Bug 379081 (CVE-2007-5934) - CVE-2007-5934 MDB2 Data injection and disclosure
Summary: CVE-2007-5934 MDB2 Data injection and disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5934
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://pear.php.net/bugs/bug.php?id=1...
Whiteboard:
Depends On: 379091 379101 379111 379121 379131 379141 379151 379161 379171
Blocks:
Reported: 2007-11-13 00:02 UTC by Lubomir Kundrak
Modified: 2008-10-01 14:52 UTC

Fixed In Version: 1.4.1-3.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-15 03:41:07 UTC
Embargoed:


Description Lubomir Kundrak 2007-11-13 00:02:17 UTC
Description of problem:

Seems like we didn't fix the upstream (impact=critical) bug #10024. See URL for
details. We should deal with it as soon as possible.

Version-Release number of selected component (if applicable):

php-pear-MDB2-2.4.1-1.fc7

Additional information:

The upstream fix is here:

http://marc.info/?l=pear-cvs&m=117823082829114&w=2

Comment 1 Lubomir Kundrak 2007-11-13 00:14:34 UTC
CVE identifier was requested.

At first glance it looks like these three packages have to be updated
simultaneously, am I right? If not, please close appropriate tracking bugs.

php-pear-MDB2
php-pear-MDB2-Driver-mysql
php-pear-MDB2-Driver-mysqli

Comment 3 Fedora Update System 2007-11-15 03:41:02 UTC
php-pear-MDB2-Driver-mysql-1.4.1-3.fc7, php-pear-MDB2-Driver-mysqli-1.4.1-3.fc7, php-pear-MDB2-2.4.1-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2007-11-15 03:44:11 UTC
php-pear-MDB2-Driver-mysqli-1.4.1-3.fc8, php-pear-MDB2-Driver-mysql-1.4.1-3.fc8.1, php-pear-MDB2-2.4.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 David Hollis 2008-10-01 14:52:28 UTC
Since installing this RPM over my own hand-rolled (basically the same RPM, just without the security patch), all of my MDB2 stuff (all PostgreSQL btw) spews these errors:

PHP Notice:  Undefined property: MDB2_Statement_pgsql::$options in /usr/share/pear/MDB2/Driver/pgsql.php on line 1354

Pulling out that patch (php-pear-MDB2-Driver-pgsql-1.4.1-lob.patch) resolves the issue.  Has upstream provided a newer version of that patch possibly?
