Bug 285881 (CVE-2007-4782)
| Field | Value |
|---|---|
| Summary | CVE-2007-4782 php crash in glob() and fnmatch() functions |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | jorton, kreilly, mjc |
| Keywords | Reopened, Security |
| Hardware | All |
| OS | Linux |
| URL | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4782 |
| Fixed In Version | 5.2.6-2.fc8 |
| Doc Type | Bug Fix |
| Last Closed | 2010-03-29 08:28:30 UTC |
| Bug Depends On | 445919, 445920, 445921, 445922, 445923, 445924, 445925 |

Description
Tomas Hoger
2007-09-11 13:12:43 UTC
We do not consider these to be security issues. For more details see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and
http://www.php.net/security-note.php

Issues were addressed in PHP 5.2.5, patches:

fnmatch:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/file.c?r1=1.409.2.6.2.27&r2=1.409.2.6.2.28

glob:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/dir.c?r1=1.147.2.3.2.10&r2=1.147.2.3.2.11

*** Bug 382451 has been marked as a duplicate of this bug. ***

Re-opening this bug. We will be addressing fnmatch() issue in the next PHP update, as the argument passed to it may be untrusted user data. Documentation for the functions suggests usage of fnmatch() as a light-weight alternative to regular expression handling functions for implementing pattern search functionality in the PHP applications.

http://www.php.net/manual/en/function.fnmatch.php

php-5.2.6-2.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update php'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-3864

php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

(In reply to comment #2)
> Issues were addressed in PHP 5.2.5, patches:
>
> fnmatch:
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/file.c?r1=1.409.2.6.2.27&r2=1.409.2.6.2.28
>
> glob:
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/dir.c?r1=1.147.2.3.2.10&r2=1.147.2.3.2.11

These links no longer work, as upstream moved CVS to using SVN. Relevant commit in the upstream SVN:

http://svn.php.net/viewvc?view=revision&revision=242146