CIVI-SA-2016-11: Potential backtrace leak

Published
2016-08-31 16:20

An automated security audit (based on static code analysis of the CiviCRM codebase) indicated that a dependency (PEAR CLI from the "packages" folder) could potentially reveal semi-sensitive backtrace data if an attacker could run it and provoke an error.

An exploit of this has not been identified.

As a precautionary measure, CiviCRM v4.7.11 removes PEAR CLI.

Security Risk: Not Critical
Vulnerability: Information Disclosure
Affected Versions: Up through v4.6.20 and v4.7.10
Fixed Versions: v4.6.21+ and v4.7.11+

Solutions

Any ONE of the following:

  • Upgrade to CiviCRM v4.7.11+ or v4.6.21+
  • Delete the file "packages/PEAR/Frontend/CLI.php"
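A check-and-remove script for the second solution, added here as an example; it is not part of the advisory or of CiviCRM's own tooling. It assumes the CiviCRM root directory is passed as the first argument and that the single file named above is all that needs to go:

```shell
#!/bin/sh
# Added example, not part of the advisory: report whether a CiviCRM install
# still ships the PEAR CLI frontend named above, and delete it on request.
# Assumes the CiviCRM root directory is the first argument.

# Path from the advisory's "Solutions" section, relative to the CiviCRM root.
PEAR_CLI_REL="packages/PEAR/Frontend/CLI.php"

# Exit 0 when the file is absent (already deleted or upgraded away),
# 1 when it is still present, so the function can gate a deploy or cron check.
civi_pear_cli_check() {
    f="$1/$PEAR_CLI_REL"
    if [ -f "$f" ]; then
        printf 'present: %s\n' "$f"
        return 1
    fi
    printf 'absent:  %s\n' "$f"
    return 0
}

# Delete the file if it exists. Exit 0 once it is gone, 1 if removal failed.
civi_pear_cli_remove() {
    f="$1/$PEAR_CLI_REL"
    if [ -f "$f" ]; then
        rm -f "$f" || return 1
        printf 'removed: %s\n' "$f"
    fi
    [ ! -e "$f" ]
}

# Command-line use: sh check_pear_cli.sh /path/to/civicrm [--remove]
# Without arguments nothing runs, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    case "${2:-}" in
        --remove) civi_pear_cli_remove "$1" ;;
        *)        civi_pear_cli_check "$1" ;;
    esac
fi
```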

Credits
  • Chris Burgess (Fuzion)
  • Tim Otten (CiviCRM)
  • Seamus Lee (Australian Greens)

References
  • https://github.com/civicrm/civicrm-packages/pull/152 (minimalist patch; not used)
  • https://github.com/civicrm/civicrm-packages/pull/160 (4.7)
  • https://github.com/civicrm/civicrm-packages/pull/164 (4.6)