[php-pear] "/tmp" symlink file clobbering (CVE-2014-5459)

Related Vulnerabilities: CVE-2014-5459

Debian Bug report logs - #682157

Reported by: Laurent Martelli <laurent@bearteam.org>

Date: Thu, 19 Jul 2012 20:30:01 UTC

Severity: normal

Tags: security

Merged with 759282

Found in versions php5/5.4.4-2, php5/5.4.4-14+deb7u14

Forwarded to https://pear.php.net/bugs/bug.php?id=18055



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#682157; Package php-pear. (Thu, 19 Jul 2012 20:30:04 GMT).


Acknowledgement sent to Laurent Martelli <laurent@bearteam.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 19 Jul 2012 20:30:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Laurent Martelli <laurent@bearteam.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-pear: use of /tmp is not multiuser safe
Date: Thu, 19 Jul 2012 22:28:09 +0200
Package: php-pear
Version: 5.4.4-2
Severity: important

Dear Maintainer,

"pear download" leaves files in /tmp/pear/cache, so that if 2 users use it,
there are interferences because directories and files are only writable by the
user who first ran the command. Other users will then face failures with
unclear messages like this:

$ pear download HTML_Common2

Warning: lstat(): Lstat failed for
/tmp/pear/cache/3fbb9a4a8ce980205256b12627511dacrest.cacheid in PEAR/REST.php
on line 276
PHP Warning:  lstat(): Lstat failed for
/tmp/pear/cache/3fbb9a4a8ce980205256b12627511dacrest.cacheid in
/usr/share/php/PEAR/REST.php on line 276
PHP Stack trace:
PHP   1. {main}() /usr/share/php/pearcmd.php:0
PHP   2. PEAR_Command_Common->run() /usr/share/php/pearcmd.php:305
PHP   3. PEAR_Command_Remote->doDownload()
/usr/share/php/PEAR/Command/Common.php:271
PHP   4. PEAR_Downloader->download() /usr/share/php/PEAR/Command/Remote.php:607
PHP   5. PEAR_Downloader_Package->initialize()
/usr/share/php/PEAR/Downloader.php:279
PHP   6. PEAR_Downloader_Package->_fromString()
/usr/share/php/PEAR/Downloader/Package.php:190
PHP   7. PEAR_Downloader->_getPackageDownloadUrl()
/usr/share/php/PEAR/Downloader/Package.php:1713
PHP   8. PEAR_REST_13->getDownloadURL() /usr/share/php/PEAR/Downloader.php:850
PHP   9. PEAR_REST->retrieveData() /usr/share/php/PEAR/REST/13.php:68
PHP  10. PEAR_REST->saveCache() /usr/share/php/PEAR/REST.php:163
PHP  11. PEAR_REST->saveCacheFile() /usr/share/php/PEAR/REST.php:246
PHP  12. lstat() /usr/share/php/PEAR/REST.php:276
No releases available for package "pear.php.net/HTML_Common2"
download failed

A quick fix would be to default to a tmp dir located in the user's home
directory.



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php-pear depends on:
ii  php5-cli     5.4.4-2
ii  php5-common  5.4.4-2

Versions of packages php-pear recommends:
ii  gnupg  1.4.12-4+b1

Versions of packages php-pear suggests:
ii  php5-dev  5.4.4-2

-- no debconf information



Severity set to 'normal' from 'important'. Request was from Ondřej Surý <ondrej@sury.org> to 759282-submit@bugs.debian.org. (Tue, 26 Aug 2014 09:21:08 GMT).


Marked as found in versions php5/5.4.4-14+deb7u14. Request was from Ondřej Surý <ondrej@sury.org> to 759282-submit@bugs.debian.org. (Tue, 26 Aug 2014 09:21:09 GMT).


Added tag(s) security. Request was from Ondřej Surý <ondrej@sury.org> to 759282-submit@bugs.debian.org. (Tue, 26 Aug 2014 09:21:10 GMT).


Merged 682157 759282. Request was from Ondřej Surý <ondrej@sury.org> to 759282-submit@bugs.debian.org. (Tue, 26 Aug 2014 09:21:13 GMT).


Changed Bug title to '[php-pear] "/tmp" symlink file clobbering (CVE-2014-5459)' from 'php-pear: use of /tmp is not mulituser safe'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2014 05:42:06 GMT).


Set Bug forwarded-to-address to 'https://pear.php.net/bugs/bug.php?id=18055'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2014 08:57:18 GMT).


Reply sent to Mathieu Parent <math.parent@gmail.com>:
You have taken responsibility. (Sat, 07 Nov 2015 13:27:06 GMT).


Notification sent to Laurent Martelli <laurent@bearteam.org>:
Bug acknowledged by developer. (Sat, 07 Nov 2015 13:27:07 GMT).


Message #22 received at 682157-done@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: 682157-done@bugs.debian.org
Subject: Fixed since 1.9.2
Date: Sat, 7 Nov 2015 14:25:32 +0100
Version: 5.3.6-1

Hello,

According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2

Regards
-- 
Mathieu



Reply sent to Mathieu Parent <math.parent@gmail.com>:
You have taken responsibility. (Sat, 07 Nov 2015 13:27:07 GMT).


Notification sent to vladz <vladz@devzero.fr>:
Bug acknowledged by developer. (Sat, 07 Nov 2015 13:27:07 GMT).


Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 Nov 2015 13:54:09 GMT).


No longer marked as fixed in versions 5.3.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 Nov 2015 13:54:10 GMT).


Message #31 received at 759282-done@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 759282-done@bugs.debian.org
Subject: Re: Bug#759282 closed by Mathieu Parent <math.parent@gmail.com> (FIxed since 1.9.2)
Date: Sat, 7 Nov 2015 15:53:07 +0100
2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> Hi Mathieu,
>
> On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
>> Version: 5.3.6-1
>>
>> Hello,
>>
>> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
>
> is this true? I just did a quick check (not a full analysis) and it
> still seems to use /tmp/pear.

Yes, it does. But it checks for symlinks and truncates the file.

This even introduced a regression on Windows:
https://pear.php.net/bugs/bug.php?id=18834

> Can you check if the upstream bug report might be pointing to the
> wrong fixing version?

This is:
https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
(which is in 1.9.2)

And further improvement in:
https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
(which is in 1.9.3)

> (I have reopened the bugs for now)

Can we close it then?

Regards
-- 
Mathieu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#682157; Package php-pear. (Sun, 08 Nov 2015 06:27:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 08 Nov 2015 06:27:04 GMT).


Message #36 received at 682157@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mathieu Parent <math.parent@gmail.com>
Cc: 759282@bugs.debian.org, 682157@bugs.debian.org, ondrej@debian.org
Subject: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed
Date: Sun, 8 Nov 2015 07:25:07 +0100
Hi Mathieu,

On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> > Hi Mathieu,
> >
> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> >> Version: 5.3.6-1
> >>
> >> Hello,
> >>
> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >
> > is this true? I just did a quick check (not a full analysis) and it
> > still seems to use /tmp/pear.
> 
> Yes, it does. But it checks for symlinks and truncates the file.
> 
> This even introduced a regression on Windows:
> https://pear.php.net/bugs/bug.php?id=18834
> 
> > Can you check if the upstream bug report might be pointing to the
> > wrong fixing version?
> 
> This is:
> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> (which is in 1.9.2)
> 
> And further improvement in:
> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> (which is in 1.9.3)
> 
> > (I have reopened the bugs for now)
> 
> Can we close it then?

Well, IMHO no, that is not correct. The issues are still there even if
you cannot clobber someone else's files anymore. A user can block another
user this way.

As user foo do:

foo@sid:~$ pear download HTML_Common2
downloading HTML_Common2-2.1.1.tgz ...
Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
.....done: 8,604 bytes
File /home/foo/HTML_Common2-2.1.1.tgz downloaded


then replace the cache files with symlinks (e.g. to files in the home of
user bar, since he wants to try to clobber these files). bar is now
unable to pear download HTML_Common2:

bar@sid:~$ pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
bar@sid:~$ ls
bar@sid:~$

or as root

root@sid:~# pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
root@sid:~# pear install HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
install failed
root@sid:~#

So again, I don't think the issues with unsafe use of /tmp are fixed
correctly and the bugs should not be closed. PHP maintainers, what do
you think (Ondřej cc'ed)?

Regards,
Salvatore
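The point of the exchange above is that a symlink check followed by truncation inside a shared, world-writable /tmp/pear/cache still lets one local user break pear for every other user. As an added example that is not PEAR's own code, this Python sketch shows the alternative the original report suggests, a per-user cache directory: it is created 0700 and verified with lstat (owner, mode, not a link) before use, entries are written through O_CREAT|O_EXCL|O_NOFOLLOW plus an atomic rename, and a planted symlink is refused rather than truncated. The directory name `pear-cache-<uid>`, the function names and the constructed scenario in `demo()` are assumptions for illustration.

```python
import os
import stat
import tempfile


def private_cache_dir(root=None):
    """Create or validate a per-uid cache dir (assumed name, replaces /tmp/pear/cache)."""
    root = root or tempfile.gettempdir()
    path = os.path.join(root, "pear-cache-%d" % os.getuid())
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # pre-existing: validate below instead of trusting it
    st = os.lstat(path)  # lstat: a symlink planted at this name shows as a link
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a plain directory" % path)
    if st.st_uid != os.getuid():
        raise RuntimeError("%s is owned by uid %d, not by us" % (path, st.st_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise RuntimeError("%s is accessible to other users" % path)
    return path


def write_cache_file(cache_dir, name, data):
    """Write a cache entry without ever truncating through a symlink."""
    final = os.path.join(cache_dir, name)
    tmp = "%s.%d.tmp" % (final, os.getpid())
    # O_EXCL refuses an existing name (symlink included) instead of opening
    # its target; O_NOFOLLOW is belt and braces.  Nothing gets truncated.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        if os.path.islink(final):
            raise RuntimeError("refusing to replace symlink at %s" % final)
        os.replace(tmp, final)  # atomic rename: swaps the name, never a target
    finally:
        if os.path.lexists(tmp):
            os.unlink(tmp)
    return final


def demo():
    """Constructed scenario: one normal write, then a planted symlink."""
    with tempfile.TemporaryDirectory() as root:
        cache = private_cache_dir(root)
        path = write_cache_file(cache, "rest.cacheid", b"1446900000")
        with open(path, "rb") as fh:
            roundtrip = fh.read()
        victim = os.path.join(root, "victim.txt")  # stands in for another user's file
        with open(victim, "wb") as fh:
            fh.write(b"keep me")
        os.symlink(victim, os.path.join(cache, "planted.cacheid"))
        try:
            write_cache_file(cache, "planted.cacheid", b"garbage")
            refused = False
        except RuntimeError:
            refused = True
        with open(victim, "rb") as fh:
            intact = fh.read() == b"keep me"
    return {"roundtrip": roundtrip, "symlink_refused": refused, "victim_intact": intact}
```

If another user pre-creates the `pear-cache-<uid>` name in a shared tmp, `private_cache_dir` fails with a clear ownership or mode error instead of the unserialize notices shown in the log, which is the behaviour a defender wants from a shared-directory check.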



Message sent on to Laurent Martelli <laurent@bearteam.org>:
Bug#682157. (Sun, 08 Nov 2015 06:27:09 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#682157; Package php-pear. (Mon, 09 Nov 2015 06:21:03 GMT).


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 09 Nov 2015 06:21:03 GMT).


Message #44 received at 682157@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 759282@bugs.debian.org, 682157@bugs.debian.org, Ondřej Surý <ondrej@debian.org>
Subject: Re: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed
Date: Mon, 9 Nov 2015 07:17:24 +0100
Control: reopen -1

2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> Hi Mathieu,

Hi Salvatore,

> On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
>> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
>> > Hi Mathieu,
>> >
>> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
>> >> Version: 5.3.6-1
>> >>
>> >> Hello,
>> >>
>> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
>> >
>> > is this true? I just did a quick check (not a full analysis) and it
>> > still seems to use /tmp/pear.
>>
>> Yes, it does. But it checks for symlinks and truncates the file.
>>
>> This even introduced a regression on Windows:
>> https://pear.php.net/bugs/bug.php?id=18834
>>
>> > Can you check if the upstream bug report might be pointing to the
>> > wrong fixing version?
>>
>> This is:
>> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
>> (which is in 1.9.2)
>>
>> And further improvement in:
>> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
>> (which is in 1.9.3)
>>
>> > (I have reopened the bugs for now)
>>
>> Can we close it then?
>
> Well, IMHO no, that is not correct. The issues are still there even if
> you cannot clobber someone else's files anymore. A user can block another
> user this way.

I didn't want to close it, but my Reply-to-all went to the -done addresses.

>
> As user foo do:
>
> foo@sid:~$ pear download HTML_Common2
> downloading HTML_Common2-2.1.1.tgz ...
> Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> .....done: 8,604 bytes
> File /home/foo/HTML_Common2-2.1.1.tgz downloaded
>
>
> then replace the cache files with symlinks (e.g. to files in the home of
> user bar, since he wants to try to clobber these files). bar is now
> unable to pear download HTML_Common2:
>
> bar@sid:~$ pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> bar@sid:~$ ls
> bar@sid:~$
>
> or as root
>
> root@sid:~# pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> root@sid:~# pear install HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> install failed
> root@sid:~#
>
> So again, I don't think the issues with unsafe use of /tmp are fixed
> correctly and the bugs should not be closed. PHP maintainers, what do
> you think (Ondřej cc'ed)?

Which pear version are you testing?

Note that I'll be the php-pear maintainer, once the new package [1] is finished.

We should test against this latest 1.10 and report upstream if the bug remains.

[1]: anonscm.debian.org/cgit/pkg-php/php-pear.git

Regards

-- 
Mathieu



Bug reopened. Request was from Mathieu Parent <math.parent@gmail.com> to 682157-submit@bugs.debian.org. (Mon, 09 Nov 2015 06:21:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#682157; Package php-pear. (Sat, 14 Nov 2015 18:21:08 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 14 Nov 2015 18:21:08 GMT).


Message #51 received at 682157@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mathieu Parent <math.parent@gmail.com>
Cc: 759282@bugs.debian.org, 682157@bugs.debian.org, Ondřej Surý <ondrej@debian.org>
Subject: Re: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed
Date: Sat, 14 Nov 2015 19:18:52 +0100
Hi Mathieu,

On Mon, Nov 09, 2015 at 07:17:24AM +0100, Mathieu Parent wrote:
> Control: reopen -1
> 
> 2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> > Hi Mathieu,
> 
> Hi Salvatore,
> 
> > On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> >> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> >> > Hi Mathieu,
> >> >
> >> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> >> >> Version: 5.3.6-1
> >> >>
> >> >> Hello,
> >> >>
> >> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >> >
> >> > is this true? I just did a quick check (not a full analysis) and it
> >> > still seems to use /tmp/pear.
> >>
> >> Yes, it does. But it checks for symlinks and truncates the file.
> >>
> >> This even introduced a regression on Windows:
> >> https://pear.php.net/bugs/bug.php?id=18834
> >>
> >> > Can you check if the upstream bug report might be pointing to the
> >> > wrong fixing version?
> >>
> >> This is:
> >> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> >> (which is in 1.9.2)
> >>
> >> And further improvement in:
> >> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> >> (which is in 1.9.3)
> >>
> >> > (I have reopened the bugs for now)
> >>
> >> Can we close it then?
> >
> > Well, IMHO no, that is not correct. The issues are still there even if
> > you cannot clobber someone else's files anymore. A user can block another
> > user this way.
> 
> I didn't want to close it, but my Reply-to-all went to the -done addresses.
> 
> >
> > As user foo do:
> >
> > foo@sid:~$ pear download HTML_Common2
> > downloading HTML_Common2-2.1.1.tgz ...
> > Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> > .....done: 8,604 bytes
> > File /home/foo/HTML_Common2-2.1.1.tgz downloaded
> >
> >
> > then replace the cache files with symlinks (e.g. to files in the home of
> > user bar, since he wants to try to clobber these files). bar is now
> > unable to pear download HTML_Common2:
> >
> > bar@sid:~$ pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > bar@sid:~$ ls
> > bar@sid:~$
> >
> > or as root
> >
> > root@sid:~# pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > root@sid:~# pear install HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > install failed
> > root@sid:~#
> >
> > So again, I don't think the issues with unsafe use of /tmp are fixed
> > correctly and the bugs should not be closed. PHP maintainers, what do
> > you think (Ondřej cc'ed)?
> 
> Which pear version are you testing?

Just to confirm, this was with php-pear provided from src:php5,
Version 5.6.14+dfsg-1.
> 
> Note that I'll be the php-pear maintainer, once the new package [1] is finished.
> 
> We should test against this latest 1.10 and report upstream if the bug remains.

Ack, yes I see.

Regards and thanks for your work there!

Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:37:42 2019; Machine Name: beach
