[php-maint] Bug#759282: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed

Salvatore Bonaccorso carnil at debian.org
Sat Nov 14 18:18:52 UTC 2015


Hi Mathieu,

On Mon, Nov 09, 2015 at 07:17:24AM +0100, Mathieu Parent wrote:
> Control: reopen -1
> 
> 2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil at debian.org>:
> > Hi Mathieu,
> 
> Hi Salvatore,
> 
> > On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> >> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil at debian.org>:
> >> > Hi Mathieu,
> >> >
> >> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> >> >> Version: 5.3.6-1
> >> >>
> >> >> Hello,
> >> >>
> >> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >> >
> >> > is this true? I just did a quick check (not a full analysis) and it
> >> > still seems to use /tmp/pear.
> >>
> >> Yes, it does. But it checks for symlinks and truncates the file.
> >>
> >> This even introduced a regression on Windows:
> >> https://pear.php.net/bugs/bug.php?id=18834
> >>
> >> > Can you check if the upstream bug report might be pointing to the
> >> > wrong fixing version?
> >>
> >> This is:
> >> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> >> (which is in 1.9.2)
> >>
> >> And further improvement in:
> >> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> >> (which is in 1.9.3)
> >>
> >> > (I have reopened the bugs for now)
> >>
> >> Can we close it then?
> >
> > Well, IMHO no, that is not correct. The issues are still there even
> > if you cannot clobber someone else's files anymore. A user can block
> > another user this way.
> 
> I didn't want to close it, but my Reply-to-all went to the -done addresses.
> 
> >
> > As user foo do:
> >
> > foo at sid:~$ pear download HTML_Common2
> > downloading HTML_Common2-2.1.1.tgz ...
> > Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> > .....done: 8,604 bytes
> > File /home/foo/HTML_Common2-2.1.1.tgz downloaded
> >
> >
> > then replace the cache files with symlinks (e.g. to files in home of
> > user bar, since he wants to try to clobber these files). bar now is
> > unable to pear download HTML_Common2:
> >
> > bar at sid:~$ pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > bar at sid:~$ ls
> > bar at sid:~$
> >
> > or as root
> >
> > root at sid:~# pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > root at sid:~# pear install HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > install failed
> > root at sid:~#
> >
> > So again, I don't think the issues with unsafe use of /tmp are fixed
> > correctly and the bugs should not be closed. PHP maintainers, what do
> > you think (Ondřej cc'ed)?
> 
> Which pear version are you testing?

Just to confirm, this was with php-pear provided from src:php5,
Version 5.6.14+dfsg-1.
> 
> Note that I'll be the php-pear maintainer, once the new package [1] is finished.
> 
> We should test against this latest 1.10 and report upstream if the bug remains.

Ack, yes I see.

Regards and thanks for your work there!

Salvatore
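The thread above describes two separate weaknesses: a cache shared between all users under /tmp/pear, and a reader that turns a corrupt cache entry into "No releases available". The following is an added illustration of the defensive shape a fix would take; it is not PEAR's own code, and the function names (`userCacheDir`, `cachedRest`) and the `pear-cache-<uid>` directory name are hypothetical.

```php
<?php
// Added illustration, not PEAR's own code: a REST-cache helper that avoids the
// shared /tmp/pear directory and treats a corrupt entry as a cache miss instead
// of reporting "No releases available". Function names are hypothetical.

function userCacheDir(): string
{
    // One directory per uid, so two users never share a cache path.
    $dir = sys_get_temp_dir() . '/pear-cache-' . getmyuid();
    if (!is_dir($dir) && !@mkdir($dir, 0700) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    // lstat() does not follow symlinks, so a link planted at $dir is seen as one.
    $st = lstat($dir);
    if ($st === false || is_link($dir) || $st['uid'] !== getmyuid()
        || ($st['mode'] & 0077) !== 0) {
        throw new RuntimeException("refusing untrusted cache dir $dir");
    }
    return $dir;
}

function cachedRest(string $key, callable $fetch)
{
    $file = userCacheDir() . '/' . sha1($key) . '.cache';
    if (is_file($file) && !is_link($file)) {
        $raw = @file_get_contents($file);
        // Unreadable or corrupt content: drop the entry and refetch rather
        // than report it as an answer. allowed_classes=false keeps
        // unserialize() from instantiating objects from cached bytes.
        $data = $raw === false ? false
              : @unserialize($raw, ['allowed_classes' => false]);
        if ($data !== false) {
            return $data;
        }
        @unlink($file);
    }
    $data = $fetch();
    // Write to a private temp file in the same directory and rename it into
    // place, so a reader never sees a partially written entry.
    $tmp = tempnam(userCacheDir(), 'rest');   // created with mode 0600
    if ($tmp !== false && file_put_contents($tmp, serialize($data)) !== false) {
        rename($tmp, $file);
    }
    return $data;
}

// Example use (fetchFromPearServer is a placeholder for the real REST call):
// $releases = cachedRest('r/html_common2', fn() => fetchFromPearServer());
```

With the directory owned by the caller and mode 0700, the symlink replacement described in the thread is no longer possible for another user, and the denial of service would need write access to the victim's own directory.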
