Bug 379081 - (CVE-2007-5934) CVE-2007-5934 MDB2 Data injection and disclosure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
urgent Severity urgent
Assigned To: Red Hat Product Security
http://pear.php.net/bugs/bug.php?id=1...
: Security
Depends On: 379091 379101 379111 379121 379131 379141 379151 379161 379171
Reported: 2007-11-12 19:02 EST by Lubomir Kundrak
Modified: 2008-10-01 10:52 EDT
Fixed In Version: 1.4.1-3.fc7
Doc Type: Bug Fix
Last Closed: 2007-11-14 22:41:07 EST


Description Lubomir Kundrak 2007-11-12 19:02:17 EST
Description of problem:

Seems like we didn't fix the upstream (impact=critical) bug #10024. See URL for
details. We should deal with it as soon as possible.

Version-Release number of selected component (if applicable):

php-pear-MDB2-2.4.1-1.fc7

Additional information:

The upstream fix is here:

http://marc.info/?l=pear-cvs&m=117823082829114&w=2
Comment 1 Lubomir Kundrak 2007-11-12 19:14:34 EST
CVE identifier was requested.

At first glance it looks like these three packages have to be updated
simultaneously, am I right? If not, please close appropriate tracking bugs.

php-pear-MDB2
php-pear-MDB2-Driver-mysql
php-pear-MDB2-Driver-mysqli
Comment 3 Fedora Update System 2007-11-14 22:41:02 EST
php-pear-MDB2-Driver-mysql-1.4.1-3.fc7, php-pear-MDB2-Driver-mysqli-1.4.1-3.fc7, php-pear-MDB2-2.4.1-2.fc7 have been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2007-11-14 22:44:11 EST
php-pear-MDB2-Driver-mysqli-1.4.1-3.fc8, php-pear-MDB2-Driver-mysql-1.4.1-3.fc8.1, php-pear-MDB2-2.4.1-2.fc8 have been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 David Hollis 2008-10-01 10:52:28 EDT
Since installing this RPM over my own hand-rolled (basically the same RPM, just without the security patch), all of my MDB2 stuff (all PostgreSQL btw) spews these errors:

PHP Notice:  Undefined property: MDB2_Statement_pgsql::$options in /usr/share/pear/MDB2/Driver/pgsql.php on line 1354

Pulling out that patch (php-pear-MDB2-Driver-pgsql-1.4.1-lob.patch) resolves the issue.  Has upstream provided a newer version of that patch possibly?
