[php-maint] Bug#759282: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed

Mathieu Parent math.parent at gmail.com
Mon Nov 9 06:17:24 UTC 2015


Control: reopen -1

2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil at debian.org>:
> Hi Mathieu,

Hi Salvatore,

> On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
>> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil at debian.org>:
>> > Hi Mathieu,
>> >
>> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
>> >> Version: 5.3.6-1
>> >>
>> >> Hello,
>> >>
>> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
>> >
>> > is this true? I just did a quick check (not a full analysis) and it
>> > still seems to use /tmp/pear.
>>
>> Yes, it does. But it checks for symlinks and truncates the file.
>>
>> This even introduced a regression on Windows:
>> https://pear.php.net/bugs/bug.php?id=18834
>>
>> > Can you check if the upstream bug report might be pointing to the
>> > wrong fixing version?
>>
>> This is:
>> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
>> (which is in 1.9.2)
>>
>> And further improvement in:
>> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
>> (which is in 1.9.3)
>>
>> > (I have reopened the bugs for now)
>>
>> Can we close it then?
>
> Well, IMHO no, that is not correct. The issues are still there even if
> you cannot clobber someone else's files anymore. A user can block another
> user this way.

I didn't want to close it, but my Reply-to-all went to the -done addresses.

>
> As user foo do:
>
> foo at sid:~$ pear download HTML_Common2
> downloading HTML_Common2-2.1.1.tgz ...
> Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> .....done: 8,604 bytes
> File /home/foo/HTML_Common2-2.1.1.tgz downloaded
>
>
> then replace the cache files with symlinks (e.g. to files in the home of
> user bar, since he wants to try to clobber these files). bar is now
> unable to pear download HTML_Common2:
>
> bar at sid:~$ pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> bar at sid:~$ ls
> bar at sid:~$
>
> or as root
>
> root at sid:~# pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> root at sid:~# pear install HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> install failed
> root at sid:~#
>
> So again, I don't think the issues with unsafe use of /tmp are fixed
> correctly and the bugs should not be closed. PHP maintainers, what do
> you think (Ondřej cc'ed)?

Which pear version are you testing?

Note that I'll be the php-pear maintainer, once the new package [1] is finished.

We should test against the latest 1.10 and report upstream if the bug remains.

[1]: anonscm.debian.org/cgit/pkg-php/php-pear.git

Regards

-- 
Mathieu
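The scenario Salvatore reproduces above (a predictable, shared cache path under /tmp that any local user can pre-populate with symlinks) and the pattern a practitioner would use to close it are shown below in Python. This is an added illustration written for this page, not code from the thread, from PEAR or from Debian; the helper names (`private_cache_dir`, `safe_write`, `safe_read`, `demo`) and the sandbox layout are hypothetical, and the "attacker" is simulated by the same uid so the demo can run unprivileged. It shows the naive open-and-write clobbering the symlink target, `O_NOFOLLOW` refusing to read through a planted link, and `mkstemp()`+`rename()` replacing the link instead of following it.

```python
import os
import shutil
import stat
import tempfile


def private_cache_dir(base):
    """Per-uid cache dir under `base`, created 0700 and checked with lstat().

    Hypothetical helper. lstat() (not stat()) is used so a symlink planted at
    this path by another user is detected rather than followed.
    """
    path = os.path.join(base, "pear-%d" % os.getuid())
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise OSError("%s is not a directory (planted symlink?)" % path)
    if st.st_uid != os.getuid():
        raise OSError("%s is owned by uid %d, not us" % (path, st.st_uid))
    if st.st_mode & 0o077:
        raise OSError("%s is group/world accessible" % path)
    return path


def naive_write(path, data):
    """The vulnerable pattern: open(path, 'wb') follows a symlink at `path`."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path, data):
    """Write to a fresh mkstemp() file (O_CREAT|O_EXCL, mode 0600) in the same
    directory, then rename() over `path`. rename(2) replaces the directory
    entry and never follows a symlink sitting there, so a planted link is
    discarded instead of being written through."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    os.rename(tmp, path)


def safe_read(path):
    """Open with O_NOFOLLOW, then check the descriptor we actually got
    (fstat, not stat on the path, so there is no check-then-use race)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # ELOOP if symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise OSError("refusing %s: not our regular file" % path)
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def _slurp(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Simulate the attack in a throwaway sandbox; return what happened."""
    sandbox = tempfile.mkdtemp()  # constructed stand-in for /tmp
    try:
        cache = private_cache_dir(sandbox)
        victim = os.path.join(sandbox, "victim-file")
        naive_write(victim, b"victim's precious data")

        # Attacker plants a symlink where the victim's cache entry will land.
        entry = os.path.join(cache, "rest.cache")
        os.symlink(victim, entry)

        # Victim process writes its cache the naive way: the link is followed.
        naive_write(entry, b"serialized cache payload")
        clobbered = _slurp(victim) != b"victim's precious data"

        # Reading back through the planted link with O_NOFOLLOW is refused.
        try:
            safe_read(entry)
            read_refused = False
        except OSError:
            read_refused = True

        # Reset the victim, plant the link again, and use the safe writer.
        naive_write(victim, b"victim's precious data")
        os.remove(entry)
        os.symlink(victim, entry)
        safe_write(entry, b"serialized cache payload")

        return {
            "naive_write_clobbered_victim": clobbered,
            "safe_read_refused_symlink": read_refused,
            "safe_write_kept_victim_intact":
                _slurp(victim) == b"victim's precious data",
            "entry_still_symlink_after_safe_write": os.path.islink(entry),
            "cache_content": safe_read(entry),
        }
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that a symlink check alone (what the 1.9.2 change quoted above does) only stops the clobbering half of the problem: as long as every user shares the same predictable path, whoever gets there first can still leave content that makes the other users' `pear` fail, which is the denial of service Salvatore's transcript shows. A per-user directory whose owner and mode are verified, as in `private_cache_dir`, is what removes that.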