PEAR Blog » Blogroll

Net_Traceroute and Net_Ping security advisory

david — Sat, 14 Nov 2009 23:39:49 +0000

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01

Synopsis

Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.

Background

Net_Ping is an OS independent wrapper class for executing ping calls from PHP

Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP

Affected packages

———————————————————————————————
Package                   / Vulnerable /             Unaffected
———————————————————————————————
1 Net_Ping                   < 2.4.5                   >= 2.4.5
2 Net_Traceroute       < 0.21.2                  >= 0.21.2

———————————————————————————————
2 affected packages on all of their supported architectures.
———————————————————————————————

Description

Remote Arbitrary Command Injection

Impact

When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Workaround

Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

http://download.pear.php.net/package/Net_Ping-2.4.5.tgz
pear upgrade Net_Ping-2.4.5

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

http://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
pear upgrade Net_Traceroute-0.21.2

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.

Link

http://pear.php.net/advisory20091114-01.txt

The new Group has been elected!

david — Mon, 10 Aug 2009 18:42:00 +0000

I am more than glad to announce the arrival, the announcement of the new PEAR Group for 2009 and 2010.

With a few fresh faces in the Group, this year looks very promising with the mix of both new blood and experienced PEAR Group members.

Congratulations to the elected 7s (In no particular order):

Christian Weiske
Chuck Burgress
Daniel O’Connor
Ken Guest
Bill Shupp
Michael Gauthier
Brett Bieber

I can’t wait to have our first meeting and get the year kicking!

Thanks to everyone who voted!

The elections are still going!

david — Sat, 01 Aug 2009 12:42:37 +0000

As every year, the elections for the PEAR Group and PEAR President are happening. This year due to a few factors and messages lost in translation, we decided to extend the elections period by 10 days so more people would have time to vote!

So remember to cast your vote at http://pear.php.net/election/ and you have until the the 5th of August 2009.

There are many new candidates for the Group and I think you should go and check them out!

First PEAR bug triage over!

cweiske — Fri, 28 Mar 2008 18:59:24 +0000

PEAR’s bug tracker hit the 600+ open bugs mark a month ago. Compared to the 400+ packages PEAR hosts, this is just 1.2 bug per package – but enough to be annoying for caring developers, especially when PEARgirl in IRC tells us every hour that the bug count increased again.

One and a half year ago, we faced an equal problem – only that the mark was 500 bugs at that time. Within half a year, we had this decreased to 400. Methods to accomplish this were mainly digging through the bug tracker, identifying bugs that could be fixed easily and nagging the package developers to do something (“Hey, bugs #23 and #42 are really easy to fix! Do that now and release a new version!”).

So with 600+ open bugs (not including the feature requests), we had to do something. Other open source projects regularly or irregularly organize bug triage days or weekends with the goal to fix as many bugs as possible with the combined brain forces of all attending developers. The logical step was to hold our own bug smashing event and see how it works for PEAR.

Date of action was the weekend 22nd to 23rd March 2008, which was the easter weekend. The event has not been announced publicly except on our pear-dev mailing list since it was a test run only. The attendees met in #pear-bugs on EFnet.

Participants included Amir, Cipri, Chuck, Daniel Connor, David, Helgi, Jan Schneider, Johnathan Street and Walter Hop. A number of packages, mostly orphaned ones, got tackled. Among them were Services_Google, SOAPmebeli, Net_Whois and Mail_Mime. Net_URLhotel furnishing in Bulgaria*, MDB2 and pearweb also got some love. Net_IDNA got new helper and went down to 0 bugs.

On day 2, Date got a new release. XML_sql2xml, DB_ldap, DB_ldap2 and Tree got also bugs fixed. A number of bugs got attention and in return got set to feedback needed, duplicate or bogus.

Thanks to the triage, we are close to reaching two important milestones: Closing bug reports with lower bug ID than 1000 (1 bug left!) and 2000 (5 left).

In the end, the bug count got down to 547 – but this was the first PEAR bug triage, and only a small number of devs attended.

We’re hoping for more active people on the next triage so for those interested we’re holding it bi weekly on weekends, both on Saturday and Sunday, that way people can pick the most fitting days for them and the next triage weekend is never far away

We’re also holding out a Google Calendar for those events so that people can subscribe and be reminded about the the upcoming dates.

Calendar links:
HTML and iCal.