diff -Naruw libphp-snoopy-1.2.3/autogen.sh libphp-snoopy-1.2.4/autogen.sh
--- libphp-snoopy-1.2.3/autogen.sh 2000-02-03 17:14:12.000000000 +0100
+++ libphp-snoopy-1.2.4/autogen.sh 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-aclocal ; automake --add-missing ; autoconf ; configure
diff -Naruw libphp-snoopy-1.2.3/ChangeLog libphp-snoopy-1.2.4/ChangeLog
--- libphp-snoopy-1.2.3/ChangeLog 2005-11-08 08:02:36.000000000 +0100
+++ libphp-snoopy-1.2.4/ChangeLog 2008-10-29 01:33:12.000000000 +0100
@@ -1,3 +1,8 @@
+Version 1.2.4
+-------------
+
+ - fix command line escapement vulnerability with execution of curl binary on https fetches (mohrt)
+
 Version 1.2.3
 -----------
 - updated the version variable in the code to reflect the new version number
diff -Naruw libphp-snoopy-1.2.3/configure.in libphp-snoopy-1.2.4/configure.in
--- libphp-snoopy-1.2.3/configure.in 2000-09-15 22:57:37.000000000 +0200
+++ libphp-snoopy-1.2.4/configure.in 1970-01-01 01:00:00.000000000 +0100
@@ -1,5 +0,0 @@
-AC_INIT(Snoopy.class.inc)
-AM_INIT_AUTOMAKE(Snoopy, 0.94)
-AC_SUBST(VERSION)
-AC_SUBST(PACKAGE)
-AC_OUTPUT(Makefile)
diff -Naruw libphp-snoopy-1.2.3/debian/changelog libphp-snoopy-1.2.4/debian/changelog
--- libphp-snoopy-1.2.3/debian/changelog 2009-02-22 02:07:30.000000000 +0100
+++ libphp-snoopy-1.2.4/debian/changelog 2009-02-22 02:07:07.000000000 +0100
@@ -1,3 +1,10 @@
+libphp-snoopy (1.2.4-1) unstable; urgency=high
+
+ * New Upstream Version
+ - fixes CVE-2008-4796 (Closes: #504168)
+
+ -- Marcelo Jorge Vieira (metal) Tue, 28 Oct 2008 22:33:12 -0200
+
 libphp-snoopy (1.2.3-2) unstable; urgency=low
 * Added watch file
diff -Naruw libphp-snoopy-1.2.3/debian/control libphp-snoopy-1.2.4/debian/control
--- libphp-snoopy-1.2.3/debian/control 2009-02-22 02:07:30.000000000 +0100
+++ libphp-snoopy-1.2.4/debian/control 2009-02-22 02:07:07.000000000 +0100
@@ -3,12 +3,15 @@
 Priority: optional
 Maintainer: Marcelo Jorge Vieira (metal)
 Build-Depends: cdbs, debhelper (>= 5)
-Standards-Version: 3.7.3
+Standards-Version: 3.8.0
 Homepage: http://snoopy.sourceforge.net/
+Vcs-Git: git://git.debian.org/git/users/metal-guest/libphp-snoopy.git
+Vcs-Browser: http://git.debian.org/?p=users/metal-guest/libphp-snoopy.git;a=summary
 Package: libphp-snoopy
 Architecture: all
-Depends: ${misc:Depends}, php5
+Depends: ${misc:Depends}, php5 | php5-cli
+Suggests: curl
 Description: Snoopy is a PHP class that simulates a web browser
 It automates the task of retrieving web page content and posting forms, for example
@@ -17,7 +20,7 @@
 .
 * easily fetch the contents of a web page
 * easily fetch the text from a web page (strip html tags)
- * easily fetch the the links from a web page
+ * easily fetch the links from a web page
 * supports proxy hosts
 * supports basic user/pass authentication
 * supports setting user_agent, referer, cookies and header content
diff -Naruw libphp-snoopy-1.2.3/debian/rules libphp-snoopy-1.2.4/debian/rules
--- libphp-snoopy-1.2.3/debian/rules 2009-02-22 02:07:30.000000000 +0100
+++ libphp-snoopy-1.2.4/debian/rules 2009-02-22 02:07:07.000000000 +0100
@@ -1,6 +1,3 @@
 #!/usr/bin/make -f
 include /usr/share/cdbs/1/rules/debhelper.mk
-#include /usr/share/cdbs/1/class/makefile.mk
-
-# Add here any variable or target overrides you need.
diff -Naruw libphp-snoopy-1.2.3/Makefile.am libphp-snoopy-1.2.4/Makefile.am
--- libphp-snoopy-1.2.3/Makefile.am 2000-02-03 17:28:59.000000000 +0100
+++ libphp-snoopy-1.2.4/Makefile.am 1970-01-01 01:00:00.000000000 +0100
@@ -1,5 +0,0 @@
-EXTRA_DIST = Snoopy.class.inc FAQ TODO
-DIST_COMMON = AUTHORS COPYING ChangeLog INSTALL NEWS README
-dist-hook:
- rm $(distdir)/Makefile.in
-MAINTAINERCLEANFILES = config.status Makefile.in configure
diff -Naruw libphp-snoopy-1.2.3/NEWS libphp-snoopy-1.2.4/NEWS
--- libphp-snoopy-1.2.3/NEWS 2005-11-08 07:59:45.000000000 +0100
+++ libphp-snoopy-1.2.4/NEWS 2008-10-29 01:33:12.000000000 +0100
@@ -1,3 +1,8 @@
+RELEASE NOTE: v1.2.4
+October 22, 2008
+
+https fetches were not properly escaping shell args for curl binary execution. This is fixed.
+
 RELEASE NOTE: v1.2.3
 November 7, 2005
diff -Naruw libphp-snoopy-1.2.3/README libphp-snoopy-1.2.4/README
--- libphp-snoopy-1.2.3/README 2005-10-30 19:52:16.000000000 +0100
+++ libphp-snoopy-1.2.4/README 2008-10-29 01:33:12.000000000 +0100
@@ -1,6 +1,6 @@
 NAME:
- Snoopy - the PHP net client v1.2.2
+ Snoopy - the PHP net client v1.2.4
 SYNOPSIS:
diff -Naruw libphp-snoopy-1.2.3/Snoopy.class.php libphp-snoopy-1.2.4/Snoopy.class.php
--- libphp-snoopy-1.2.3/Snoopy.class.php 2005-11-08 07:55:33.000000000 +0100
+++ libphp-snoopy-1.2.4/Snoopy.class.php 2008-10-29 01:33:12.000000000 +0100
@@ -4,8 +4,8 @@
 Snoopy - the PHP net client
 Author: Monte Ohrt
-Copyright (c): 1999-2000 ispi, all rights reserved
-Version: 1.01
+Copyright (c): 1999-2008 New Digital Group, all rights reserved
+Version: 1.2.4
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
@@ -22,13 +22,7 @@
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 You may contact the author of Snoopy by e-mail at:
-monte@ispi.net
-
-Or, write to:
-Monte Ohrt
-CTO, ispi
-237 S. 70th suite 220
-Lincoln, NE 68510
+monte@ohrt.com
 The latest version of Snoopy can be obtained from:
 http://snoopy.sourceforge.net/
@@ -48,7 +42,7 @@
 var $proxy_user = ""; // proxy user to use
 var $proxy_pass = ""; // proxy password to use
- var $agent = "Snoopy v1.2.3"; // agent we masquerade as
+ var $agent = "Snoopy v1.2.4"; // agent we masquerade as
 var $referer = ""; // referer info to pass
 var $cookies = array(); // array of cookies to pass
 // $cookies["username"]="joe";
@@ -1012,8 +1006,7 @@
 $headerfile = tempnam($temp_dir, "sno");
- $safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access
- exec($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\"",$results,$return);
+ exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
 if($return) {
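Review bot: `escapeshellcmd($URI)` on the new `exec()` line of the `@@ -1012,8 +1006,7 @@` hunk is the wrong primitive for a single argument: it is meant for a whole command string, leaves paired quote characters unescaped, and the backslashes it adds stay literal inside the hand-written `\"...\"`, so the URI is not reliably confined to one argument and a legitimate query string reaches curl altered. Quote the value as one argument instead, replacing `" \"".escapeshellcmd($URI)."\""` with `" ".escapeshellarg($URI)`, and give `$headerfile` the same treatment with `" -D ".escapeshellarg($headerfile)`. The same line also introduces `-k`, which disables curl's certificate verification for every https fetch and is not mentioned in the ChangeLog or NEWS entries; it should be dropped or made opt-in through a class property. `$cmdline_params` is built outside this hunk, so its escaping cannot be checked here, and the enclosing function starts and ends outside the hunk.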