libphp-snoopy: CVE-2008-7313 / CVE-2014-5008


Debian Bug report logs - #778634


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 17 Feb 2015 18:12:02 UTC

Severity: grave

Tags: security

Fixed in version libphp-snoopy/2.0.0-1

Done: Marcelo Jorge Vieira <metal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#778634; Package libphp-snoopy. (Tue, 17 Feb 2015 18:12:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>. (Tue, 17 Feb 2015 18:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-7313 / CVE-2014-5008
Date: Tue, 17 Feb 2015 19:08:55 +0100
Package: libphp-snoopy
Severity: grave
Tags: security

That's all fairly messy:

The fix for CVE-2008-4796 was incomplete in several ways:

- First attempt to fix it was this
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.27
The fix was assigned CVE-2008-7313.

- But this one was incomplete as well:
http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/
The second fix was assigned CVE-2014-5008:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.29
(it's full of whitespace noise, though).

Cheers,
        Moritz



Changed Bug title to 'libphp-snoopy: CVE-2008-7313 / CVE-2014-5008' from 'CVE-2008-7313 / CVE-2014-5008'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 Feb 2015 21:09:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#778634; Package libphp-snoopy. (Tue, 24 Feb 2015 15:09:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Tue, 24 Feb 2015 15:09:04 GMT)


Message #12 received at 778634@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Marcelo Jorge Vieira <metal@debian.org>
Cc: debian-lts@lists.debian.org, 778634@bugs.debian.org
Subject: squeeze update of libphp-snoopy?
Date: Tue, 24 Feb 2015 16:07:56 +0100
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libphp-snoopy:
https://security-tracker.debian.org/tracker/CVE-2014-5008
https://security-tracker.debian.org/tracker/CVE-2008-7313

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#778634; Package libphp-snoopy. (Tue, 24 Feb 2015 19:33:10 GMT)


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Tue, 24 Feb 2015 19:33:10 GMT)


Message #17 received at 778634@bugs.debian.org:

From: Marcelo Jorge Vieira <metal@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, 778634@bugs.debian.org
Cc: debian-lts@lists.debian.org
Subject: Re: Bug#778634: squeeze update of libphp-snoopy?
Date: Tue, 24 Feb 2015 16:21:26 -0300
Hi,

On Tue, 2015-02-24 at 16:07 +0100, Raphael Hertzog wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of libphp-snoopy:
> https://security-tracker.debian.org/tracker/CVE-2014-5008
> https://security-tracker.debian.org/tracker/CVE-2008-7313
> 
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.

No problem for me, I will fix it for all releases (including Squeeze).

Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com

Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#778634; Package libphp-snoopy. (Wed, 25 Feb 2015 20:21:10 GMT)


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Wed, 25 Feb 2015 20:21:10 GMT)


Message #22 received at 778634@bugs.debian.org:

From: Marcelo Jorge Vieira <metal@debian.org>
To: team@security.debian.org
Cc: 778634@bugs.debian.org
Subject: CVE-2008-7313 / CVE-2014-5008
Date: Wed, 25 Feb 2015 17:17:28 -0300
Hello Security team,

I fixed the CVE-2008-7313 and CVE-2014-5008 in the libphp-snoopy
package.

The current libphp-snoopy package is 1.2.4-2 and it is the same for
squeeze, wheezy, jessie and sid.

As the Snoopy upstream made many incomplete fixes and it is full of
whitespace noise (Revision 1.27 until 1.35) [0], I'm packaging the last
stable release (2.0.0) and I intend to upload it to all Debian
releases. 

[0] http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.27


What do you think about it?

Attached you will find the debdiff.

Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com
[CVE-2008-7313_CVE-2014-5008.debdiff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#778634; Package libphp-snoopy. (Thu, 05 Mar 2015 18:15:13 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Thu, 05 Mar 2015 18:15:14 GMT)


Message #27 received at 778634@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Marcelo Jorge Vieira <metal@debian.org>
Cc: team@security.debian.org, 778634@bugs.debian.org
Subject: Re: CVE-2008-7313 / CVE-2014-5008
Date: Thu, 5 Mar 2015 19:13:06 +0100
On Wed, Feb 25, 2015 at 05:17:28PM -0300, Marcelo Jorge Vieira wrote:
> Hello Security team,
> 
> I fixed the CVE-2008-7313 and CVE-2014-5008 in the libphp-snoopy
> package.
> 
> The current libphp-snoopy package is 1.2.4-2 and it is the same for
> squeeze, wheezy, jessie and sid.
> 
> As the Snoopy upstream made many incomplete fixes and it is full of
> whitespace noise (Revision 1.27 until 1.35) [0], I'm packaging the last
> stable release (2.0.0) and I intend to upload it to all Debian
> releases. 

Hi Marcelo,

Given the mess in upstream development I agree that updating to 2.0.0
(in wheezy-security and jessie) would be the sanest option.

Did you test the reverse deps in wheezy and jessie to check whether
they are compatible?

wordpress (wheezy)
libphp-magpierss (jessie/wheezy)
ampache (jessie)

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#778634; Package libphp-snoopy. (Sat, 14 Mar 2015 16:51:05 GMT)


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Sat, 14 Mar 2015 16:51:05 GMT)


Message #32 received at 778634@bugs.debian.org:

From: Marcelo Jorge Vieira <metal@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, 778634@bugs.debian.org
Subject: Re: CVE-2008-7313 / CVE-2014-5008
Date: Sat, 14 Mar 2015 13:50:10 -0300
Hi Moritz,

On Thu, 2015-03-05 at 19:13 +0100, Moritz Mühlenhoff wrote:
> Did you test the reverse deps in wheezy and jessie to check whether
> they are compatible?
> 
> wordpress (wheezy)
> libphp-magpierss (jessie/wheezy)
> ampache (jessie)

No, I didn't. But I will do it today and I will upload the new
libphp-snoopy package to unstable now.


Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com

Reply sent to Marcelo Jorge Vieira <metal@debian.org>:
You have taken responsibility. (Sat, 14 Mar 2015 17:51:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 14 Mar 2015 17:51:10 GMT)


Message #37 received at 778634-close@bugs.debian.org:

From: Marcelo Jorge Vieira <metal@debian.org>
To: 778634-close@bugs.debian.org
Subject: Bug#778634: fixed in libphp-snoopy 2.0.0-1
Date: Sat, 14 Mar 2015 17:48:46 +0000
Source: libphp-snoopy
Source-Version: 2.0.0-1

We believe that the bug you reported is fixed in the latest version of
libphp-snoopy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778634@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcelo Jorge Vieira <metal@debian.org> (supplier of updated libphp-snoopy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 24 Feb 2015 20:52:54 -0300
Source: libphp-snoopy
Binary: libphp-snoopy
Architecture: source all
Version: 2.0.0-1
Distribution: unstable
Urgency: high
Maintainer: Marcelo Jorge Vieira <metal@debian.org>
Changed-By: Marcelo Jorge Vieira <metal@debian.org>
Description:
 libphp-snoopy - Snoopy is a PHP class that simulates a web browser
Closes: 778634
Changes:
 libphp-snoopy (2.0.0-1) unstable; urgency=high
 .
   * New upstream release:
     + Fixes: CVE-2008-7313 and CVE-2014-5008 (Closes: #778634)
     + Remove curl dependency
   * Control:
     + Remove trailing spaces
     + Use canonical Vcs-fields
     + Updated Standards-Version to 3.9.6 (no changes)
   * Switch to dpkg-source 3.0 (quilt) format
Checksums-Sha1:
 8053409e93f65df88d7c06f8b64ab100f191a469 1874 libphp-snoopy_2.0.0-1.dsc
 45e2632ba20b1cc960293daa0f81e763752a46d5 22090 libphp-snoopy_2.0.0.orig.tar.gz
 38b0760ae47962603aec7159bac9171c6c92025a 2256 libphp-snoopy_2.0.0-1.debian.tar.xz
 0ccd86d3bd5e02ca5886f965fdf3829b8e1677e4 16188 libphp-snoopy_2.0.0-1_all.deb
Checksums-Sha256:
 679164eaf79016e3e0265ee0ebf81f8eba4f9cd8e673d60f860439d7f29c8f0e 1874 libphp-snoopy_2.0.0-1.dsc
 3477fdf3db8c877dc0a389b18595c98d39e0e77a12cd5d2587c882d6f564a533 22090 libphp-snoopy_2.0.0.orig.tar.gz
 aca452f6ca8d4512a11487d5adba3ae3f69c17063679900dab34890feaa5f523 2256 libphp-snoopy_2.0.0-1.debian.tar.xz
 0610c167fb26d2c2376a6f40dbb9c4c795f90269e8df6f52da4efc99bb04a8b6 16188 libphp-snoopy_2.0.0-1_all.deb
Files:
 0900155b90ce9e3ce35388ff64bfaf4d 1874 php optional libphp-snoopy_2.0.0-1.dsc
 268585d4a2612ed70d16608134cd24a4 22090 php optional libphp-snoopy_2.0.0.orig.tar.gz
 9c3661ce9196c31b935b31fbb5c8e4a8 2256 php optional libphp-snoopy_2.0.0-1.debian.tar.xz
 16aefda39f817ca0954a7052cdaf8a61 16188 php optional libphp-snoopy_2.0.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVBG7kAAoJEFuSTuMQBVzT7w8P/2n8Y6P1Trscx9K2jVv8C1hN
zexPinF1CaoU8vJrarOoSkovmm3X9fGFcv36zdHV2OmDwXa9UYHUY84b4ORFbHOz
Y0Vo4HGAMbxnGLlQ8NUUQBjBr5Yoco1Xx6TjUSf4Zrq+faltzza1Img6oxCAibWX
bNLe4hVvWyD7lhNuczmcIp6wxKOVAbwkCRQy5PsD6WbVHTOd3GsJQ1GWLzp2uwzW
A+yyziV87KhRc2K4mx1ZI14YzsKcWRMIWyb9qtHn9SrSOqbYTtoPbIq8hA+sJkcC
fAhlc0y+0mvKQ0bgUzMUaOlRPYsRKHvSQrtPoMOMtqdLFMVKTFFyaevSPFLTGb9u
PjbocWBHPDK4wO5PoAEBIEBLN7Ae1+64hrteS84Z7R8fl4nYMr9l3tmIg5qkMz3E
cIsTBLDxJchslllxGFRsteDjOTbNTABHNgtYSNgQC5NrFEMd5o7FDCZ13q/OqEqz
jvNtt9qQ4K8Ib2Z0rlCG4x/MAAkK3iP9lyjNDwB+23xNCLs9z5+Qk1QljpDBJUQC
vOIZB6ynT169+3g4VKh7yvHQiW6kb3H+WvMx+JdwOe23A0I2nrE0T/CKQwk021TO
Y3UgfC7MqJALF8qCrQvfSw21Onj6JXjYvYKM4hoD4vgrZ7aug2PNPtekasiLpBoz
TW5Y3Z4WHVJXywiKxr0x
=w1T/
-----END PGP SIGNATURE-----
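The Checksums-Sha256 field in the .changes file above is what lets anyone who fetched libphp-snoopy_2.0.0-1 from a mirror confirm they hold the same files the maintainer signed. The following is an added example, not code from this bug report, from Debian's tooling (dpkg and dak do this for real) or from Snoopy: it parses the .changes fields, stops correctly before a PGP signature block when the file is clearsigned, and checks a directory of files against the listed sizes and digests. SAMPLE_CHANGES copies the checksum lines from the close message; the file names and contents in demo() are constructed for the example. It does not verify the PGP signature itself; run gpg on the .changes first, because unsigned checksums only tell you the download was not corrupted, not who produced it.

```python
"""Verify an upload against the Checksums-Sha256 field of a Debian .changes.
Added example for bug #778634; not Debian tooling. Names are the example's own."""
import hashlib
import hmac
import os
import re
import tempfile

# Copied from the .changes quoted in the close message (other fields omitted).
SAMPLE_CHANGES = """\
Format: 1.8
Source: libphp-snoopy
Version: 2.0.0-1
Checksums-Sha256:
 679164eaf79016e3e0265ee0ebf81f8eba4f9cd8e673d60f860439d7f29c8f0e 1874 libphp-snoopy_2.0.0-1.dsc
 3477fdf3db8c877dc0a389b18595c98d39e0e77a12cd5d2587c882d6f564a533 22090 libphp-snoopy_2.0.0.orig.tar.gz
 aca452f6ca8d4512a11487d5adba3ae3f69c17063679900dab34890feaa5f523 2256 libphp-snoopy_2.0.0-1.debian.tar.xz
 0610c167fb26d2c2376a6f40dbb9c4c795f90269e8df6f52da4efc99bb04a8b6 16188 libphp-snoopy_2.0.0-1_all.deb
Files:
 0900155b90ce9e3ce35388ff64bfaf4d 1874 php optional libphp-snoopy_2.0.0-1.dsc
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_changes(text):
    """Parse the RFC822-style fields into {field: [value, continuation...]}.
    A clearsigned file is accepted: the armor header ("Hash: ...") is skipped
    and parsing stops at the signature block, so "Version: GnuPG v1" inside
    the signature can never overwrite the package's Version field."""
    fields, current, in_armor_header = {}, None, False
    for line in text.splitlines():
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True
            continue
        if in_armor_header:            # armor header ends at the first blank line
            if line.strip() == "":
                in_armor_header = False
            continue
        if line.startswith((" ", "\t")) and current is not None:
            fields[current].append(line.strip())
        else:
            m = FIELD_RE.match(line)
            if m:
                current = m.group(1)
                fields[current] = [m.group(2)] if m.group(2) else []
    return fields


def checksum_entries(fields):
    """Yield (filename, size, sha256 hex) from Checksums-Sha256."""
    for item in fields.get("Checksums-Sha256", []):
        digest, size, name = item.split()
        yield name, int(size), digest.lower()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(text, directory):
    """Return {filename: status} with status one of
    ok / bad-name / missing / size-mismatch / sha256-mismatch."""
    results = {}
    for name, size, expected in checksum_entries(parse_changes(text)):
        # A .changes must never choose a path for us: reject anything that is
        # not a plain file name in the upload directory.
        if name != os.path.basename(name) or name.startswith("."):
            results[name] = "bad-name"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:   # cheap, catches truncation early
            results[name] = "size-mismatch"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "sha256-mismatch"
    return results


def demo():
    """Constructed run: write two fake upload files, build a Checksums-Sha256
    stanza for them, verify, then flip one byte (same size) and verify again.
    Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as d:
        files = {"pkg_1.0-1.dsc": b"Format: 3.0 (quilt)\n",
                 "pkg_1.0-1_all.deb": b"!<arch>\n" + b"\x00" * 100}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        stanza = "Checksums-Sha256:\n" + "".join(
            " %s %d %s\n" % (hashlib.sha256(data).hexdigest(), len(data), name)
            for name, data in files.items())
        clean = verify_changes(stanza, d)
        with open(os.path.join(d, "pkg_1.0-1_all.deb"), "r+b") as f:
            f.seek(8)
            f.write(b"\x01")
        tampered = verify_changes(stanza, d)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
    print(verify_changes(SAMPLE_CHANGES, "."))   # "missing" unless the files are here
```

Run it in the directory holding the four upload files and every entry comes back "ok"; the size is compared before the file is read because it is free and catches a truncated mirror copy, and the digest comparison uses hmac.compare_digest so a verifier exposed to untrusted input does not leak how many leading bytes matched.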




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#778634; Package libphp-snoopy. (Sun, 15 Mar 2015 01:00:04 GMT)


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. (Sun, 15 Mar 2015 01:00:05 GMT)


Message #42 received at 778634@bugs.debian.org:

From: Marcelo Jorge Vieira <metal@debian.org>
To: 778634@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#778634: CVE-2008-7313 / CVE-2014-5008
Date: Sat, 14 Mar 2015 21:57:19 -0300
Hi Moritz,

On Sat, 2015-03-14 at 13:50 -0300, Marcelo Jorge Vieira wrote:
> Hi Moritz,
> 
> On Thu, 2015-03-05 at 19:13 +0100, Moritz Mühlenhoff wrote:
> > Did you test the reverse deps in wheezy and jessie to check whether
> > they are compatible?
> > 
> > wordpress (wheezy)
> > libphp-magpierss (jessie/wheezy)
> > ampache (jessie)
> 
> No, I didn't. But I will do it today and I will upload the new
> libphp-snoopy package to unstable now.


I made some tests and for me they are compatible. But, it would be
better if somebody else can confirm this.

Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:44:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:28:42 2019; Machine Name: beach
