[Bug 256014] [NEW] escapeshellcmd() security fix generates problems with mediawiki and other web-apps
Daniel Beyer
daniel at beyernet.de
Fri Aug 8 11:08:17 BST 2008
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: php5

The following patch causes problems in my installation with mediawiki:

  * debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
    multibyte chars inside escapeshellcmd()

The standard workaround to this is to use something like
setlocale(LC_CTYPE,'en_US.UTF-8'). This appears to break the security of
escapeshellcmd(), back to how it was in PHP 5.2.5.

Also reported here:
https://bugzilla.wikimedia.org/show_bug.cgi?id=14944
http://bugs.php.net/bug.php?id=45132

See also:
http://news.php.net/php.internals/39747

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** Description changed:
Binary package hint: php5
The following patch causes problems in my installation with mediawiki:
* debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
multibyte chars inside escapeshellcmd()
- The standard workaround to this is to use something like setlocale(LC_CTYPE,'en_US.UTF-8'). This appears to break the security of
+ The standard workaround to this is to use something like
+ setlocale(LC_CTYPE,'en_US.UTF-8'). This appears to break the security of
escapeshellcmd(), back to how it was in PHP 5.2.5.
Also reported here:
https://bugzilla.wikimedia.org/show_bug.cgi?id=14944
http://bugs.php.net/bug.php?id=45132
See also:
http://news.php.net/php.internals/39747
--
escapeshellcmd() security fix generates problems with mediawiki and other web-apps
https://bugs.launchpad.net/bugs/256014