please unblock libphp-snoopy/1.2.4-1



Dear Release Team,

I'd like to ask you to unblock libphp-snoopy/1.2.4-1 for Lenny.
While being a new upstream release with a quite big diff, the only
relevant code change is the fix for CVE-2008-4796 in Snoopy.class.php:

@@ -1012,8 +1006,7 @@
 		
 		$headerfile = tempnam($temp_dir, "sno");
 
-		$safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access
-		exec($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\"",$results,$return);
+		exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
 		
 		if($return)
 		{
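
Review bot: On the added exec() line, escapeshellcmd($URI) sits inside hand-written double quotes, but escapeshellcmd() is meant for a whole command string and leaves paired quote characters unescaped, so quoting inside the URI is not reliably neutralised; escapeshellarg($URI), with the surrounding \" removed, is the function intended for a single argument. The same line also adds -k to the curl invocation, which turns off TLS certificate verification for every HTTPS fetch and is not mentioned as part of the CVE-2008-4796 fix; it deserves its own justification or an opt-in setting.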

The rest are documentation changes from upstream plus some minor
packaging cleanup from the maintainer (Standards-Version, Vcs-* headers etc).
These should not hurt anyone.
Having 1.2.4-1 in Lenny would allow wordpress to depend on it fixing a
security bug (#504234 - wordpress includes a copy of the vulnerable snoopy version).

Kind regards
Evgeni Golov
