[pkg-php-pear] Fixes for CVE-2015-6723

David Prévot taffit at debian.org
Tue Sep 1 03:50:46 UTC 2015


Hi,

After uploading the fixed packages in unstable and experimental 
for CVE-2015-6723, I just prepared and built (but not yet tested) fixed
packages for Jessie. Since applications need to run with a umask of 0 in
order to exploit this “local arbitrary code execution with privileges of
other users (privilege escalation)” issue, upstream “consider
exploitability to be low to medium.” [0]

	0: http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html

If you agree with upstream’s point of view, maybe this issue won’t
deserve a DSA, and I’ll ask the release team to include the proposed
fixes in time for 8.3. If not, I’ll update the changelog adequately (and
build with “-sa”) and give the package a proper testing ASAP. Please let
me know.

As upstream didn’t provide a fix for the older branch, I haven’t yet looked into whether
the doctrine 1. branch (as available in Wheezy) is affected, nor how to
patch it (I only recently took over the doctrine package, and upgraded
it to the 2. branch, so I’m not familiar at all with the 1. branch
codebase).

Regards

David
Attachments (non-text, scrubbed by the list archive):

- annotations.diff (text/x-diff, 3145 bytes):
  http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150831/cfc99667/attachment-0004.diff
- cache.diff (text/x-diff, 5175 bytes):
  http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150831/cfc99667/attachment-0005.diff
- common.diff (text/x-diff, 2180 bytes):
  http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150831/cfc99667/attachment-0006.diff
- orm.diff (text/x-diff, 5812 bytes):
  http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150831/cfc99667/attachment-0007.diff
- signature.asc (application/pgp-signature, 473 bytes, digital signature):
  http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150831/cfc99667/attachment-0001.sig
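The message above hinges on one condition: the issue is only exploitable when the application runs with a umask of 0. The following is an added example, not code from the email, from Debian, or from the Doctrine project, illustrating why that condition matters. In PHP (as in C), the mode passed to mkdir() is masked by the process umask, so the same request for 0777 yields a 0755 directory under the usual umask of 022 but a world-writable 0777 directory under umask 0. The audit helper walks a cache directory and reports any entry writable by "other", which is the state a defender wants to detect. All paths and function names here are constructed for the demonstration.

```php
<?php
// Added example (not from the email or from Doctrine): how the process
// umask shapes the permissions of directories a PHP application creates,
// plus a check that flags world-writable entries under a cache directory.

declare(strict_types=1);

/**
 * Create $path with $requestedMode while $umask is in effect and return
 * the permission bits the filesystem actually applied (mode & ~umask).
 */
function createDirWithUmask(string $path, int $requestedMode, int $umask): int
{
    $previous = umask($umask);          // umask() returns the old mask
    try {
        if (!mkdir($path, $requestedMode) && !is_dir($path)) {
            throw new RuntimeException("cannot create $path");
        }
    } finally {
        umask($previous);               // always restore the caller's mask
    }
    clearstatcache(true, $path);
    return fileperms($path) & 0777;
}

/**
 * Walk $root and return every path (including $root itself) whose mode
 * has the "other write" bit (0002) set. A world-writable cache directory
 * lets any local user plant content that the application later reads.
 */
function findWorldWritable(string $root): array
{
    $hits = [];
    if ((fileperms($root) & 0002) !== 0) {
        $hits[] = $root;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        $p = $entry->getPathname();
        if ((fileperms($p) & 0002) !== 0) {
            $hits[] = $p;
        }
    }
    return $hits;
}

// Constructed scratch location for the demonstration.
$base = sys_get_temp_dir() . '/umask-demo-' . getmypid();
mkdir($base, 0700);

// Same requested mode (0777), two different process umasks.
$withUmask022 = createDirWithUmask("$base/cache-umask022", 0777, 0022);
$withUmask000 = createDirWithUmask("$base/cache-umask000", 0777, 0000);

printf("requested 0777, umask 022 -> %04o\n", $withUmask022); // 0755
printf("requested 0777, umask 000 -> %04o\n", $withUmask000); // 0777

// Only the directory created under umask 0 should be reported.
foreach (findWorldWritable($base) as $p) {
    echo "world-writable: $p\n";
}
```

Two practical points follow from the output. First, relying on the umask to strip the write bit for "other" is fragile: the umask is inherited from whatever started the PHP process (a web server, a cron job, a container entrypoint), and the application cannot assume it is 022. Requesting a restrictive mode such as 0755 or 0700 for directories and 0644 or 0600 for files, or calling chmod() after creation, makes the result independent of the caller's umask. Second, findWorldWritable() is the kind of check worth running against a deployed application's cache and proxy directories when triaging an advisory like the one referenced above, since it answers directly whether the precondition for exploitation is present on a given host.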