[php-maint] Bug#656442: php-pear: Spurious (and possibly dangerous) file system accesses

Ondřej Surý ondrej at debian.org
Mon Apr 9 10:02:24 UTC 2012


reassign 656442 php-mdb2
thank you

Matthias,

I don't think that PEAR is at fault here; the isError routine is fairly simple:

    function isError($data, $code = null)
    {
        if (!is_a($data, 'PEAR_Error')) {
            return false;
        }

        if (is_null($code)) {
            return true;
        } elseif (is_string($code)) {
            return $data->getMessage() == $code;
        }

        return $data->getCode() == $code;
    }


Thus it looks like the error is in the returned datatype from the escape()
function on calls to ->getMessage() and getCode().

I am reassigning the bug to php-mdb2 package since it's probably closer there.

Ondrej

On Thu, Jan 19, 2012 at 13:30, Matthias Urlichs <matthias at urlichs.de> wrote:
> Package: php-pear
> Version: 5.3.8.0-1
> Severity: important
>
> These lines seem fairly inconspicuous.
> /usr/share/php/MDB2/Driver/Datatype/Common.php, line 1227 ff.:
>
>        $value = $db->escape($value, $escape_wildcards);
>        if (PEAR::isError($value)) {
>            return $value;
>        }
>        return "'".$value."'";
>
> Interestingly, however, the call to PEAR::isError() causes this to happen:
>
> 15663 lstat64("/usr/share/roundcube/program/include/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", 0xbff58558) = -1 ENOENT (No such file or directory)
> 15663 getcwd("/var/lib/roundcube", 4096) = 19
> 15663 time(NULL)                        = 1326973864
> 15663 lstat64("/var/lib/roundcube/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", 0xbff5a608) = -1 ENOENT (No such file or directory)
> 15663 open("/var/lib/roundcube/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
> 15663 time(NULL)                        = 1326973864
> 15663 lstat64("/var/lib/roundcube/program/lib/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 getcwd("/var/lib/roundcube", 4096) = 19
> 15663 time(NULL)                        = 1326973864
> 15663 lstat64("/var/lib/roundcube/./'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 time(NULL)                        = 1326973864
> 15663 lstat64("/usr/share/php/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 time(NULL)                        = 1326973864
> 15663 lstat64("/usr/share/pear/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 time(NULL)                        = 1326973864
> 15663 lstat64("/usr/share/roundcube/program/include/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 getcwd("/var/lib/roundcube", 4096) = 19
> 15663 time(NULL)                        = 1326973864
> 15663 lstat64("/var/lib/roundcube/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff5aaa8) = -1 ENOENT (No such file or directory)
> 15663 open("/var/lib/roundcube/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
>
> This also happens for entire SQL commands, e.g.:
> 15663 lstat64("/var/lib/roundcube/program/lib/SELECT vars, ip, changed FROM session WHERE sess_id = ?.php", 0xbff56488) = -1 ENOENT (No such file or directory)
>
> Frankly, I could *not* believe my eyes.
>
> I don't know whether this has any security implications.
> If so, I wouldn't be too surprised.
>
> Anyway, I don't know the reason for this nonsense, but it needs to be stopped.
> 30 spurious file system calls for every SQL command is really pushing it.
> (Assuming that the typical SQL statement has two string parameters.)
>
> -- System Information:
> Debian Release: wheezy/sid
>  APT prefers testing
>  APT policy: (700, 'testing'), (650, 'unstable'), (600, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.1.0-1-686-pae (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages php-mdb2 depends on:
> ii  php-pear  5.3.8.0-1
>
> php-mdb2 recommends no packages.
>
> php-mdb2 suggests no packages.
>
> -- no debconf information



-- 
Ondřej Surý <ondrej at sury.org>
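
Added example (not part of the original message, and not PEAR or MDB2 code): a small strace triage script for the symptom in the quoted report, failed lstat64/open lookups for `.php` files whose names are query parameter values or SQL text, probed in several directories. The trace lines, PID 101, the paths under /srv/app and the sample value are constructed, and the file-name heuristic is an assumption.

```python
import base64
import re
from pathlib import PurePosixPath

# Failed path lookup as strace prints it: PID call("path", ...) = -1 ENOENT
LOOKUP = re.compile(r'^\s*(\d+)\s+(?:l?stat(?:64)?|open(?:at)?)\([^"]*'
                    r'"((?:[^"\\]|\\.)*)".*=\s*-1 ENOENT')
PLAUSIBLE = re.compile(r'^[A-Za-z0-9_.-]+$')  # assumed shape of a real file stem

def classify(stem):
    """Say why a .php stem looks like data; None if it looks like a file name."""
    bare = stem.strip("'")
    if re.match(r'(SELECT|INSERT|UPDATE|DELETE)\s', bare, re.I):
        return "sql-text"
    if len(bare) >= 8 and len(bare) % 4 == 0:
        try:
            raw = base64.b64decode(bare, validate=True)
            if all(0x20 <= b < 0x7f for b in raw):
                return "base64-value"  # decodes to printable text
        except ValueError:
            pass
    return None if PLAUSIBLE.match(stem) else "odd-characters"

def find_data_named_lookups(lines):
    """Group failed *.php lookups whose name looks like data, by (pid, value)."""
    hits = {}
    for line in lines:
        m = LOOKUP.match(line)
        path = PurePosixPath(m.group(2) if m else "")
        reason = classify(path.stem) if path.suffix == ".php" else None
        if reason:
            key = (int(m.group(1)), path.stem.strip("'"))
            hit = hits.setdefault(key, {"reason": reason, "dirs": []})
            hit["dirs"].append(str(path.parent))  # one entry per probed directory
    return hits

def enoent(call, path):  # builds one constructed strace line
    return f'101 {call}("{path}", 0x0) = -1 ENOENT (No such file or directory)'

VALUE = base64.b64encode(b"demo|b:1;").decode()  # constructed sample value
SAMPLE = [
    enoent("lstat64", f"/srv/app/lib/{VALUE}.php"),
    enoent("lstat64", f"/usr/share/php/'{VALUE}'.php"),
    enoent("open", f"/srv/app/'{VALUE}'.php"),
    enoent("lstat64", "/srv/app/lib/SELECT vars FROM session WHERE sess_id = ?.php"),
    enoent("open", "/srv/app/lib/Missing.php"),  # ordinary missing file, not flagged
]

if __name__ == "__main__":
    print(find_data_named_lookups(SAMPLE))
```

Each hit lists the directories in which the same value was probed, which makes the per-query cost of the lookups visible.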
