Secure testing team - Nov 2008 - mediamate proposed updates for etch and lenny

It was brought to my attention that the Snoopy library shipped in the 
Media Mate packages for etch and lenny has a potential security 
vulnerability[0]

CVE-2008-4796[1]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

While the exploit appears to only pertain to HTTPS requests, which 
mediamate should not be using, it''s better to be safe than sorry. 
I''ve
prepared an updated package for unstable that has already been uploaded 
to the repository.  I''ve also made an attempt to prepare updated 
packages for both etch and lenny.  These are the first such packages 
I''ve made, but I believe I''ve done so correctly.  The packages
are the
same as the versions currently in etch and lenny with the exception of 
the Snoopy update and changelog entry.  As my key has moved to emeritus 
status I''ve signed the packages and placed them on my personal website:

http://www.asgardsrealm.net/tmp/debs/mediamate/

Please let me know if there is anything else I should do, or if the 
packages need any further changes.

-- 
Jamin W. Collins

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504172
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
     http://security-tracker.debian.net/tracker/CVE-2008-4796

Hi

On Tue, 4 Nov 2008 04:24:57 am Jamin W. Collins wrote:
> It was brought to my attention that the Snoopy library shipped in the
> Media Mate packages for etch and lenny has a potential security
> vulnerability[0]
>
> CVE-2008-4796[1]:
> | The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
> | and earlier allows remote attackers to execute arbitrary commands via
> | shell metacharacters in https URLs.  NOTE: some of these details are
> | obtained from third party information.
>
> While the exploit appears to only pertain to HTTPS requests, which
> mediamate should not be using, it''s better to be safe than sorry. 
I''ve
> prepared an updated package for unstable that has already been uploaded
> to the repository.  I''ve also made an attempt to prepare updated
> packages for both etch and lenny.  These are the first such packages
> I''ve made, but I believe I''ve done so correctly.  The
packages are the
> same as the versions currently in etch and lenny with the exception of
> the Snoopy update and changelog entry.  As my key has moved to emeritus
> status I''ve signed the packages and placed them on my personal
website:
>
> http://www.asgardsrealm.net/tmp/debs/mediamate/
>
> Please let me know if there is anything else I should do, or if the
> packages need any further changes.
FYI:
Release team: This issue does not warrant a DSA/DTSA, so with your permission 
it could go through s-p-u/t-p-u.

Cheers
Steffen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081104/49d45af2/attachment.pgp