Bug#682157: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed

2015-11-14 Thread Salvatore Bonaccorso
Hi Mathieu,

On Mon, Nov 09, 2015 at 07:17:24AM +0100, Mathieu Parent wrote:
> Control: reopen -1
> 
> 2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso :
> > Hi Mathieu,
> 
> Hi Salvatore,
> 
> > On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> >> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso :
> >> > Hi Mathieu,
> >> >
> >> > On Sat, Nov 07, 2015 at 01:27:07PM +, Debian Bug Tracking System wrote:
> >> >> Version: 5.3.6-1
> >> >>
> >> >> Hello,
> >> >>
> >> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >> >
> >> > is this true? I just did a quick check (not a full analysis) and it
> >> > still seems to use /tmp/pear.
> >>
> >> Yes, it does. But it checks for symlinks and truncates the file.
> >>
> >> This even introduced a regression on Windows:
> >> https://pear.php.net/bugs/bug.php?id=18834
> >>
> >> > Can you check if the upstream bug report might be pointing to the
> >> > wrong fixing version?
> >>
> >> This is:
> >> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> >> (which is in 1.9.2)
> >>
> >> And further improvement in:
> >> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> >> (which is in 1.9.3)
> >>
> >> > (I have reopened the bugs for now)
> >>
> >> Can we close it then?
> >
> > Well, IMHO no, that is not correct. The issues are still there even
> > if you cannot clobber someone else's files anymore. A can block another
> > user this way.
> 
> I didn't want to close it, but my Reply-to-all went to the -done addresses.
> 
> >
> > As user foo do:
> >
> > foo@sid:~$ pear download HTML_Common2
> > downloading HTML_Common2-2.1.1.tgz ...
> > Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> > .done: 8,604 bytes
> > File /home/foo/HTML_Common2-2.1.1.tgz downloaded
> >
> >
> > then replace the cache files with symlinks (e.g. to files in home of
> > user bar, since he wants to try to clobber these files). bar now is
> > unable to pear download HTML_Common2:
> >
> > bar@sid:~$ pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > bar@sid:~$ ls
> > bar@sid:~$
> >
> > or as root
> >
> > root@sid:~# pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > root@sid:~# pear install HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > install failed
> > root@sid:~#
> >
> > So again, I don't think the issues with unsafe use of /tmp are fixed
> > correctly and the bugs should not be closed. PHP maintainers, what do
> > you think (Ondřej cc'ed)?
> 
> Which pear version are you testing?

Just to confirm, this was with php-pear provided from src:php5,
Version 5.6.14+dfsg-1.

> 
> Note that I'll be the php-pear maintainer, once the new package [1] is finished.
> 
> We should test against this latest 1.10 and report upstream if the bug remains.

Ack, yes I see.

Regards and thanks for your work there!

Salvatore



Bug#682157: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed

2015-11-08 Thread Mathieu Parent
Control: reopen -1

2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso :
> Hi Mathieu,

Hi Salvatore,

> On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
>> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso :
>> > Hi Mathieu,
>> >
>> > On Sat, Nov 07, 2015 at 01:27:07PM +, Debian Bug Tracking System wrote:
>> >> Version: 5.3.6-1
>> >>
>> >> Hello,
>> >>
>> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
>> >
>> > is this true? I just did a quick check (not a full analysis) and it
>> > still seems to use /tmp/pear.
>>
>> Yes, it does. But it checks for symlinks and truncates the file.
>>
>> This even introduced a regression on Windows:
>> https://pear.php.net/bugs/bug.php?id=18834
>>
>> > Can you check if the upstream bug report might be pointing to the
>> > wrong fixing version?
>>
>> This is:
>> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
>> (which is in 1.9.2)
>>
>> And further improvement in:
>> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
>> (which is in 1.9.3)
>>
>> > (I have reopened the bugs for now)
>>
>> Can we close it then?
>
> Well, IMHO no, that is not correct. The issues are still there even
> if you cannot clobber someone else's files anymore. A can block another
> user this way.

I didn't want to close it, but my Reply-to-all went to the -done addresses.

>
> As user foo do:
>
> foo@sid:~$ pear download HTML_Common2
> downloading HTML_Common2-2.1.1.tgz ...
> Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> .done: 8,604 bytes
> File /home/foo/HTML_Common2-2.1.1.tgz downloaded
>
>
> then replace the cache files with symlinks (e.g. to files in home of
> user bar, since he wants to try to clobber these files). bar now is
> unable to pear download HTML_Common2:
>
> bar@sid:~$ pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> bar@sid:~$ ls
> bar@sid:~$
>
> or as root
>
> root@sid:~# pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> root@sid:~# pear install HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> install failed
> root@sid:~#
>
> So again, I don't think the issues with unsafe use of /tmp are fixed
> correctly and the bugs should not be closed. PHP maintainers, what do
> you think (Ondřej cc'ed)?

Which pear version are you testing?

Note that I'll be the php-pear maintainer, once the new package [1] is finished.

We should test against this latest 1.10 and report upstream if the bug remains.

[1]: anonscm.debian.org/cgit/pkg-php/php-pear.git

Regards

-- 
Mathieu



Bug#682157: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed

2015-11-07 Thread Salvatore Bonaccorso
Hi Mathieu,

On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso :
> > Hi Mathieu,
> >
> > On Sat, Nov 07, 2015 at 01:27:07PM +, Debian Bug Tracking System wrote:
> >> Version: 5.3.6-1
> >>
> >> Hello,
> >>
> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >
> > is this true? I just did a quick check (not a full analysis) and it
> > still seems to use /tmp/pear.
> 
> Yes, it does. But it checks for symlinks and truncates the file.
> 
> This even introduced a regression on Windows:
> https://pear.php.net/bugs/bug.php?id=18834
> 
> > Can you check if the upstream bug report might be pointing to the
> > wrong fixing version?
> 
> This is:
> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> (which is in 1.9.2)
> 
> And further improvement in:
> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> (which is in 1.9.3)
> 
> > (I have reopened the bugs for now)
> 
> Can we close it then?

Well, IMHO no, that is not correct. The issues are still there even
if you cannot clobber someone else's files anymore. A can block another
user this way.

As user foo do:

foo@sid:~$ pear download HTML_Common2
downloading HTML_Common2-2.1.1.tgz ...
Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
.done: 8,604 bytes
File /home/foo/HTML_Common2-2.1.1.tgz downloaded


then replace the cache files with symlinks (e.g. to files in home of
user bar, since he wants to try to clobber these files). bar now is
unable to pear download HTML_Common2:

bar@sid:~$ pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
bar@sid:~$ ls
bar@sid:~$

or as root

root@sid:~# pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
root@sid:~# pear install HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
install failed
root@sid:~#

So again, I don't think the issues with unsafe use of /tmp are fixed
correctly and the bugs should not be closed. PHP maintainers, what do
you think (Ondřej cc'ed)?

Regards,
Salvatore
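
An added example, not part of the thread and not pear-core code: the denial of service described above comes from a cache shared by all users under /tmp, where an entry planted by one user makes another user's lookup fail. The sketch below shows the two usual mitigations, a per-user cache directory and a reader that treats any symlinked or foreign-owned entry as a cache miss. The function names and the "cache-<uid>" directory layout are hypothetical.

```python
import os
import stat
import tempfile


def private_cache_dir(base):
    """Create or validate a cache directory that only the current user can use."""
    path = os.path.join(base, "cache-%d" % os.geteuid())
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: a symlink planted at this name must not pass
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid() or st.st_mode & 0o077:
        raise PermissionError("untrusted cache directory: " + path)
    return path


def read_cache_entry(path):
    """Return the cached bytes, or None (a cache miss) if the entry is untrusted."""
    try:
        # O_NOFOLLOW: open fails if the final path component is a symlink.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        st = os.fstat(fd)  # check the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            return None
        with os.fdopen(fd, "rb", closefd=False) as fh:
            return fh.read()
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: one genuine entry and one replaced by a symlink."""
    with tempfile.TemporaryDirectory() as base:
        cache = private_cache_dir(base)
        good = os.path.join(cache, "entry-good")
        with open(good, "wb") as fh:
            fh.write(b"serialized-data")
        other = os.path.join(base, "other-users-file")
        with open(other, "wb") as fh:
            fh.write(b"not a cache entry")
        planted = os.path.join(cache, "entry-planted")
        os.symlink(other, planted)
        return read_cache_entry(good), read_cache_entry(planted)
```

A caller that gets None re-fetches the data instead of aborting, so a planted entry costs one extra request rather than a failed download or install.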