[php-maint] Bug#323585: marked as done (libapache2-mod-php4 - open_basedir bug - security)

Debian Bug Tracking System owner at bugs.debian.org
Sat Oct 8 17:48:19 UTC 2005


Your message dated Sat, 08 Oct 2005 10:32:07 -0700
with message-id <E1EOIYJ-0006gJ-00 at spohr.debian.org>
and subject line Bug#323585: fixed in php4 4:4.4.0-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Aug 2005 12:09:41 +0000
>From thorben at gawab.com Wed Aug 17 05:09:41 2005
Return-path: <thorben at gawab.com>
Received: from (info10.gawab.com) [204.97.230.43] 
	by spohr.debian.org with smtp (Exim 3.36 1 (Debian))
	id 1E5Mjl-0007Ze-00; Wed, 17 Aug 2005 05:09:41 -0700
Received: (qmail 5572 invoked from network); 17 Aug 2005 12:03:50 -0000
Received: from unknown (192.168.0.6)
  by gawab.com with QMQP; 17 Aug 2005 12:03:50 -0000
Received: from unknown (HELO thorben) (thorben at gawab.com@193.170.64.2)
  by gawab.com with SMTP; 17 Aug 2005 12:04:46 -0000
X-Trusted: Whitelisted
Date: Wed, 17 Aug 2005 14:15:09 +0200
From: thorben <thorben at gawab.com>
X-Mailer: The Bat! (v3.5) Home
Reply-To: thorben <thorben at gawab.com>
X-Priority: 3 (Normal)
Message-ID: <1123638061.20050817141509 at gawab.com>
To: submit at bugs.debian.org
Subject: libapache2-mod-php4 - open_basedir bug - security
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.5 required=4.0 tests=BAYES_10,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: libapache2-mod-php4
Version:  4.3.10-15

same bug like described in version 5.0.4
http://bugs.php.net/bug.php?id=32937

if somebody has a directory structure like this:
/srv/user1
/srv/user2
.
.
.
/srv/user10
/srv/user11

user1   can  access  the  files  of  user10 and user12 vi PHP although
open_basedir is set


I talked to a PHP developer, for him it is fixed.

I am using debian sarge with no other patches / backports etc.

this  bug is possibly in all php versions, I also found it in 4.4.0 on
gentoo linux

greetings
thorben



---------------------------------------
Received: (at 323585-close) by bugs.debian.org; 8 Oct 2005 17:41:17 +0000
>From katie at spohr.debian.org Sat Oct 08 10:41:17 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EOIYJ-0006gJ-00; Sat, 08 Oct 2005 10:32:07 -0700
From: Adam Conrad <adconrad at 0c3.net>
To: 323585-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#323585: fixed in php4 4:4.4.0-3
Message-Id: <E1EOIYJ-0006gJ-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Sat, 08 Oct 2005 10:32:07 -0700
Delivered-To: 323585-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: php4
Source-Version: 4:4.4.0-3

