Fedora 26 : php-pear-PHP-CodeSniffer (2017-b85d51cc47)

high Nessus Plugin ID 101709

Synopsis

The remote Fedora host is missing a security update.

Description

**Version 3.0.1**

- This release contains a fix for a **security advisory** related to the improper handling of a shell command

- A properly crafted filename would allow for arbitrary code execution when using the --filter=gitmodified command line option

- All version 3 users are encouraged to upgrade to this version, especially if you are checking 3rd-party code

- e.g., you run PHPCS over libraries that you did not write

- e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories

- e.g., you allow external tool paths to be set by user-defined values

- If you are unable to upgrade but you check 3rd-party code, ensure you are not using the Git modified filter

- This advisory does not affect PHP_CodeSniffer version 2.

- Thanks to Sergei Morozov for the report and patch

- Arguments on the command line now override or merge with those specified in a ruleset.xml file in all cases

- PHPCS now stops looking for a phpcs.xml file as soon as one is found, favoring the closest one to the current dir

- Added missing help text for the --stdin-path CLI option to --help

- Re-added missing help text for the --file-list and --bootstrap CLI options to --help

- Runner::runPHPCS() and Runner::runPHPCBF() now return an exit code instead of exiting directly (request #1484)

- The Squiz standard now enforces short array syntax by default

- The autoloader is now working correctly with classes created with class_alias()

- The autoloader will now search for files inside all directories in the installed_paths config var

- This allows autoloading of files inside included custom coding standards without manually requiring them

- You can now specify a namespace for a custom coding standard, used by the autoloader to load non-sniff helper files

- Also used by the autoloader to help other standards directly include sniffs for your standard

- Set the value to the namespace prefix you are using for sniff files (everything up to \Sniffs\)

- e.g., if your namespace format is MyProject\CS\Standard\Sniffs\Category set the namespace to MyProject\CS\Standard

- If omitted, the namespace is assumed to be the same as the directory name containing the ruleset.xml file

- The namespace is set in the ruleset tag of the ruleset.xml file

- e.g., ruleset name='My Coding Standard' namespace='MyProject\CS\Standard'

- Rulesets can now specify custom autoloaders using the new autoload tag

- Autoloaders are included while the ruleset is being processed and before any custom sniffs are included

- Allows for very custom autoloading of helper classes well before the bootstrap files are included

- The PEAR standard now includes Squiz.Commenting.DocCommentAlignment

- It previously broke comments onto multiple lines, but didn't align them

- Fixed a problem where excluding a message from a custom standard's own sniff would exclude the whole sniff

- This caused some PSR2 errors to be under-reported

- Fixed bug #1442 : T_NULLABLE detection not working for nullable parameters and return type hints in some cases

- Fixed bug #1447 : Running the unit tests with a phpunit config file breaks the test suite

- Unknown arguments were not being handled correctly, but are now stored in $config->unknown

- Fixed bug #1449 : Generic.Classes.OpeningBraceSameLine doesn't detect comment before opening brace

- Thanks to Juliette Reinders Folmer for the patch

- Fixed bug #1450 : Coding standard located under an installed_path with the same directory name throws an error

- Thanks to Juliette Reinders Folmer for the patch

- Fixed bug #1451 : Sniff exclusions/restrictions don't work with custom sniffs unless they use the PHP_CodeSniffer NS

- Fixed bug #1454 : Squiz.WhiteSpace.OperatorSpacing is not checking spacing on either side of a short ternary operator

- Thanks to Mponos George for the patch

- Fixed bug #1495 : Setting an invalid installed path breaks all commands

- Fixed bug #1496 : Squiz.Strings.DoubleQuoteUsage not unescaping dollar sign when fixing

- Thanks to Michał Bundyra for the patch

- Fixed bug #1501 : Interactive mode is broken

- Fixed bug #1504 : PSR2.Namespaces.UseDeclaration hangs fixing use statement with no trailing code

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected php-pear-PHP-CodeSniffer package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2017-b85d51cc47

Plugin Details

Severity: High

ID: 101709

File Name: fedora_2017-b85d51cc47.nasl

Version: 3.5

Type: local

Agent: unix

Published: 7/17/2017

Updated: 1/6/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:php-pear-php-codesniffer, cpe:/o:fedoraproject:fedora:26

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 6/19/2017

Vulnerability Publication Date: 6/19/2017

Reference Information