PHP Bugs  

Bug #33150 shtool: insecure temporary file creation
Submitted: 26 May 2005 1:43pm UTC
Modified: 18 Jun 2005 8:57pm UTC
From: eromang at zataz dot net
Assigned to: sniper
Status: Closed
Category: Compile Failure
Version: 5.*, 4.*
OS: UNIX

[26 May 2005 1:43pm UTC] eromang at zataz dot net
Description:
------------
Hello,

php is using a vulnerable version of shtool.

For more information:

http://www.securityfocus.com/bid/13767?ref=rss

Regards

[29 May 2005 10:25pm UTC] eromang at zataz dot net
Hello,

Below is the patch proposal from the Gentoo Security Team.

https://bugs.gentoo.org/attachment.cgi?id=60117

CAN-2005-1751

Regards.

[30 May 2005 1:02am UTC] sniper@php.net
We'll update the bundled shtool as soon as they release a new version of
it. We will not start patching it ourselves.

[10 Jun 2005 5:18pm UTC] koon at gentoo dot org
Apparently PHP only uses the mkdir and echo commands, neither makes a
tmpfile. So you probably aren't affected by this currently.

[18 Jun 2005 8:57pm UTC] sniper@php.net
We use the 'path' command also, and that one is affected.

[18 Jun 2005 8:57pm UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
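
The exchange above between koon and sniper turns on which shtool subcommands the build actually invokes. As an added example (not part of the thread, and not PHP's or shtool's code), this script lists the shtool call sites in a source tree and reports whether a subcommand from a given affected list is among them; the invocation forms it recognises, the function names and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not PHP's or shtool's own code: report which shtool
# subcommands a build tree invokes and whether an affected one is among them.
# Assumption: shtool is called through a path ending in "shtool" or through
# $SHTOOL, ${SHTOOL} or $(SHTOOL), with the subcommand as the first argument.

# shtool_invocations DIR -> one "subcommand<TAB>file:line" per call site.
# Files named "shtool" (the bundled script itself) are skipped.
shtool_invocations() {
    grep -rnoE --exclude=shtool \
        '(\$[({]?SHTOOL[)}]?|[A-Za-z0-9_./-]*shtool)[[:space:]]+[a-z][a-z0-9-]*' \
        "$1" 2>/dev/null |
    awk '{ cmd = $NF; split($0, p, ":"); print cmd "\t" p[1] ":" p[2] }'
}

# shtool_affected_in_use DIR "cmd1 cmd2 ..." -> prints the listed subcommands
# that the tree really calls; exit status 0 if there is at least one.
shtool_affected_in_use() {
    found=$(shtool_invocations "$1" | cut -f1 | sort -u |
        grep -xF -e "$(printf '%s\n' $2)") || found=""
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Constructed sample tree (not PHP's real build files) for trying the check.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf 'PERL_PATH=`$SHTOOL path perl`\n' > "$d/configure.in"
    printf '\t$(top_srcdir)/build/shtool mkdir -p $(DESTDIR)$(bindir)\n' > "$d/Makefile"
    printf '\t@$(SHTOOL) echo "Installing"\n' >> "$d/Makefile"
    printf '%s\n' "$d"
}

# Usage: sh this_script.sh /path/to/source/tree ["affected commands"]
# The default list holds only "path", the command the thread names as affected.
if [ $# -gt 0 ]; then
    shtool_invocations "$1"
    shtool_affected_in_use "$1" "${2:-path}" | sed 's/^/AFFECTED IN USE: /'
fi
```

Matches are textual, so each reported file:line should be read before concluding that a subcommand is or is not used.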


Last updated: Sat Nov 21 10:30:49 2009 UTC