[php-maint] Bug#759282: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed
Salvatore Bonaccorso
carnil at debian.org
Sun Nov 8 06:25:07 UTC 2015
Hi Mathieu,
On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil at debian.org>:
> > Hi Mathieu,
> >
> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> >> Version: 5.3.6-1
> >>
> >> Hello,
> >>
> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >
> > is this true? I just did a quick check (not a full analysis) and it
> > still seems to use /tmp/pear.
>
> Yes, it does. But it checks for symlinks and truncate the file.
>
> This even introduced a regression on Windows:
> https://pear.php.net/bugs/bug.php?id=18834
>
> > Can you check if the upstream bug report might be pointing to the
> > wrong fixing version?
>
> This is:
> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> (which is in 1.9.2)
>
> And further improvement in:
> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> (which is in 1.9.3)
>
> > (I have reopened the bugs for now)
>
> Can we close it then?
Well, IMHO no, that is not correct. The issues are still there even
you cannot globber anymore someone else files. A can block another
user this way.
As user foo do:
foo at sid:~$ pear download HTML_Common2
downloading HTML_Common2-2.1.1.tgz ...
Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
.....done: 8,604 bytes
File /home/foo/HTML_Common2-2.1.1.tgz downloaded
then replace the cache files with symlinks (e.g. to files in home of
user bar, since he want's to try to globber these files). bar now is
unable to pear download HTML_Common2:
bar at sid:~$ pear download HTML_Common2
Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice: unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
bar at sid:~$ ls
bar at sid:~$
or as root
root at sid:~# pear download HTML_Common2
Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
root at sid:~# pear install HTML_Common2
Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
install failed
root at sid:~#
So again, I don't think the issues with unsafe use of /tmp are fixed
correctly and the bugs should not be closed. PHP maintainers, what do
you think (Ondřej cc'ed)?
Regards,
Salvatore
More information about the pkg-php-maint
mailing list