Hi Mathieu,

On Mon, Nov 09, 2015 at 07:17:24AM +0100, Mathieu Parent wrote:
> Control: reopen -1
>
> 2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>:
> > Hi Mathieu,
>
> Hi Salvatore,
>
> > On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> >> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>:
> >> > Hi Mathieu,
> >> >
> >> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System
> >> > wrote:
> >> >> Version: 5.3.6-1
> >> >>
> >> >> Hello,
> >> >>
> >> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed
> >> >> since 1.9.2
> >> >
> >> > is this true? I just did a quick check (not a full analysis) and it
> >> > still seems to use /tmp/pear.
> >>
> >> Yes, it does. But it checks for symlinks and truncates the file.
> >>
> >> This even introduced a regression on Windows:
> >> https://pear.php.net/bugs/bug.php?id=18834
> >>
> >> > Can you check if the upstream bug report might be pointing to the
> >> > wrong fixing version?
> >>
> >> This is:
> >> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> >> (which is in 1.9.2)
> >>
> >> And further improvement in:
> >> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> >> (which is in 1.9.3)
> >>
> >> > (I have reopened the bugs for now)
> >>
> >> Can we close it then?
> >
> > Well, IMHO no, that is not correct. The issues are still there even
> > if you cannot clobber someone else's files anymore. A can block another
> > user this way.
>
> I didn't want to close it, but my Reply-to-all went to the -done addresses.
>
> > As user foo do:
> >
> > foo@sid:~$ pear download HTML_Common2
> > downloading HTML_Common2-2.1.1.tgz ...
> > Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> > .....done: 8,604 bytes
> > File /home/foo/HTML_Common2-2.1.1.tgz downloaded
> >
> > then replace the cache files with symlinks (e.g. to files in the home of
> > user bar, since he wants to try to clobber these files). bar is now
> > unable to pear download HTML_Common2:
> >
> > bar@sid:~$ pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on
> > line 203
> > PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > bar@sid:~$ ls
> > bar@sid:~$
> >
> > or as root
> >
> > root@sid:~# pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > root@sid:~# pear install HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > install failed
> > root@sid:~#
> >
> > So again, I don't think the issues with unsafe use of /tmp are fixed
> > correctly and the bugs should not be closed. PHP maintainers, what do
> > you think (Ondřej cc'ed)?
>
> Which pear version are you testing?

Just to confirm, this was with php-pear provided from src:php5, Version
5.6.14+dfsg-1.

> Note that I'll be the php-pear maintainer, once the new package [1] is
> finished.
>
> We should test against this latest 1.10 and report upstream if the bug
> remains.

Ack, yes I see.

Regards and thanks for your work there!

Salvatore
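The scenario in the thread, as an added example that is not part of the original mail and not PEAR's own code: a cache file at a predictable name in a shared directory (standing in for /tmp/pear) has been replaced by a symlink, a plain open-for-write follows it and clobbers the target, and a plain read hands back whatever was planted, which is what produces the unserialize() failure above. The hardened variants open with O_NOFOLLOW, check with fstat() that the result is a regular file owned by the current user before truncating or parsing, and keep the cache in a per-user mode-0700 directory instead of a shared one. Python is used as a stand-in for the PHP code so the behaviour can be run directly; the file and directory names are constructed, and the example runs as a single user, so only the symlink case (not the foreign-owner case) is exercised end to end. POSIX only, since it relies on O_NOFOLLOW.

```python
"""Shared cache dir vs. per-user cache dir: symlink clobbering and refusing planted files.

Added example (not PEAR code). Runs inside a scratch directory from tempfile.mkdtemp()
standing in for /tmp/pear; all file names here are constructed for the demo.
"""
import errno
import os
import stat
import tempfile


def naive_cache_write(path: str, data: bytes) -> None:
    """The pattern the thread complains about: open-for-write on a predictable
    path in a shared directory follows whatever symlink has been planted there."""
    with open(path, "wb") as fh:
        fh.write(data)


def _checked_fd(path: str, flags: int) -> int:
    """Open without following a final symlink, then verify the opened object is a
    regular file owned by the current user. Anything else is closed and refused."""
    try:
        fd = os.open(path, flags | os.O_NOFOLLOW, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # EMLINK on some BSDs
            raise PermissionError(f"refusing to follow symlink at {path}") from exc
        raise
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        os.close(fd)
        raise PermissionError(f"{path}: not a regular file owned by uid {os.geteuid()}")
    return fd


def safe_cache_write(path: str, data: bytes) -> None:
    """Truncate only after the type/ownership checks pass, so a planted symlink or
    another user's file is never clobbered."""
    fd = _checked_fd(path, os.O_WRONLY | os.O_CREAT)
    try:
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)


def safe_cache_read(path: str) -> bytes:
    """Refuse content another user could have planted instead of feeding it to
    the deserializer; the caller gets a clean error rather than a parse failure."""
    fd = _checked_fd(path, os.O_RDONLY)
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)
    finally:
        os.close(fd)


def user_cache_dir(base: str) -> str:
    """Per-user mode-0700 cache directory instead of one shared /tmp/pear. mkdir is
    atomic; lstat afterwards catches a pre-planted symlink or a foreign-owned dir."""
    path = os.path.join(base, f"pear-{os.geteuid()}")
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid() or st.st_mode & 0o077:
        raise PermissionError(f"{path} is not a private directory owned by us")
    return path


def demo() -> dict:
    """Replay the thread's scenario in a scratch directory and report each outcome."""
    shared = tempfile.mkdtemp(prefix="shared-cache-")   # stands in for /tmp/pear
    victim = os.path.join(shared, "victim-file")        # stands in for a file in bar's home
    planted = os.path.join(shared, "rest.cachefile")    # predictable cache file name
    with open(victim, "wb") as fh:
        fh.write(b"secret")
    os.symlink(victim, planted)                         # the attacker's planted symlink

    out = {}
    try:
        safe_cache_write(planted, b"payload")
        out["safe_refused_write"] = False
    except PermissionError:
        out["safe_refused_write"] = True
    with open(victim, "rb") as fh:
        out["victim_after_safe"] = fh.read()            # still b"secret"
    try:
        safe_cache_read(planted)
        out["safe_refused_read"] = False
    except PermissionError:
        out["safe_refused_read"] = True

    naive_cache_write(planted, b"payload")              # follows the symlink
    with open(victim, "rb") as fh:
        out["victim_after_naive"] = fh.read()           # clobbered: b"payload"

    private = user_cache_dir(shared)
    safe_cache_write(os.path.join(private, "rest.cachefile"), b"payload")
    out["roundtrip"] = safe_cache_read(os.path.join(private, "rest.cachefile"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The ownership check is what separates "truncate the file after a symlink check" from a real fix: a symlink test on the path and a later open are two separate steps an attacker can race, whereas fstat() on the descriptor you actually hold cannot be swapped out from under you. The per-user directory removes the shared name altogether, which is the only thing that also ends the denial of service described above.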