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

libapache-mod-php4_4.4.0-3_i386.deb
  to pool/main/p/php4/libapache-mod-php4_4.4.0-3_i386.deb
libapache2-mod-php4_4.4.0-3_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.4.0-3_i386.deb
php4-cgi_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-cgi_4.4.0-3_i386.deb
php4-cli_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-cli_4.4.0-3_i386.deb
php4-common_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-common_4.4.0-3_i386.deb
php4-curl_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-curl_4.4.0-3_i386.deb
php4-dev_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-dev_4.4.0-3_i386.deb
php4-domxml_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-domxml_4.4.0-3_i386.deb
php4-gd_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-gd_4.4.0-3_i386.deb
php4-ldap_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-ldap_4.4.0-3_i386.deb
php4-mcal_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-mcal_4.4.0-3_i386.deb
php4-mhash_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-mhash_4.4.0-3_i386.deb
php4-mysql_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-mysql_4.4.0-3_i386.deb
php4-odbc_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-odbc_4.4.0-3_i386.deb
php4-pear_4.4.0-3_all.deb
  to pool/main/p/php4/php4-pear_4.4.0-3_all.deb
php4-pgsql_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-pgsql_4.4.0-3_i386.deb
php4-recode_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-recode_4.4.0-3_i386.deb
php4-snmp_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-snmp_4.4.0-3_i386.deb
php4-sybase_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-sybase_4.4.0-3_i386.deb
php4-xslt_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-xslt_4.4.0-3_i386.deb
php4_4.4.0-3.diff.gz
  to pool/main/p/php4/php4_4.4.0-3.diff.gz
php4_4.4.0-3.dsc
  to pool/main/p/php4/php4_4.4.0-3.dsc
php4_4.4.0-3_all.deb
  to pool/main/p/php4/php4_4.4.0-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 323585 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad at 0c3.net> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 27 Sep 2005 16:12:05 +1000
Source: php4
Binary: php4-sybase php4-recode php4-cgi libapache-mod-php4 php4-cli php4-dev php4-snmp libapache2-mod-php4 php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-common php4 php4-curl php4-pear php4-mcal php4-mhash php4-pgsql
Architecture: source i386 all
Version: 4:4.4.0-3
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad at 0c3.net>
Description: 
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4       - server-side, HTML-embedded scripting language (meta-package)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-dev   - Files for PHP4 module development
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-pear  - PHP Extension and Application Repository (transitional package)
 php4-pgsql - PostgreSQL module for php4
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 323585
Changes: 
 php4 (4:4.4.0-3) unstable; urgency=low
 .
   * Remove Andres Salomon from the Uploaders field, at his request.  Thanks
     for all your work on the PHP packages, Andres, now fix our kernel bugs.
   * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
     is set to "/foo/", users can access files in "/foobar/", which is not the
     documented behaviour; this addresses CAN-2005-3054 (closes: #323585)
   * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode
     checks to the _php_image_output and _php_image_output_ctx GD functions.
Files: 
 6f672479c214346c12be8c5f1120f3be 1745 web optional php4_4.4.0-3.dsc
 f041e37cd7774f437d37b2a38da1745d 96760 web optional php4_4.4.0-3.diff.gz
 9ac2982a9f5ccd11562e0bf9103d49e2 171174 web optional php4-common_4.4.0-3_i386.deb
 e8315e8e3ac07e6a84563191153b693b 1572214 web optional libapache-mod-php4_4.4.0-3_i386.deb
 a1d7ea7a077f04c7e3ebbd7706dd7449 1569358 web optional libapache2-mod-php4_4.4.0-3_i386.deb
 946cdd00b6b8f489ca9590f66fb89475 3123294 web optional php4-cgi_4.4.0-3_i386.deb
 48032a551e94de828eefc94b65fe3a50 1568544 web optional php4-cli_4.4.0-3_i386.deb
 0db34827d320d81e00581a56851636b3 199558 devel optional php4-dev_4.4.0-3_i386.deb
 bd12e02ee239da36bfad1966b0c3e2c0 17974 web optional php4-curl_4.4.0-3_i386.deb
 6933bd1485487cd9066d571457e99afd 37576 web optional php4-domxml_4.4.0-3_i386.deb
 015938c520e1cf1843229dcf3e70291b 33166 web optional php4-gd_4.4.0-3_i386.deb
 9e403dbc933f078257cfead27ced949d 19626 web optional php4-ldap_4.4.0-3_i386.deb
 564da962653d1f21a65c30b949e99cf4 18234 web optional php4-mcal_4.4.0-3_i386.deb
 9240c4310ebcfa02d43ad3c486845329 8638 web optional php4-mhash_4.4.0-3_i386.deb
 20b79ffc553a4453819749e856270a03 21604 web optional php4-mysql_4.4.0-3_i386.deb
 958afe7121f12c56c49b0abadc8cf7fa 27948 web optional php4-odbc_4.4.0-3_i386.deb
 d01d881b101faceed7fc34b815ca22bd 36286 web optional php4-pgsql_4.4.0-3_i386.deb
 553fe5028a0b35b624d5b6e83c6510a4 8386 web optional php4-recode_4.4.0-3_i386.deb
 740cd97f94563a59a4a6788433231381 13942 web optional php4-snmp_4.4.0-3_i386.deb
 fa2a6ef974a73e4b4cb5837948127586 21208 web optional php4-sybase_4.4.0-3_i386.deb
 da9f5a8824d2ca99e6096e225a74f436 16618 web optional php4-xslt_4.4.0-3_i386.deb
 ab1b2fd06afebdfa8bf7bf8279b0309c 1156 web optional php4_4.4.0-3_all.deb
 86e73eac08a7725a3e7c5398bacd23b9 1170 web optional php4-pear_4.4.0-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDR/uZvjztR8bOoMkRAlOMAKDWWk5EAgR+y+9ICgkwQBRkIaP++QCfQs37
3siLeXd5jm9bXszUiAwNjaE=
=E/T0
-----END PGP SIGNATURE-----




More information about the pkg-php-maint mailing list