Bug 379081 (CVE-2007-5934)

Summary: CVE-2007-5934 MDB2 Data injection and disclosure
Product: [Other] Security Response
Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: chris.stone, dhollis, fedora
Keywords: Security
Hardware: All
OS: Linux
URL: http://pear.php.net/bugs/bug.php?id=10024
Fixed In Version: 1.4.1-3.fc7
Doc Type: Bug Fix
Last Closed: 2007-11-15 03:41:07 UTC
Bug Depends On: 379091, 379101, 379111, 379121, 379131, 379141, 379151, 379161, 379171

Description Lubomir Kundrak 2007-11-13 00:02:17 UTC
Description of problem:

Seems like we didn't fix the upstream (impact=critical) bug #10024. See URL for
details. We should deal with it as soon as possible.

Version-Release number of selected component (if applicable):

php-pear-MDB2-2.4.1-1.fc7

Additional information:

The upstream fix is here:

http://marc.info/?l=pear-cvs&m=117823082829114&w=2

Comment 1 Lubomir Kundrak 2007-11-13 00:14:34 UTC
CVE identifier was requested.

At first glance it looks like these three packages have to be updated
simultaneously, am I right? If not, please close the appropriate tracking bugs.

php-pear-MDB2
php-pear-MDB2-Driver-mysql
php-pear-MDB2-Driver-mysqli

Comment 3 Fedora Update System 2007-11-15 03:41:02 UTC
php-pear-MDB2-Driver-mysql-1.4.1-3.fc7, php-pear-MDB2-Driver-mysqli-1.4.1-3.fc7, php-pear-MDB2-2.4.1-2.fc7 have been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2007-11-15 03:44:11 UTC
php-pear-MDB2-Driver-mysqli-1.4.1-3.fc8, php-pear-MDB2-Driver-mysql-1.4.1-3.fc8.1, php-pear-MDB2-2.4.1-2.fc8 have been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 David Hollis 2008-10-01 14:52:28 UTC
Since installing this RPM over my own hand-rolled (basically the same RPM, just without the security patch), all of my MDB2 stuff (all PostgreSQL btw) spews these errors:

PHP Notice:  Undefined property: MDB2_Statement_pgsql::$options in /usr/share/pear/MDB2/Driver/pgsql.php on line 1354

Pulling out that patch (php-pear-MDB2-Driver-pgsql-1.4.1-lob.patch) resolves the issue.  Has upstream provided a newer version of that patch possibly?