Red Hat Bugzilla – Bug 379081
CVE-2007-5934 MDB2 Data injection and disclosure
Last modified: 2008-10-01 10:52:28 EDT
Description of problem:
Seems like we didn't fix the upstream (impact=critical) bug #10024. See URL for
details. We should deal with it as soon as possible.
Version-Release number of selected component (if applicable):
The upstream fix is here:
CVE identifier was requested.
At first glance it looks like these three packages have to be updated
simultaneously, am I right? If not, please close appropriate tracking bugs.
php-pear-MDB2-Driver-mysql-1.4.1-3.fc7, php-pear-MDB2-Driver-mysqli-1.4.1-3.fc7, php-pear-MDB2-2.4.1-2.fc7 have been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
php-pear-MDB2-Driver-mysqli-1.4.1-3.fc8, php-pear-MDB2-Driver-mysql-1.4.1-3.fc8.1, php-pear-MDB2-2.4.1-2.fc8 have been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Since installing this RPM over my own hand-rolled (basically the same RPM, just without the security patch), all of my MDB2 stuff (all PostgreSQL btw) spews these errors:
PHP Notice: Undefined property: MDB2_Statement_pgsql::$options in /usr/share/pear/MDB2/Driver/pgsql.php on line 1354
Pulling out that patch (php-pear-MDB2-Driver-pgsql-1.4.1-lob.patch) resolves the issue. Has upstream provided a newer version of that patch possibly?