[php-maint] Bug#562782: Bug#562782: php5-mysql: load data local bypasses basedir due to the way libmysqlclient15off is compiled

Ondřej Surý ondrej at debian.org
Wed Jan 6 16:28:37 UTC 2010


Hi anonymous admin,

we do not consider open_basedir bugs as critical, so this will
probably not be fixed in stable.  Are you able to test if this also
applies to the version in unstable (in chroot, or kvm)?

Ondrej

On Sun, Dec 27, 2009 at 22:12, The Mighty System Admin <wejn at box.cz> wrote:
> Package: php5-mysql
> Version: 5.2.6.dfsg.1-1+lenny3
> Severity: normal
>
> mysql extension for php5 package bypasses open_basedir restrictions
> due to the way libmysqlclient package is compiled.
>
> Forcing the "--enable-local-infile" flag during compilation of
> libmysqlclient package causes the built-in protection in php5's
> mysql extension to malfunction allowing anyone to read files outside
> open_basedir.
>
> From the limited research I did, there's no way to make this
> protection work properly unless the aforementioned compile flag
> is turned off.
>
> -- System Information:
> Debian Release: 5.0.3
>  APT prefers stable
>  APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
> Shell: /bin/sh linked to /bin/bash
>



-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/




