
Fedora 25: php-pear-PHP-CodeSniffer Critical: Arbitrary Code Execution

Distribution: Fedora
Date: March 10, 2017
This update addresses a significant vulnerability in PHP_CodeSniffer on Fedora 25 concerning the handling of shell commands: filenames and configuration values were passed to the shell without escaping.

Summary

PHP_CodeSniffer provides functionality to verify that code conforms to certain standards, such as PEAR, or user-defined.

Update Information:

**Version 2.8.1**

* This release contains a fix for a security advisory related to the improper handling of shell commands
* Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
* A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
* All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
  * e.g., you run PHPCS over libraries that you did not write
  * e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
  * e.g., you allow external tool paths to be set by user-defined values
* If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
  * The diff report
  * The notify-send report
  * The Generic.PHP.Syntax sniff
  * The Generic.Debug.CSSLint sniff
  * The Generic.Debug.Closure...
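The bug class the advisory describes, as an added example (not PHP_CodeSniffer's own code): a syntax-check command built by interpolating an unescaped filename and tool path into the shell, beside the hardened form that passes each value as a single quoted argument. The `$phpBinary` parameter stands in for a user-configurable tool path; the sample filename is constructed.

```php
<?php
// Added example, not taken from PHP_CodeSniffer. Shows the unsafe pattern the
// advisory refers to (unescaped values in a shell command) and its fix.

// Unsafe pattern (the "before"): the tool path and file name go into the
// command string verbatim, so any shell metacharacters in either value are
// interpreted by the shell instead of being treated as part of the name.
function buildSyntaxCheckCommandUnsafe(string $phpBinary, string $file): string
{
    return $phpBinary . ' -l ' . $file . ' 2>&1';
}

// Hardened pattern: escapeshellarg() wraps each untrusted value in single
// quotes and escapes embedded single quotes, so the shell receives exactly
// one literal argument per value regardless of its content.
function buildSyntaxCheckCommandSafe(string $phpBinary, string $file): string
{
    return escapeshellarg($phpBinary) . ' -l ' . escapeshellarg($file) . ' 2>&1';
}

// Defence in depth for tool paths taken from user-defined configuration
// (hypothetical helper): accept only an existing executable file, so a
// configuration value cannot smuggle in anything other than a path.
function assertExecutablePath(string $path): string
{
    if (!is_file($path) || !is_executable($path)) {
        throw new InvalidArgumentException("Not an executable file: $path");
    }
    return $path;
}

// Constructed sample name containing a space and a single quote, both of
// which the shell treats specially when unquoted. The unsafe builder splits
// it into several words with an unbalanced quote; the safe builder yields
// 'it'\''s a test.php' as one argument.
$file = "it's a test.php";
echo buildSyntaxCheckCommandUnsafe('php', $file), PHP_EOL;
echo buildSyntaxCheckCommandSafe('php', $file), PHP_EOL;
```

The same treatment applies to every value that reaches exec() or shell_exec(), including paths supplied through configuration settings, which is why the advisory lists the external-tool sniffs and reports among the affected features.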

Change Log

References

Fedora Update Notification
FEDORA-2017-ca3f01bd37
2017-03-10 09:58:41.332121

Name : php-pear-PHP-CodeSniffer
Product : Fedora 25
Version : 2.8.1
Release : 1.fc25
URL : https://pear.php.net/package/PHP_CodeSniffer
Summary : PHP coding standards enforcement tool
Description : PHP_CodeSniffer provides functionality to verify that code conforms to certain standards, such as PEAR, or user-defined.

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade php-pear-PHP-CodeSniffer' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

Severity
critical

