Date: Sat, 1 Nov 2008 23:01:15 +1100
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security <oss-security@...ts.openwall.com>
Cc: coley@...re.org
Subject: CVE-2008-4796: snoopy triage

Hi

I thought I'd share the outcome of my snoopy triage for Debian.
I had a look at upstream's patch[0] and compared it with packages in debian.

We had 6 packages including the file Snoopy.class.php; all were vulnerable.
List of packages:
ampache: /usr/share/ampache/www/modules/infotools/Snoopy.class.php
libphp-snoopy: /usr/share/php/libphp-snoopy/Snoopy.class.php
mahara: /usr/share/mahara/lib/snoopy/Snoopy.class.php
mediamate: /usr/share/mediamate/Snoopy.class.php
opendb: /usr/share/opendb/functions/Snoopy.class.php
pixelpost: /usr/share/pixelpost/addons/_defensio/libraries/Snoopy.class.php

I haven't checked how they depend on the Snoopy.class.php file yet.
Of course there might be more out there and included in other distributions, 
so don't assume that this is all. The packages in Debian duplicating the 
source should just depend on the libphp-snoopy package, which in Debian is 
the snoopy upstream package.

Steve, do you want to update the CVE description to reflect that the file is 
included in several other packages?

Cheers
Steffen

[0]: http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
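The triage described in the message comes down to locating every embedded copy of Snoopy.class.php on a system and checking which copies still differ from the canonical one shipped by libphp-snoopy. The shell script below is an added example, not part of the original post and not tooling from Debian or the Snoopy project: it builds a constructed directory tree mirroring the six paths listed above (the file contents, and the choice of the libphp-snoopy path as the canonical copy, are assumptions for the fixture), then reports every copy whose digest differs from that canonical file. On a real host you would run the same functions against / and map each hit to its owning package with dpkg -S.

```shell
#!/bin/sh
# Added example (not from the original post, Debian, or the Snoopy project):
# find embedded copies of a library file and report those that diverge
# from the canonical packaged copy. The fixture below is constructed.

# find_copies ROOT NAME: print every file called NAME below ROOT, sorted.
find_copies() {
    find "$1" -type f -name "$2" | sort
}

# file_digest FILE: sha256 of a file, using whichever tool is installed.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# diverging_copies ROOT CANONICAL NAME: print each copy of NAME under ROOT
# whose digest differs from CANONICAL, the copy shipped by the library
# package. A byte-identical copy is assumed to carry the same fix; anything
# else needs manual review against the upstream patch.
diverging_copies() {
    scan_root=$1; canonical=$2; name=$3
    want=$(file_digest "$canonical")
    find_copies "$scan_root" "$name" | while IFS= read -r f; do
        [ "$f" = "$canonical" ] && continue
        [ "$(file_digest "$f")" = "$want" ] || printf '%s\n' "$f"
    done
}

# make_fixture: build a constructed tree with the six paths from the post.
# The canonical copy and one other (mahara) get identical "fixed" contents;
# the remaining four get different "old" contents. Prints the tree root.
make_fixture() {
    fixture_root=$(mktemp -d)
    for p in usr/share/php/libphp-snoopy \
             usr/share/ampache/www/modules/infotools \
             usr/share/mahara/lib/snoopy \
             usr/share/mediamate \
             usr/share/opendb/functions \
             usr/share/pixelpost/addons/_defensio/libraries; do
        mkdir -p "$fixture_root/$p"
    done
    printf '<?php // snoopy, fixed (constructed)\n' \
        > "$fixture_root/usr/share/php/libphp-snoopy/Snoopy.class.php"
    cp "$fixture_root/usr/share/php/libphp-snoopy/Snoopy.class.php" \
       "$fixture_root/usr/share/mahara/lib/snoopy/Snoopy.class.php"
    for p in usr/share/ampache/www/modules/infotools usr/share/mediamate \
             usr/share/opendb/functions \
             usr/share/pixelpost/addons/_defensio/libraries; do
        printf '<?php // snoopy, old (constructed)\n' > "$fixture_root/$p/Snoopy.class.php"
    done
    printf '%s\n' "$fixture_root"
}

# count_diverging ROOT: number of embedded copies differing from the
# canonical libphp-snoopy copy under ROOT.
count_diverging() {
    diverging_copies "$1" "$1/usr/share/php/libphp-snoopy/Snoopy.class.php" \
        Snoopy.class.php | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed fixture. On a real system, run e.g.:
#   diverging_copies / /usr/share/php/libphp-snoopy/Snoopy.class.php Snoopy.class.php
demo_root=$(make_fixture)
diverging_copies "$demo_root" \
    "$demo_root/usr/share/php/libphp-snoopy/Snoopy.class.php" Snoopy.class.php
rm -rf "$demo_root"
```

The digest comparison only tells you which copies are not byte-identical to the packaged library; a copy that differs may be older, locally modified, or already patched in a different way, so each reported path still needs the upstream patch compared against it by hand, as the message describes.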
