[php-maint] Bug#758185: Bug#758185: php5-common: installation fails with . in $PATH
Ondřej Surý
ondrej at sury.org
Fri Aug 15 08:57:19 UTC 2014
Hi Zlatko,
I will fix that in git, but having "." in $PATH (especially for root user)
is a very bad bad practice and really should be avoided due to security
reasons.
Imagine someone dropping a malware binary in /tmp ...
Ondrej
On Fri, Aug 15, 2014, at 10:26, Zlatko Calusic wrote:
> Package: php5-common
> Version: 5.6.0~rc4+dfsg-1
> Severity: normal
>
> During installation:
>
> Setting up php5-common (5.6.0~rc4+dfsg-1) ...
> find: The current directory is included in the PATH environment variable,
> which is insecure in combination with the -execdir action of find.
> Please remove the current directory from your $PATH (that is, remove "."
> or leading or trailing colons)
> dpkg: error processing package php5-common (--configure):
> subprocess installed post-installation script returned error exit status
> 1
>
> And then all other php5 packages can't be upgraded, either. I'd say
> $PATH should be sanitized somewhere, I'm fond of . in $PATH on my
> personal desktop.
>
> -- Package-specific info:
> ==== Additional PHP 5 information ====
>
> ++++ PHP 5 SAPI (php5query -S): ++++
> cgi
> cli
> fpm
>
> ++++ PHP 5 Extensions (php5query -M -v): ++++
> pgsql (Enabled for cgi by maintainer script)
> pgsql (Enabled for cli by maintainer script)
> pgsql (Enabled for fpm by maintainer script)
> pdo_mysql (Enabled for cgi by maintainer script)
> pdo_mysql (Enabled for cli by maintainer script)
> pdo_mysql (Enabled for fpm by maintainer script)
> mysql (Enabled for cgi by maintainer script)
> mysql (Enabled for cli by maintainer script)
> mysql (Enabled for fpm by maintainer script)
> mysqli (Enabled for cgi by maintainer script)
> mysqli (Enabled for cli by maintainer script)
> mysqli (Enabled for fpm by maintainer script)
> pdo_pgsql (Enabled for cgi by maintainer script)
> pdo_pgsql (Enabled for cli by maintainer script)
> pdo_pgsql (Enabled for fpm by maintainer script)
> No module matches xdebug (Disabled for cgi by local administrator)
> No module matches xdebug (Disabled for cli by local administrator)
> No module matches xdebug (Disabled for fpm by local administrator)
> curl (Enabled for cgi by maintainer script)
> curl (Enabled for cli by maintainer script)
> curl (Enabled for fpm by maintainer script)
> gd (Enabled for cgi by maintainer script)
> gd (Enabled for cli by maintainer script)
> gd (Enabled for fpm by maintainer script)
> json (Enabled for cgi by maintainer script)
> json (Enabled for cli by maintainer script)
> json (Enabled for fpm by maintainer script)
> pdo (Enabled for cgi by maintainer script)
> pdo (Enabled for cli by maintainer script)
> pdo (Enabled for fpm by maintainer script)
> opcache (Enabled for cgi by maintainer script)
> opcache (Enabled for cli by maintainer script)
> opcache (Enabled for fpm by maintainer script)
> readline (Enabled for cgi by maintainer script)
> readline (Enabled for cli by maintainer script)
> readline (Enabled for fpm by maintainer script)
>
> ++++ Configuration files: ++++
> **** /etc/php5/mods-available/pdo.ini ****
> extension=pdo.so
>
> **** /etc/php5/mods-available/opcache.ini ****
> zend_extension=opcache.so
>
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0+ (SMP w/2 CPU cores; PREEMPT)
> Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages php5-common depends on:
> ii libc6 2.19-9
> ii lsof 4.86+dfsg-1
> ii psmisc 22.21-2
> ii sed 4.2.2-4
> ii ucf 3.0030
>
> php5-common recommends no packages.
>
> Versions of packages php5-common suggests:
> pn php5-user-cache <none>
>
> Versions of packages php5-cli depends on:
> ii libbz2-1.0 1.0.6-7
> ii libc6 2.19-9
> ii libcomerr2 1.42.11-2
> ii libdb5.3 5.3.28-5
> ii libedit2 3.1-20140620-2
> ii libgssapi-krb5-2 1.12.1+dfsg-7
> ii libk5crypto3 1.12.1+dfsg-7
> ii libkrb5-3 1.12.1+dfsg-7
> ii libmagic1 1:5.19-1
> ii libonig2 5.9.5-2
> ii libpcre3 1:8.35-3
> ii libqdbm14 1.8.78-5
> ii libssl1.0.0 1.0.1i-2
> ii libxml2 2.9.1+dfsg1-4
> ii mime-support 3.56
> ii php5-json 1.3.6-1
> ii tzdata 2014f-1
> ii ucf 3.0030
> ii zlib1g 1:1.2.8.dfsg-1
>
> Versions of packages php5-cli recommends:
> iu php5-readline 5.6.0~rc4+dfsg-1
>
> Versions of packages php5-cli suggests:
> iu php-pear 5.6.0~rc4+dfsg-1
>
> Versions of packages php5-cgi depends on:
> ii libbz2-1.0 1.0.6-7
> ii libc6 2.19-9
> ii libcomerr2 1.42.11-2
> ii libdb5.3 5.3.28-5
> ii libgssapi-krb5-2 1.12.1+dfsg-7
> ii libk5crypto3 1.12.1+dfsg-7
> ii libkrb5-3 1.12.1+dfsg-7
> ii libmagic1 1:5.19-1
> ii libonig2 5.9.5-2
> ii libpcre3 1:8.35-3
> ii libqdbm14 1.8.78-5
> ii libssl1.0.0 1.0.1i-2
> ii libxml2 2.9.1+dfsg1-4
> ii mime-support 3.56
> iu php5-cli 5.6.0~rc4+dfsg-1
> ii php5-json 1.3.6-1
> ii tzdata 2014f-1
> ii ucf 3.0030
> ii zlib1g 1:1.2.8.dfsg-1
>
> Versions of packages php5-cgi suggests:
> iu php-pear 5.6.0~rc4+dfsg-1
>
> Versions of packages php5-fpm depends on:
> ii dpkg 1.17.11
> ii init-system-helpers 1.20
> ii libbz2-1.0 1.0.6-7
> ii libc6 2.19-9
> ii libcomerr2 1.42.11-2
> ii libdb5.3 5.3.28-5
> ii libgssapi-krb5-2 1.12.1+dfsg-7
> ii libk5crypto3 1.12.1+dfsg-7
> ii libkrb5-3 1.12.1+dfsg-7
> ii libmagic1 1:5.19-1
> ii libonig2 5.9.5-2
> ii libpcre3 1:8.35-3
> ii libqdbm14 1.8.78-5
> ii libssl1.0.0 1.0.1i-2
> ii libsystemd-daemon0 208-7
> ii libxml2 2.9.1+dfsg1-4
> ii mime-support 3.56
> iu php5-cli 5.6.0~rc4+dfsg-1
> ii php5-json 1.3.6-1
> ii tzdata 2014f-1
> ii ucf 3.0030
> ii zlib1g 1:1.2.8.dfsg-1
>
> Versions of packages php5-fpm suggests:
> iu php-pear 5.6.0~rc4+dfsg-1
>
> -- no debconf information
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
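
Added example, not part of the original thread and not the fix committed to the package: a POSIX sh check for the PATH entries that the find warning quoted above refers to ("." and leading or trailing colons), generalized here to doubled colons and any relative entry. The function names, the fallback PATH and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the php5-common maintainer script.

# path_unsafe_entries PATHSTRING
# Prints every entry that makes command lookup depend on the current
# directory: empty entries (leading, trailing or doubled colons), "." and
# any other entry that does not start with "/".
# Returns 0 when the PATH is clean, 1 when at least one entry was reported.
path_unsafe_entries() {
    _rest="$1:"          # extra colon so the loop also sees the last entry
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            /*) ;;                                # absolute: fine
            '') echo "(empty entry)"; _bad=1 ;;   # empty means "current dir"
            *)  echo "$_entry"; _bad=1 ;;         # "." or other relative path
        esac
    done
    return "$_bad"
}

# sanitize_path PATHSTRING
# Prints PATHSTRING with only its absolute entries, order preserved.
# If nothing survives, prints a conventional system PATH (assumed default).
sanitize_path() {
    _rest="$1:"
    _out=
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            /*) _out=${_out:+$_out:}$_entry ;;
        esac
    done
    printf '%s\n' "${_out:-/usr/sbin:/usr/bin:/sbin:/bin}"
}

# Constructed sample: "." first, a doubled colon, a relative entry and a
# trailing colon.
SAMPLE='.:/usr/local/bin:/usr/bin:/bin::bin/tools:'
if ! path_unsafe_entries "$SAMPLE"; then
    echo "sanitized: $(sanitize_path "$SAMPLE")"
fi
```

A script that runs as root could call `PATH=$(sanitize_path "$PATH")` once before invoking tools such as find with -execdir, instead of relying on the caller's environment.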