| Summary: | php-pear-HTML_AJAX new security issue fixed upstream in 0.5.7 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs, thomas |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/625505/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | php-pear-HTML_AJAX-0.5.6-7.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-12-05 18:19:53 CET
This bug has been fixed and the upgraded packages are in mga4 upgrades testing:

php-pear-HTML_AJAX-0.5.7-1.mga5.src.rpm
php-pear-HTML_AJAX-0.5.7-1.mga5.noarch.rpm

Assigning it to QA.

Status: NEW => ASSIGNED

Thanks Thomas! Actually assigning to QA.

Advisory:
========================

Updated php-pear-HTML_AJAX package fixes security vulnerability:

The HTML_AJAX pear module before version 0.5.7 is vulnerable to a bug that can allow for remote code execution through unspecified vectors.

References:
http://pear.php.net/package/HTML_AJAX/download/
========================

Updated packages in core/updates_testing:
========================
php-pear-HTML_AJAX-0.5.7-1.mga4

from php-pear-HTML_AJAX-0.5.7-1.mga4.src.rpm

CC: (none) => thomas

Testing MGA4-64 on HP Probook 6555b

Installed without problems. Looked at http://bluga.net/projects/HTML_AJAX/examples/ and ran the examples there without problems.

CC: (none) => herman.viaene

I think you tested the bluga.net implementation rather than our own, Herman. I'll remove your OK but please replace it if I'm wrong.

Downloaded some of the examples from there to /var/www/html/test/ and no joy with them, e.g. http://localhost/test/proxyless_usage.php

Looking in /var/log/httpd/error_log it shows they are missing server.php.

Not entirely sure how to test this one yet. Any ideas, Thomas?

Whiteboard: MGA4-64-OK => (none)

Testing complete mga4 32

Some info here: http://blog.joshuaeichorn.com/slides/Introduction-To-HTML_AJAX/

Using server.php, example1.php and example2.php, which reference date.php, so created a date.php as below, all saved in /var/www/html/test/

# cat date.php
<?php
// Returns the current server time; the examples below fetch this page via HTML_AJAX
echo date('l jS \of F Y h:i:s A');
?>

And the others from the webpage:

# cat server.php
<?php
// Serves the HTML_AJAX client JavaScript (server.php?client=all) and handles AJAX calls
require_once 'HTML/AJAX/Server.php';
$server = new HTML_AJAX_Server();
$server->handleRequest();
?>

# cat example1.php
<html>
<head>
<title>Example 1 - HTML_AJAX.append()</title>
<script type="text/javascript" src="server.php?client=all"></script>
<script type="text/javascript">
function act() {
    HTML_AJAX.append('target', 'date.php');
}
</script>
</head>
<body>
<a href="javascript:act()">Append the current time as given by date.php</a>
<div id="target">I'm the target</div>
</body>
</html>

# cat example2.php
<html>
<head>
<title>Example 2 - HTML_AJAX Basic Methods</title>
<script type="text/javascript" src="server.php?client=all"></script>
</head>
<body>
<a href="#" onclick="HTML_AJAX.append('target', 'date.php');">Append</a>
<a href="#" onclick="HTML_AJAX.replace('target', 'date.php');">Replace</a>
<a href="#" onclick="alert(HTML_AJAX.grab('date.php'));">Grab Sync</a>
<a href="#" onclick="HTML_AJAX.grab('date.php', function(result) { alert(result); })">Grab Async</a>
<div id="target">I'm the target</div>
</body>
</html>

Then browse to http://localhost/test/example1.php and http://localhost/test/example2.php and click the links to show the date in various places.

Whiteboard: (none) => has_procedure mga4-32-ok

Many thanks to Claire for the detailed scripts etc. above.

Testing MGA4 x64 real hardware.

Installed from normal repos php-pear-HTML_AJAX-0.5.6-7.mga4. Installed the 4 scripts in /var/www/html/test/.

Browser pointed to http://localhost/test/example1.php appended the day, date, time ad infinitum on each click of the link.

http://localhost/test/example2.php
Append: as example1.
Replace: updated in situ the day, date, time on each click.
Grab Sync: popped up a Javascript information dialogue with date & time.
Grab Async: same behaviour.

Updated from Testing to php-pear-HTML_AJAX-0.5.7-1.mga4. Re-running the tests gave the same results as before.

I do not know whether this is what *should* happen, so leave the OK-ing to someone else.

BTAIM the time shown was *GMT*, one hour behind my local time (shown correctly on the desktop). Again - is this right?

CC: (none) => lewyssmith

(In reply to Lewis Smith from comment #6)
> BTAIM the time shown was *GMT*, one hour behind my local time (shown
> correctly on the desktop). Again - is this right?

You need to set the date.timezone setting in php.ini. This used to not be necessary, but unfortunately PHP changed this.

David, do you have to be *so* quick?

My Comment 6 "The time shown was *GMT*, one hour behind my local time (shown correctly on the desktop)" is *wrong*; I take that back. The tests showed the *correct* local time; the *desktop* time was (is) wrong, 1 hr in advance. [This is a problem that has been bugging me for some time: the need to correct the desktop time by 1 hr; might bug it if I can pin it down].

Adding 64bit OK from Lewis's testing.

Validating. I'll upload the advisory shortly.

Please push to updates. Thanks.

Keywords: (none) => validated_update

Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0519.html

Status: ASSIGNED => RESOLVED
David Walser
2014-12-10 19:06:33 CET
URL: (none) => http://lwn.net/Vulnerabilities/625505/
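As an added example that is not part of this bug report, the advisory, or the HTML_AJAX package itself: the thread validates the fix by exercising the package, but the check a practitioner wants after the update is pushed is whether a given host still carries a pre-0.5.7 build. The POSIX shell script below compares the version part of an rpm "VERSION-RELEASE" string against the fixed upstream version 0.5.7 named in the advisory. It assumes the query on a live host is `rpm -q --qf '%{VERSION}-%{RELEASE}\n' php-pear-HTML_AJAX` and that version fields are purely numeric; the two version strings embedded below are constructed from the package names in the report so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that the php-pear-HTML_AJAX
# package on a Mageia 4 host is at or past the fixed upstream version 0.5.7.
# Input is the "%{VERSION}-%{RELEASE}" string that `rpm -q --qf` prints.

FIXED_VERSION="0.5.7"

# vercmp A B: prints 0 if A == B, 1 if A > B, 2 if A < B, comparing dotted
# numeric fields left to right (a missing field counts as 0).  Assumption:
# fields are plain integers, which holds for the package versions in this report.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        if [ "$ai" -lt "$bi" ]; then echo 2; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# html_ajax_is_fixed VERSION-RELEASE: returns 0 (fixed) when the version part is
# >= 0.5.7, 1 (still vulnerable) otherwise.  The release suffix (e.g. "-7.mga4")
# is ignored because the fix arrived as a new upstream version, not a release bump.
html_ajax_is_fixed() {
    ver="${1%%-*}"
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample outputs of:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' php-pear-HTML_AJAX
OLD_PKG="0.5.6-7.mga4"   # the Source RPM in the report header: vulnerable
NEW_PKG="0.5.7-1.mga4"   # the package pushed from updates_testing: fixed

for pkg in "$OLD_PKG" "$NEW_PKG"; do
    if html_ajax_is_fixed "$pkg"; then
        echo "php-pear-HTML_AJAX $pkg: fixed (>= $FIXED_VERSION)"
    else
        echo "php-pear-HTML_AJAX $pkg: VULNERABLE (< $FIXED_VERSION), apply MGASA-2014-0519"
    fi
done

# On a live host, feed the real query instead of the constructed strings:
#   html_ajax_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' php-pear-HTML_AJAX)"
```

The release tag is deliberately dropped before comparison: because the fix is a new upstream release rather than a patched rebuild, any 0.5.6 build is vulnerable regardless of how high its release number is, and a 0.5.6 with a higher release must not be mistaken for newer than 0.5.7-1.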