here > as it doesn't seem to be that ubercritical. If there is other information you need, let me know. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/
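Review bot: in buildd.php the added preg_replace on $log strips '../' in a single pass and is the only path check, which leaves the fix incomplete in two places. A one-pass strip can leave a '../' behind when the removed text was embedded in a longer sequence, and $pkg, which is concatenated into $logfile twice ($pkg[0]."/".$pkg."/trunk/".$log), gets no traversal check at all; htmlspecialchars() only encodes HTML metacharacters and does nothing about path separators. Suggest validating instead of stripping: reject the request unless $pkg and $log each equal their own basename() (or match an allow-list pattern), then resolve $logfile with realpath() and confirm the result is still under the log root before the file is included.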