CVE-2008-4796: missing input sanitising

Bug #292923 reported by François Marier
Affects                  Status        Importance  Assigned to        Milestone
Debian                   Fix Released  Unknown
libphp-snoopy (Ubuntu)   Fix Released  Undecided   Unassigned
Hardy                    Fix Released  Undecided   Kees Cook
Intrepid                 Fix Released  Undecided   Marc Deslauriers

Bug Description

Binary package hint: libphp-snoopy

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.
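The sketch below is an added illustration of the bug class the CVE text describes; it is not Snoopy's code and not the patch discussed in this bug. It assumes, as Snoopy's _httpsrequest did, that the https path builds a command line for the curl binary and runs it with exec(); the function names and the sample URL are constructed here.

```php
<?php
// Added example for the CVE-2008-4796 bug class; not Snoopy's own code.
// Assumption: like Snoopy's _httpsrequest, the fetcher builds a command line
// for the curl binary and runs it through exec(), so /bin/sh parses the URL.

// Reject anything that is not a well-formed https URL before it goes anywhere.
function assert_https_url(string $uri): void
{
    $p = parse_url($uri);
    if ($p === false || ($p['scheme'] ?? '') !== 'https' || empty($p['host'])) {
        throw new InvalidArgumentException('refusing non-https or malformed URL');
    }
}

// Vulnerable pattern: the caller-supplied URL is concatenated into the command.
// Inside double quotes sh still expands $(...), backticks and $VAR, and an
// embedded double quote ends the argument, so the remainder is parsed as shell.
function build_curl_cmd_vulnerable(string $uri, string $curlPath = '/usr/bin/curl'): string
{
    return $curlPath . ' -s "' . $uri . '"';
}

// Hardened pattern: validate, then quote with escapeshellarg(), which wraps the
// value in single quotes (escaping any embedded single quote) so sh hands it
// to curl as one literal argv entry.
function build_curl_cmd_hardened(string $uri, string $curlPath = '/usr/bin/curl'): string
{
    assert_https_url($uri);
    return escapeshellarg($curlPath) . ' -s ' . escapeshellarg($uri);
}

// Preferred form: the curl extension never involves a shell at all, and
// certificate verification stays on.
function https_fetch_no_shell(string $uri): string
{
    assert_https_url($uri);
    $ch = curl_init($uri);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("curl failed: $err");
    }
    return $body;
}

// Constructed sample: a syntactically valid https URL whose path carries a
// command-substitution sequence. Only the command strings are built; nothing runs.
$sample = 'https://example.invalid/$(id)';
echo build_curl_cmd_vulnerable($sample), "\n";   // $(id) sits in double quotes: sh would expand it
echo build_curl_cmd_hardened($sample), "\n";     // single-quoted: sh passes it through untouched
```

Comparing the two printed command lines shows why the upstream one-liner is sufficient: once the URL is a single quoted argv entry, the shell has nothing to interpret.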

François Marier (fmarier) wrote :
Changed in libphp-snoopy:
status: New → Confirmed
Vincenzo Ampolo (vincenzo-ampolo) wrote :

Trying to set up a security update to version 1.2.4

Changed in libphp-snoopy:
assignee: nobody → vincenzo-ampolo
Vincenzo Ampolo (vincenzo-ampolo) wrote :

Changes between 1.2.3 and 1.2.4. 1.2.4 seems to be a major version update.

Vincenzo Ampolo (vincenzo-ampolo) wrote :

Diff for intrepid; in jaunty there is already the 1.2.4 version, which has the fix.

Vincenzo Ampolo (vincenzo-ampolo) wrote :

Waiting for ubuntu-security review

Changed in libphp-snoopy:
status: Confirmed → In Progress
Changed in libphp-snoopy:
assignee: vincenzo-ampolo → nobody
status: In Progress → Fix Released
assignee: nobody → vincenzo-ampolo
status: New → In Progress
Siegfried Gevatter (rainct) wrote :

I've updated the bug tasks. The main one is now "Fix released" as Jaunty has the new version with the security fix, and I've added a task for Intrepid and one for Hardy as they both have the same affected version. I guess the revision for Intrepid can also be uploaded to Hardy, as the only difference between both right now is that Intrepid has a new revision adding a debian/watch file.

Vincenzo: Please don't modify the latest changelog entry, but add a new one («dch -i -D intrepid-security») with a version number according to point 4 in https://wiki.ubuntu.com/SecurityUpdateProcedures, which in this case would be 1.2.4-1ubuntu0.8.10. However, as Jaunty has version 1.2.4-1, which is lower than 1.2.4-1ubuntu0.8.10 («dpkg --compare-versions 1.2.4-1 gt 1.2.4-1ubuntu0.8.10; echo $?»), I think in this case 1.2.4-0ubuntu0.8.10 should be used.

[I have not worked with security updates before, please correct me if I'm wrong].

Changed in libphp-snoopy:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Vincenzo, thank you for your work on this, however I cannot process your patch for Intrepid, because we do not do full version upgrades for security patches in Ubuntu. Instead, we backport fixes to the version in the release version of Ubuntu. Perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Once you have submitted debdiffs, please mark the bug as 'In Progress' and comment on the testing performed.

Changed in libphp-snoopy:
status: In Progress → Confirmed
Vincenzo Ampolo (vincenzo-ampolo) wrote :

Here is the diff.tar.gz you have requested according to SecurityUpdateProcedures.

If there is something wrong, please tell me and I'll fix it.

About the QA regression testing, I spoke with rainct and he said:

"I guess you can skip that, considering that the fix comes from upstream, that the new version has been in Jaunty for a while and that it's just an one-liner."

Let me know if I should do more :)

Changed in libphp-snoopy:
status: Confirmed → In Progress
Vincenzo Ampolo (vincenzo-ampolo) wrote :

Sorry, as rainct suggested to me, here is a debdiff.

Vincenzo Ampolo (vincenzo-ampolo) wrote :

Sorry, that debdiff and the diff.gz were wrong due to a problem in the control file; here is the right one (I hope).

Changed in libphp-snoopy:
assignee: vincenzo-ampolo → nobody
status: In Progress → Triaged
Changed in libphp-snoopy:
status: Triaged → In Progress
Marc Deslauriers (mdeslaur) wrote :

Thanks for the updated debdiff Vincenzo. Here are my comments:

- The patch doesn't actually get applied when the package is built. You need to modify the debian/rules file. See: https://wiki.ubuntu.com/PackagingGuide/PatchSystems
- The patch isn't tagged. Please tag it according to: https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

Once you have submitted debdiffs, please mark the bug as 'In Progress' and comment on the testing performed.

Changed in libphp-snoopy:
assignee: nobody → mdeslaur
status: In Progress → Incomplete
Vincenzo Ampolo (vincenzo-ampolo) wrote :

Attached is a new debdiff; it should be ok this time.

As you can see the patch gets applied now:

make[1]: Leaving directory `/home/goshawk/Documents/Projects/MOTU/libphp-snoopy/libphp-snoopy-1.2.3'
if [ "debian/stamp-patched" = "reverse-patches" ]; then rm -f debian/stamp-patched; fi
patches: debian/patches/CVE-2008-4796.patch
Trying patch debian/patches/CVE-2008-4796.patch at level 1 ... success.

Currently I've not performed any test because it's a patch that comes directly from upstream, and this patch is also included in version 1.2.4, which differs from 1.2.3 by this patch only.

And as said in comment 8, RainCT, the MOTU who is mentoring me, said that:
"I guess you can skip that, considering that the fix comes from upstream, that the new version has been in Jaunty for a while and that it's just an one-liner."

By the way, if you still want to perform a test, let me know which kind and I'll do it.

Changed in libphp-snoopy:
status: Incomplete → In Progress
Siegfried Gevatter (rainct) wrote :

(Vincenzo: You should still test that it builds correctly (if possible in a chroot, see http://bloc.eurion.net/archives/2009/test-build-debian-packages/) and installs correctly and that the fix is really there; this should always be done. I was only answering to the fragment you quoted, as in that I'll not ask you to write a test program to see that it works or something like that; sorry if that was unclear.)

Vincenzo Ampolo (vincenzo-ampolo) wrote :

I set up an intrepid pbuilder environment, made it compile and install the package, then with an editor I verified that the patch got applied this time.

The package compiles and installs for me in a clean environment.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff Vincenzo, the intrepid package is building now and will be released soon.

Changed in libphp-snoopy:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libphp-snoopy - 1.2.3-2ubuntu0.1

---------------
libphp-snoopy (1.2.3-2ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: execute arbitrary commands via shell metacharacters in https URLs (LP: #292923)
    - changed Snoopy.class.php with patch from version 1.2.4 in ubuntu jaunty
    - CVE-2008-4796

 -- Vincenzo Ampolo <email address hidden> Sat, 28 Feb 2009 16:48:59 +0100

Changed in libphp-snoopy:
status: Fix Committed → Fix Released
Vincenzo Ampolo (vincenzo-ampolo) wrote :

Here is the debdiff for hardy.

I did the same work for hardy too and tried to build it; once built, I installed it in a pbuilder environment and then checked that the patch got applied.

Changed in libphp-snoopy:
status: Confirmed → In Progress
Kees Cook (kees) wrote :

Thanks for the hardy debdiff! I updated your changelog to include the "-security" pocket, and it is building now. It should be published shortly in the archive.

Changed in libphp-snoopy:
assignee: nobody → kees
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libphp-snoopy - 1.2.3-1ubuntu0.1

---------------
libphp-snoopy (1.2.3-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: execute arbitrary commands via shell metacharacters in
    https URLs (LP: #292923)
    - changed Snoopy.class.php with patch from version 1.2.4 in ubuntu jaunty
    - CVE-2008-4796

 -- Vincenzo Ampolo <email address hidden> Fri, 06 Mar 2009 20:58:09 +0100

Changed in libphp-snoopy:
status: Fix Committed → Fix Released
Changed in debian:
status: Unknown → Fix Released