escapeshellcmd() security fix generates problems with mediawiki and other web-apps

Bug #256014 reported by Daniel Beyer
Affects: php | Status: Unknown | Importance: Unknown
Affects: php5 (Ubuntu) | Status: Won't Fix | Importance: Low | Assigned to: Unassigned

Bug Description

Binary package hint: php5

The following patch causes problems in my installation with mediawiki:

  * debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
    multibyte chars inside escapeshellcmd()

The standard workaround to this is to use something like setlocale(LC_CTYPE,'en_US.UTF-8'). This appears to break the security of escapeshellcmd(), back to how it was in PHP 5.2.5.

Also reported here:
https://bugzilla.wikimedia.org/show_bug.cgi?id=14944
http://bugs.php.net/bug.php?id=45132

See also:
http://news.php.net/php.internals/39747

description: updated
Kees Cook (kees) wrote :

Once there is an upstream fix for this problem, the fixes will be backported to the stable releases. Sorry for the glitch!

Changed in php5:
assignee: nobody → kees
importance: Undecided → Low
status: New → Triaged
Kees Cook (kees)
Changed in php5 (Ubuntu):
assignee: Kees Cook (kees) → nobody
Chuck Short (zulcss)
tags: added: bitesize server-easy-sru
Jamie Strandboge (jdstrand) wrote :

This is fixed in a later version of mediawiki. We don't plan on issuing an update for Ubuntu at this time.

Changed in php5 (Ubuntu):
status: Triaged → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
