Bug#504172: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Package: mediamate
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for mediamate.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

From what I can see there might be one or two patches in your Snoopy.class.php file, which you might want to forward to the libphp-snoopy maintainer. (For example I was looking at the proxy stuff).

Also, since the package is in stable (etch), I'd like to know in which way the php library is invoked and how vulnerable to attacks the stable version is. If it is severe enough, we should prepare a DSA, otherwise an update could go through s-p-u.

Thanks for your work on mediamate.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
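
The class of bug the CVE text describes, a URL reaching a shell command line, next to a hardened form, as an added example that is not part of this thread and not Snoopy's or mediamate's code. The function names, the curl path and the `www.imdb.com` allowlist are assumptions made for illustration; the sample URLs are constructed.

```php
<?php
// Added illustration; not Snoopy's or mediamate's code. All names are hypothetical.

// Vulnerable pattern: the URL becomes part of a string that exec() would hand
// to /bin/sh, so the shell interprets any metacharacters in it.
// Shown as a string builder only; the result is never executed here.
function unsafe_command_line(string $curl, string $url): string
{
    return $curl . ' -s ' . $url;
}

// Hardened: parse and validate the URL, then return an argv array.
// proc_open() (PHP >= 7.4) starts an argv array directly, without a shell.
function safe_argv(string $curl, string $url, array $allowedHosts): array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('not an absolute URL');
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (!in_array(strtolower($p['host']), $allowedHosts, true)) {
        throw new InvalidArgumentException('host not allowed');
    }
    // Defence in depth: reject whitespace, control bytes and shell
    // metacharacters; a well-formed URL percent-encodes them.
    if (preg_match('/[\x00-\x20\x7f"\'`$\\\\;|<>(){}]/', $url)) {
        throw new InvalidArgumentException('unexpected character in URL');
    }
    return [$curl, '-s', $url];
}

$samples = [                                  // constructed sample inputs
    'https://www.imdb.com/title/tt0000000/',
    'https://www.imdb.com/x;echo injected',
    'https://example.invalid/title/',
];
foreach ($samples as $url) {
    try {
        $argv = safe_argv('/usr/bin/curl', $url, ['www.imdb.com']);
        echo 'accept: ', implode(' ', $argv), "\n";
        // proc_open($argv, $descriptors, $pipes) would run this with no shell.
    } catch (InvalidArgumentException $e) {
        echo 'reject: ', $url, ' (', $e->getMessage(), ")\n";
        echo '  unsafe form would give sh: ', unsafe_command_line('curl', $url), "\n";
    }
}
```
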
Bug#504172: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Steffen Joeris wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was published for mediamate.
>
> CVE-2008-4796[0]:
> | The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
> | and earlier allows remote attackers to execute arbitrary commands via
> | shell metacharacters in https URLs. NOTE: some of these details are
> | obtained from third party information.

While it is a security hole, mediamate only uses Snoopy for user provided URLs for IMDB entries. AFAIK, IMDB does not provide an HTTPS interface which this vulnerability requires.

> The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team.

I'm currently working on a corrected package.

> Also, since the package is in stable (etch), I'd like to know in which way the php library is invoked and how vulnerable to attacks the stable version is. If it is severe enough, we should prepare a DSA, otherwise an update could go through s-p-u.

See above. I don't see how this could normally be exploited in mediamate's case, s-p-u should be fine. I'll look into providing a corrected package for it as well.

--
Jamin W. Collins
Bug#504172: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Jamin W. Collins wrote:
> Steffen Joeris wrote:
>> The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team.
>
> I'm currently working on a corrected package.

The updated package is ready, but it looks like my key has made its way into the emeritus keyring. I've put the signed packages up on my personal site:

http://www.asgardsrealm.net/tmp/debs/mediamate/

If you or someone else would like to sponsor them, I'd appreciate it.

--
Jamin W. Collins